non root user and fix book/html calibre (#856)

* non root user and fix book/html calibre

* version bump

* Update docker-compose-latest.yml

* remove customApp

---------

Co-authored-by: systo <systo@host.docker.internal>

Dockerfile

@@ -1,6 +1,23 @@
 # Main stage
 FROM alpine:3.19.1
 
+# Copy necessary files
+COPY scripts /scripts
+COPY pipeline /pipeline
+COPY src/main/resources/static/fonts/*.ttf /usr/share/fonts/opentype/noto
+COPY src/main/resources/static/fonts/*.otf /usr/share/fonts/opentype/noto
+COPY build/libs/*.jar app.jar
+
+ARG VERSION_TAG
+
+
+# Set Environment Variables
+ENV DOCKER_ENABLE_SECURITY=false \
+    VERSION_TAG=$VERSION_TAG \
+    JAVA_TOOL_OPTIONS="$JAVA_TOOL_OPTIONS -XX:MaxRAMPercentage=75" \
+	HOME=/home/stirlingpdfuser
+
+
 # JDK for app
 RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories && \
     echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories && \
@@ -12,6 +29,7 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /et
         bash \
         curl \
         openjdk17-jre \
+        su-exec \
 # Doc conversion
         libreoffice@testing \
 # OCR MY PDF (unpaper for descew and other advanced featues)
@@ -24,46 +42,18 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /et
     wget https://bootstrap.pypa.io/get-pip.py -qO - | python3 - --break-system-packages --no-cache-dir --upgrade && \
 # uno unoconv and HTML
     pip install --break-system-packages --no-cache-dir --upgrade unoconv WeasyPrint && \
-    mv /usr/share/tessdata /usr/share/tessdata-original
-
-
-
-ARG VERSION_TAG
-
-# Set Environment Variables
-ENV DOCKER_ENABLE_SECURITY=false \
-    HOME=/home/stirlingpdfuser \
-    VERSION_TAG=$VERSION_TAG \
-    JAVA_TOOL_OPTIONS="$JAVA_TOOL_OPTIONS -XX:MaxRAMPercentage=75"
-#    PUID=1000 \
-#    PGID=1000 \
-#    UMASK=022 \
-
-# Copy necessary files
-COPY scripts /scripts
-COPY pipeline /pipeline
-COPY src/main/resources/static/fonts/*.ttf /usr/share/fonts/opentype/noto
-COPY src/main/resources/static/fonts/*.otf /usr/share/fonts/opentype/noto
-COPY build/libs/*.jar app.jar
-
-# Create user and group
-##RUN groupadd -g $PGID stirlingpdfgroup && \
-##    useradd -u $PUID -g stirlingpdfgroup -s /bin/sh stirlingpdfuser && \
-##    mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME && \
-# Set up necessary directories and permissions
-RUN mkdir -p  /configs /logs /customFiles /pipeline/watchedFolders /pipeline/finishedFolders && \
-##&& \
-##    chown -R stirlingpdfuser:stirlingpdfgroup /scripts /usr/share/fonts/opentype/noto /usr/share/tesseract-ocr /configs /customFiles && \
-##    chown -R stirlingpdfuser:stirlingpdfgroup /usr/share/tesseract-ocr-original && \
-# Set font cache and permissions
+    mv /usr/share/tessdata /usr/share/tessdata-original && \
+    mkdir -p $HOME /configs /logs /customFiles /pipeline/watchedFolders /pipeline/finishedFolders && \
     fc-cache -f -v && \
-    chmod +x /scripts/*
-##    chown stirlingpdfuser:stirlingpdfgroup /app.jar && \
-##    chmod +x /scripts/init.sh
+    chmod +x /scripts/* && \
+    chmod +x /scripts/init.sh && \
+# User permissions
+    addgroup -S stirlingpdfgroup && adduser -S stirlingpdfuser -G stirlingpdfgroup && \
+    chown -R stirlingpdfuser:stirlingpdfgroup $HOME /scripts /usr/share/fonts/opentype/noto  /configs /customFiles /pipeline && \
+    chown stirlingpdfuser:stirlingpdfgroup /app.jar
 
 EXPOSE 8080
 
 # Set user and run command
-##USER stirlingpdfuser
 ENTRYPOINT ["tini", "--", "/scripts/init.sh"]
 CMD ["java", "-Dfile.encoding=UTF-8", "-jar", "/app.jar"]

Dockerfile-lite

@@ -8,9 +8,6 @@ ENV DOCKER_ENABLE_SECURITY=false \
     HOME=/home/stirlingpdfuser \
     VERSION_TAG=$VERSION_TAG \
     JAVA_TOOL_OPTIONS="$JAVA_TOOL_OPTIONS -XX:MaxRAMPercentage=75"
-#   PUID=1000 \
-#   PGID=1000 \
-#   UMASK=022 \
 
