From ff94313e209daebb1ccd5fb7b576256ae5a767b2 Mon Sep 17 00:00:00 2001
From: tangowithfoxtrot <5676771+tangowithfoxtrot@users.noreply.github.com>
Date: Tue, 20 Feb 2024 10:40:28 -0800
Subject: [PATCH] Use non-root user in Docker (#571)

## Type of change

- [ ] Bug fix
- [x] New feature development
- [x] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [ ] Other

## Objective

Use a non-root user in Docker. There doesn't seem to be an agreed upon standard for what to name the non-root user, so I named it _app_, as I followed the general guidance from [this MS blog post](https://devblogs.microsoft.com/dotnet/securing-containers-with-rootless/). A `BWS_CONFIG_FILE` environment variable was added to `bws` as well to make it easier to avoid guessing where the correct config file dir is if you are unaware of the _app_ user's name (and therefor, their home directory).

## Code changes

- **crates/bws/Dockerfile:** Use a non-root user.
- **crates/bws/README.md:** Document using the CLI with Docker.
- **crates/bws/src/main.rs:** Add `BWS_CONFIG_FILE` environment variable.
- **crates/bws/CHANGELOG.md:** Update changelog.

## Before you submit

- Please add **unit tests** where it makes sense to do so

---
 crates/bws/CHANGELOG.md | 1 +
 crates/bws/Dockerfile | 9 ++++++++-
 crates/bws/README.md | 18 ++++++++++++++++++
 crates/bws/src/main.rs | 2 ++
 4 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/crates/bws/CHANGELOG.md b/crates/bws/CHANGELOG.md
index d5ba27061..2bb431485 100644
--- a/crates/bws/CHANGELOG.md
+++ b/crates/bws/CHANGELOG.md
@@ -10,6 +10,7 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ### Changed
 - Switched TLS backend to `rustls`, removing the dependency on `OpenSSL`.
+- Add a `BWS_CONFIG_FILE` environment variable to specify the location of the config file (#571)
 ## [0.4.0] - 2023-12-21
diff --git a/crates/bws/Dockerfile b/crates/bws/Dockerfile
index f50a3e7a6..4f16f8e6c 100644
--- a/crates/bws/Dockerfile
+++ b/crates/bws/Dockerfile
@@ -30,5 +30,12 @@ WORKDIR /usr/local/bin
 COPY --from=build /app/target/release/bws .
 COPY --from=build /etc/ssl/certs /etc/ssl/certs
-ENTRYPOINT ["bws"]
+# Create a non-root user
+RUN useradd -ms /bin/bash app
+
+# Switch to the non-root user
+USER app
+WORKDIR /home/app
+
+ENTRYPOINT ["bws"]
diff --git a/crates/bws/README.md b/crates/bws/README.md
index 11ea23814..cb9c268fb 100644
--- a/crates/bws/README.md
+++ b/crates/bws/README.md
@@ -44,3 +44,21 @@ echo 'source <(/path/to/bws completions bash)' >> ~/.bashrc
 For more detailed documentation, please refer to the [Secrets Manager CLI help article](https://bitwarden.com/help/secrets-manager-cli/).
+
+## Docker
+
+We also provide a docker image preloaded with the `bws` cli.
+
+```bash
+# From the root of the repository
+docker build -f crates/bws/Dockerfile -t bitwarden/bws .
+
+docker run --rm -it bitwarden/bws --help
+```
+
+To use a configuration file, utilize docker
+[bind mounting](https://docs.docker.com/storage/bind-mounts/) to expose it to the container:
+
+```bash
+docker run --rm -it -v "$HOME"/.bws:/home/app/.bws bitwarden/bws --help
+```
diff --git a/crates/bws/src/main.rs b/crates/bws/src/main.rs
index e55df5082..cb130b52c 100644
--- a/crates/bws/src/main.rs
+++ b/crates/bws/src/main.rs
@@ -47,6 +47,7 @@ struct Cli {
 short = 'f',
 long,
 global = true,
+ env = CONFIG_FILE_KEY_VAR_NAME,
 help = format!("[default: ~/{}/{}] Config file to use", config::DIRECTORY, config::FILENAME)
 )]
 config_file: Option,
@@ -228,6 +229,7 @@ async fn main() -> Result<()> {
 }
 const ACCESS_TOKEN_KEY_VAR_NAME: &str = "BWS_ACCESS_TOKEN";
+const CONFIG_FILE_KEY_VAR_NAME: &str = "BWS_CONFIG_FILE";
 const PROFILE_KEY_VAR_NAME: &str = "BWS_PROFILE";
 const SERVER_URL_KEY_VAR_NAME: &str = "BWS_SERVER_URL";
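Review bot: `RUN useradd -ms /bin/bash app` leaves the UID/GID unpinned and gives a CLI-only account a login shell, and the following `USER app` selects the account by name, which runtimes that enforce a numeric non-root user (Kubernetes `runAsNonRoot`, for example) cannot verify and will reject. I would pin both and drop the shell: `RUN groupadd --gid 1000 app && useradd --create-home --uid 1000 --gid 1000 --shell /usr/sbin/nologin app` (the `nologin` path depends on the runtime base image, whose `FROM` line is outside this hunk) followed by `USER 1000:1000`. A stable UID also matters for the README example in this same commit that bind-mounts `$HOME/.bws` into `/home/app/.bws`: the host-owned config, which can hold an access token, is only readable by the container if its ownership or mode matches that UID, and a sentence saying so next to the example would save users a confusing permission error. Keeping the binary under `/usr/local/bin` root-owned and not writable by `app` is the right outcome and should stay as is.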
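Review bot: The new `env = CONFIG_FILE_KEY_VAR_NAME` attribute makes `config_file` resolve as flag, then `BWS_CONFIG_FILE`, then the built-in default, but the hand-written help text still only announces `[default: ~/…/…]`, and clap will (unless `hide_env` is set) append its own `[env: BWS_CONFIG_FILE=…]` annotation beside it, so the precedence is never stated. I would say it in the help string, e.g. `help = format!("Config file to use; the flag overrides BWS_CONFIG_FILE [default: ~/{}/{}]", config::DIRECTORY, config::FILENAME)`, or as a comment above the field: `// Resolved in order: --config-file, then BWS_CONFIG_FILE, then the default path under $HOME.`. Whether a value taken from the environment is used verbatim or has `~` expanded is decided outside this hunk, and it is worth documenting because `-e BWS_CONFIG_FILE=~/.bws/config` is expanded by the host shell, not inside the container this PR targets. The `Cli` struct that owns this field starts and ends outside the hunk.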