[PM-4408] Update Dockerfile (#75)

* update dockerfile

* Update Dockerfile

* Update setup_secrets_windows.ps1

EoF new line

* Update global.json

updated version to .1xx

dev/setup_secrets_windows.ps1

@@ -0,0 +1,90 @@
+param (
+    [bool]$clear,
+    [Parameter(ValueFromRemainingArguments = $true, Position=1)]
+    $cmdArgs
+)
+
+# Try to Fetch Certificate
+$Certificate = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object { $_.Subject -like "*Bitwarden Key Connector*" } | Select-Object Thumbprint, Subject
+
+if ($($Certificate.Thumbprint)) {
+    Write-Host "## INFO --> Found Bitwarden Key Connector certificate : $($Certificate.Thumbprint)"
+}
+else {
+    Write-Host "## INFO --> Creating Bitwarden Key Connector certificate..."
+    try {
+        # Create Key Connector Certificate
+        New-SelfSignedCertificate -DnsName "Bitwarden Key Connector" -CertStoreLocation Cert:\LocalMachine\My -KeySpec Signature -KeyUsage DigitalSignature -KeyExportPolicy Exportable -Subject "CN=Bitwarden Key Connector" -NotBefore (Get-Date) -NotAfter (Get-Date).AddDays(36500)
+    }
+    catch {
+        Write-Host "## ERROR --> An exception occurred: $_.Exception.Message"
+        exit 1
+    }
+    Write-Host "## INFO --> Certificate created successfully"
+
+    # Fetch newly created certificate
+    $Certificate = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object { $_.Subject -like "*Bitwarden Key Connector*" } | Select-Object Thumbprint, Subject
+    
+    # Adding a check to make sure the certificate exists to ensure no error on creation
+    if ($null -eq $($Certificate.Thumbprint) -or "" -eq $($Certificate.Thumbprint)) {
+        Write-Host "## INFO: Certificate not found"
+        exit 1
+    }
+}
+
+# Prompt the user for input (e.g., password)
+$password = Read-Host "## INPUT --> Enter password for private key"
+if ($null -ne $password -and "" -ne $password) {
+    $SecureStringPassword = ConvertTo-SecureString -String $password -AsPlainText -Force
+    Export-PfxCertificate -Cert cert:\LocalMachine\My\$($Certificate.Thumbprint) -FilePath .\bwkc.pfx -Password $SecureStringPassword | Out-Null
+}
+else {
+    Write-Host "## ERROR: Password cannot be null or empty"
+    exit 1
+}
+
+$pathToPFX = (Get-Item -Path ".\bwkc.pfx").FullName
+Write-Host "## INFO --> Exported certificate to $pathToPFX"
+
+# read secrets.json
+Write-Host "## INFO --> creating secrets.json from secrets.json.example"
+$secrets = Get-Content .\secrets.json.example | ConvertFrom-Json
+
+# set PFX password
+$secrets.keyConnectorSettings.certificate.filesystemPassword = $password
+Write-Host "## INFO --> Certificate password set successfully in secrets.json"
+
+# set PFX path
+$secrets.keyConnectorSettings.certificate.filesystemPath = $pathToPFX
+Write-Host "## INFO --> Path to bwkc.pfx set successfully in secrets.json"
+
+# set database.json path
+$pathToDatabase = $pathToPFX.Replace("bwkc.pfx", "database.json")
+$secrets.keyConnectorSettings.database.jsonFilePath = $pathToDatabase
+Write-Host "## INFO --> Path to database.json set successfully in secrets.json"
+
+# save secrets.json
+$secrets | ConvertTo-Json | Set-Content secrets.json
+
+# set secrets
+if (!(Test-Path "secrets.json")) {
+    Write-Warning "No secrets.json file found, please copy and modify the provided example";
+    exit;
+}
+
+if ($clear -eq $true) {
+    Write-Output "Deleting all existing user secrets"
+}
+
+$projects = @{
+    KeyConnector = "../src/KeyConnector"
+}
+
+Write-Host "## INFO --> Setting secrets for each project"
+foreach ($key in $projects.keys) {
+    if ($clear -eq $true) {
+        dotnet user-secrets clear -p $projects[$key]
+    }
+    $output = Get-Content secrets.json | & dotnet user-secrets set -p $projects[$key]
+    Write-Output "$output - $key"
+}

global.json

@@ -0,0 +1,6 @@
+{
+    "sdk": {
+      "version": "6.0.100",
+      "rollForward": "latestFeature"
+    }
+  }

src/KeyConnector/.dockerignore

@@ -2,3 +2,4 @@
 !obj/build-output/publish/*
 !obj/Docker/empty/
 !entrypoint.sh
+!prepare-env.sh

src/KeyConnector/Dockerfile

@@ -2,17 +2,16 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0
 
 LABEL com.bitwarden.product="bitwarden"
 