 # Copy necessary files
 COPY scripts/download-security-jar.sh /scripts/download-security-jar.sh
@@ -30,24 +27,24 @@ RUN echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /et
         bash \
         curl \
         openjdk17-jre \
+        su-exec \
 # Doc conversion
    libreoffice@testing \
 # python and pip
         python3 && \
         wget https://bootstrap.pypa.io/get-pip.py -qO - | python3 - --break-system-packages --no-cache-dir --upgrade && \
 # uno unoconv and HTML
     pip install --break-system-packages --no-cache-dir --upgrade unoconv WeasyPrint && \
-# Create user and group
-#RUN groupadd -g $PGID stirlingpdfgroup && \
-#    useradd -u $PUID -g stirlingpdfgroup -s /bin/sh stirlingpdfuser && \
-#    mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME
 # Set up necessary directories and permissions
     mkdir -p /configs /logs /customFiles /pipeline/watchedFolders /pipeline/finishedFolders && \
-#    chown -R stirlingpdfuser:stirlingpdfgroup /usr/share/fonts/opentype/noto /configs /customFiles
 # Set font cache and permissions
     fc-cache -f -v && \
-    chmod +x /scripts/*.sh
-#    chown stirlingpdfuser:stirlingpdfgroup /app.jar
+    chmod +x /scripts/*.sh && \
+# User permissions
+    addgroup -S stirlingpdfgroup && adduser -S stirlingpdfuser -G stirlingpdfgroup && \
+    chown -R stirlingpdfuser:stirlingpdfgroup $HOME /scripts /usr/share/fonts/opentype/noto  /configs /customFiles /pipeline && \
+    chown stirlingpdfuser:stirlingpdfgroup /app.jar    
+
 
 # Set environment variables
 ENV ENDPOINTS_GROUPS_TO_REMOVE=OpenCV,OCRmyPDF
@@ -56,6 +53,6 @@ ENV DOCKER_ENABLE_SECURITY=false
 EXPOSE 8080
 
 # Run the application
-#USER stirlingpdfuser
+
 ENTRYPOINT ["tini", "--", "/scripts/init-without-ocr.sh"]
 CMD ["java", "-Dfile.encoding=UTF-8", "-jar", "/app.jar"]

Dockerfile-ultra-lite

@@ -18,27 +18,26 @@ COPY scripts/init-without-ocr.sh /scripts/init-without-ocr.sh
 COPY pipeline /pipeline
 COPY build/libs/*.jar app.jar
 
-# Create user and group using Alpine's addgroup and adduser
-#RUN addgroup -g $PGID stirlingpdfgroup && \
-#    adduser -u $PUID -G stirlingpdfgroup -s /bin/sh -D stirlingpdfuser && \
-#    mkdir -p $HOME && chown stirlingpdfuser:stirlingpdfgroup $HOME
+
 # Set up necessary directories and permissions
-#RUN mkdir -p /scripts /configs /customFiles && \
-#    chown -R stirlingpdfuser:stirlingpdfgroup /scripts /configs /customFiles /logs /pipeline /pipeline/defaultWebUIConfigs /pipeline/watchedFolders /pipeline/finishedFolders
+
 RUN mkdir /configs /logs /customFiles && \
-# Set font cache and permissions
-#RUN chown stirlingpdfuser:stirlingpdfgroup /app.jar
     chmod +x /scripts/*.sh && \
     apk add --no-cache \
         ca-certificates \
         tzdata \
         tini \
         bash \
         curl \
+        su-exec \
         openjdk17-jre && \
     echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories && \
     echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories && \
-    echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" | tee -a /etc/apk/repositories
+    echo "@testing https://dl-cdn.alpinelinux.org/alpine/edge/testing" | tee -a /etc/apk/repositories && \
+    # User permissions
+    addgroup -S stirlingpdfgroup && adduser -S stirlingpdfuser -G stirlingpdfgroup && \
+    chown -R stirlingpdfuser:stirlingpdfgroup $HOME /scripts  /configs /customFiles /pipeline && \
+    chown stirlingpdfuser:stirlingpdfgroup /app.jar    
 
 # Set environment variables
 ENV ENDPOINTS_GROUPS_TO_REMOVE=CLI

README.md

@@ -114,6 +114,7 @@ docker run -d \
   -v /location/of/extraConfigs:/configs \
   -v /location/of/logs:/logs \
   -e DOCKER_ENABLE_SECURITY=false \
+  -e INSTALL_BOOK_AND_ADVANCED_HTML_OPS=false \
   --name stirling-pdf \
   frooodle/s-pdf:latest
 
