Use non-root user in Docker (#571)

## Type of change

- [ ] Bug fix
- [x] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

## Objective

Use a non-root user in Docker. There doesn't seem to be an agreed upon
standard for what to name the non-root user, so I named it _app_, as I
followed the general guidance from [this MS blog
post](https://devblogs.microsoft.com/dotnet/securing-containers-with-rootless/).

A `BWS_CONFIG_FILE` environment variable was added to `bws` as well to
make it easier to avoid guessing where the correct config file dir is if
you are unaware of the _app_ user's name (and therefor, their home
directory).

## Code changes

- **crates/bws/Dockerfile:** Use a non-root user.
- **crates/bws/README.md:** Document using the CLI with Docker.
- **crates/bws/src/main.rs:** Add `BWS_CONFIG_FILE` environment
variable.
- **crates/bws/CHANGELOG.md:** Update changelog.

## Before you submit

- Please add **unit tests** where it makes sense to do so

crates/bws/CHANGELOG.md

@@ -10,6 +10,7 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ### Changed
 
 - Switched TLS backend to `rustls`, removing the dependency on `OpenSSL`.
+- Add a `BWS_CONFIG_FILE` environment variable to specify the location of the config file (#571)
 
 ## [0.4.0] - 2023-12-21
 

crates/bws/Dockerfile

@@ -30,5 +30,12 @@ WORKDIR /usr/local/bin
 COPY --from=build /app/target/release/bws .
 COPY --from=build /etc/ssl/certs /etc/ssl/certs
 
-ENTRYPOINT ["bws"]
+# Create a non-root user
+RUN useradd -ms /bin/bash app
+
+# Switch to the non-root user
+USER app
 
+WORKDIR /home/app
+
+ENTRYPOINT ["bws"]

crates/bws/README.md

@@ -44,3 +44,21 @@ echo 'source <(/path/to/bws completions bash)' >> ~/.bashrc
 
 For more detailed documentation, please refer to the
 [Secrets Manager CLI help article](https://bitwarden.com/help/secrets-manager-cli/).
+
+## Docker
+
+We also provide a docker image preloaded with the `bws` cli.
+
+```bash
+# From the root of the repository
+docker build -f crates/bws/Dockerfile -t bitwarden/bws .
+
+docker run --rm -it bitwarden/bws --help
+```
+
+To use a configuration file, utilize docker
+[bind mounting](https://docs.docker.com/storage/bind-mounts/) to expose it to the container:
+
+```bash
+docker run --rm -it -v "$HOME"/.bws:/home/app/.bws bitwarden/bws --help
+```

crates/bws/src/main.rs

@@ -47,6 +47,7 @@ struct Cli {
         short = 'f',
         long,
         global = true,
+        env = CONFIG_FILE_KEY_VAR_NAME,
         help = format!("[default: ~/{}/{}] Config file to use", config::DIRECTORY, config::FILENAME)
     )]
     config_file: Option<PathBuf>,
@@ -228,6 +229,7 @@ async fn main() -> Result<()> {
 }
 
 const ACCESS_TOKEN_KEY_VAR_NAME: &str = "BWS_ACCESS_TOKEN";
+const CONFIG_FILE_KEY_VAR_NAME: &str = "BWS_CONFIG_FILE";
 const PROFILE_KEY_VAR_NAME: &str = "BWS_PROFILE";
 const SERVER_URL_KEY_VAR_NAME: &str = "BWS_SERVER_URL";