@@ -137,6 +138,7 @@ services:
 #      - /location/of/logs:/logs/
     environment:
       - DOCKER_ENABLE_SECURITY=false
+      - INSTALL_BOOK_AND_ADVANCED_HTML_OPS=false
 ```
 
 Note: Podman is CLI-compatible with Docker, so simply replace "docker" with "podman".
@@ -228,6 +230,7 @@ metrics:
 - ``SYSTEM_ROOTURIPATH`` ie set to ``/pdf-app`` to Set the application's root URI to ``localhost:8080/pdf-app``
 - ``SYSTEM_CONNECTIONTIMEOUTMINUTES`` to set custom connection timeout values
 - ``DOCKER_ENABLE_SECURITY`` to tell docker to download security jar (required as true for auth login)
+- ``INSTALL_BOOK_AND_ADVANCED_HTML_OPS`` to download calibre onto stirling-pdf enabling pdf to/from book and advanced html conversion
 
 ## API
 For those wanting to use Stirling-PDFs backend API to link with their own custom scripting to edit PDFs you can view all existing API documentation

build.gradle

@@ -12,7 +12,7 @@ plugins {
 import com.github.jk1.license.render.*
 
 group = 'stirling.software'
-version = '0.21.0'
+version = '0.22.0'
 sourceCompatibility = '17'
 
 repositories {

scripts/download-security-jar.sh

@@ -14,6 +14,8 @@ if [ "$DOCKER_ENABLE_SECURITY" = "true" ] && [ "$VERSION_TAG" != "alpha" ]; then
         if [ $? -eq 0 ]; then  # checks if curl was successful
             rm -f app.jar
             ln -s app-security.jar app.jar
+            chown stirlingpdfuser:stirlingpdfgroup app.jar
+            chmod 755 app.jar
         fi
     fi
 fi

scripts/init-without-ocr.sh

@@ -1,6 +1,14 @@
 #!/bin/sh
 
+echo "Setting permissions and ownership for necessary directories..."
+chown -R stirlingpdfuser:stirlingpdfgroup /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles
+chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles
+if [[ "$INSTALL_BOOK_AND_ADVANCED_HTML_OPS" == "true" ]]; then
+  apk add --no-cache calibre@testing
+fi
+
+
 /scripts/download-security-jar.sh
 
 # Run the main command
-exec "$@"
+exec su-exec stirlingpdfuser "$@"

scripts/init.sh

@@ -13,18 +13,35 @@ if [ -d /usr/share/tesseract-ocr/5/tessdata ]; then
         cp -r /usr/share/tesseract-ocr/5/tessdata/* /usr/share/tessdata || true;
 fi
 
+echo "Setting permissions and ownership for necessary directories..."
+chown -R stirlingpdfuser:stirlingpdfgroup /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles
+chmod -R 755 /logs /scripts /usr/share/fonts/opentype/noto /usr/share/tessdata /configs /customFiles
+
+
+
+
 # Check if TESSERACT_LANGS environment variable is set and is not empty
 if [[ -n "$TESSERACT_LANGS" ]]; then
   # Convert comma-separated values to a space-separated list
   LANGS=$(echo $TESSERACT_LANGS | tr ',' ' ')
-
+  pattern='^[a-zA-Z]{2,4}(_[a-zA-Z]{2,4})?$'
   # Install each language pack
   for LANG in $LANGS; do
-    apt-get install -y "tesseract-ocr-$LANG"
+     if [[ $LANG =~ $pattern ]]; then
+      apk add --no-cache "tesseract-ocr-data-$LANG"
+     else
+      echo "Skipping invalid language code"
+     fi
   done
 fi
 
+if [[ "$INSTALL_BOOK_AND_ADVANCED_HTML_OPS" == "true" ]]; then
+  apk add --no-cache calibre@testing
+fi
+
+
+
 /scripts/download-security-jar.sh
 
-# Run the main command
-exec "$@"
+# Run the main command and switch to stirling user for rest of run
+exec su-exec stirlingpdfuser "$@"

src/main/java/stirling/software/SPDF/SPdfApplication.java

@@ -6,14 +6,15 @@
 import java.nio.file.Paths;
 import java.util.Collections;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.core.env.Environment;
 import org.springframework.scheduling.annotation.EnableScheduling;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+
 import io.github.pixee.security.SystemCommand;
 
 import jakarta.annotation.PostConstruct;
@@ -64,7 +65,8 @@ public static void main(String[] args) throws IOException, InterruptedException
                     Collections.singletonMap(
                             "spring.config.additional-location", "file:configs/settings.yml"));
         } else {
-            logger.warn("External configuration file 'configs/settings.yml' does not exist. Using default configuration and environment configuration instead.");
+            logger.warn(
+                    "External configuration file 'configs/settings.yml' does not exist. Using default configuration and environment configuration instead.");
         }
         app.run(args);
 

src/main/java/stirling/software/SPDF/config/AppConfig.java

@@ -79,9 +79,10 @@ public boolean runningInDocker() {
 
     @Bean(name = "bookAndHtmlFormatsInstalled")
     public boolean bookAndHtmlFormatsInstalled() {
-        return applicationProperties
-                .getSystem()
-                .getCustomApplications()
-                .isInstallBookAndHtmlFormats();
+        String installOps = System.getProperty("INSTALL_BOOK_AND_ADVANCED_HTML_OPS");
+        if (installOps == null) {
+            installOps = System.getenv("INSTALL_BOOK_AND_ADVANCED_HTML_OPS");
+        }
+        return "true".equalsIgnoreCase(installOps);
     }
 }