-RUN apt-get update \
+RUN apt-get update -y \
     && apt-get install -y --no-install-recommends \
-        gosu \
         curl \
         libc-dev \
         opensc \
     && rm -rf /var/lib/apt/lists/*
 
 # Install YubiHSM2 SDK
-ADD https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2021-08-debian10-amd64.tar.gz ./
+RUN curl -O https://developers.yubico.com/YubiHSM2/Releases/yubihsm2-sdk-2021-08-debian10-amd64.tar.gz \
-RUN tar -xzf yubihsm2-sdk-*.tar.gz \
+    && tar -xzf yubihsm2-sdk-*.tar.gz \
     && rm yubihsm2-sdk-*.tar.gz \
     && dpkg -i yubihsm2-sdk/libyubihsm-http1_*_amd64.deb \
     && dpkg -i yubihsm2-sdk/libyubihsm1_*_amd64.deb \
@@ -22,10 +21,18 @@ RUN tar -xzf yubihsm2-sdk-*.tar.gz \
 ENV ASPNETCORE_URLS http://+:5000
 WORKDIR /app
 EXPOSE 5000
+
 COPY obj/build-output/publish .
+
 COPY entrypoint.sh /
-RUN chmod +x /entrypoint.sh
+RUN chmod +x /entrypoint.sh 
+
+COPY prepare-env.sh /
+RUN chmod +x /prepare-env.sh && \
+    /prepare-env.sh
 
 HEALTHCHECK CMD curl -f http://localhost:5000/health || exit 1
 
+USER bitwarden
+
 ENTRYPOINT ["/entrypoint.sh"]

src/KeyConnector/build.ps1

@@ -0,0 +1,22 @@
+# Get the script directory
+$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Definition
+
+Write-Host ""
+Write-Host "## INFO --> Building Key Connector"
+
+$dotnetVersion = dotnet --version
+Write-Host ".NET Core version $dotnetVersion"
+
+Write-Host "Restore"
+dotnet restore "$ScriptDir/KeyConnector.csproj"
+
+Write-Host "Clean"
+dotnet clean "$ScriptDir/KeyConnector.csproj" -c "Release" -o "$ScriptDir/obj/build-output/publish"
+
+Write-Host "Publish"
+dotnet publish "$ScriptDir/KeyConnector.csproj" -c "Release" -o "$ScriptDir/obj/build-output/publish"
+
+Write-Host ""
+Write-Host "## INFO --> Building docker image"
+docker --version
+docker build -t bitwarden/key-connector "$ScriptDir\."

src/KeyConnector/entrypoint.sh

@@ -1,40 +1,6 @@
 #!/bin/bash
 
-# Setup
-
-GROUPNAME="bitwarden"
-USERNAME="bitwarden"
-
-LUID=${LOCAL_UID:-0}
-LGID=${LOCAL_GID:-0}
-
-# Step down from host root to well-known nobody/nogroup user
-
-if [ $LUID -eq 0 ]
-then
-    LUID=65534
-fi
-if [ $LGID -eq 0 ]
-then
-    LGID=65534
-fi
-
-# Create user and group
-
-groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
-groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
-useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
-usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
-mkhomedir_helper $USERNAME
-
-# The rest...
-
-chown -R $USERNAME:$GROUPNAME /app
-mkdir -p /etc/bitwarden/logs
-mkdir -p /etc/bitwarden/ca-certificates
-chown -R $USERNAME:$GROUPNAME /etc/bitwarden
-
 cp /etc/bitwarden/ca-certificates/*.crt /usr/local/share/ca-certificates/ >/dev/null 2>&1 \
     && update-ca-certificates
 
-exec gosu $USERNAME:$GROUPNAME dotnet /app/KeyConnector.dll
+dotnet /app/KeyConnector.dll

src/KeyConnector/prepare-env.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+# Setup
+GROUPNAME="bitwarden"
+USERNAME="bitwarden"
+
+LUID=${LOCAL_UID:-0}
+LGID=${LOCAL_GID:-0}
+
+# Step down from host root to well-known nobody/nogroup user
+if [ $LUID -eq 0 ]
+then
+    LUID=65534
+fi
+if [ $LGID -eq 0 ]
+then
+    LGID=65534
+fi
+
+# Create user and group
+groupadd -o -g $LGID $GROUPNAME >/dev/null 2>&1 ||
+groupmod -o -g $LGID $GROUPNAME >/dev/null 2>&1
+useradd -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1 ||
+usermod -o -u $LUID -g $GROUPNAME -s /bin/false $USERNAME >/dev/null 2>&1
+mkhomedir_helper $USERNAME
+
+# The rest...
+chown -R $USERNAME:$GROUPNAME /app
+mkdir -p /etc/bitwarden/logs
+mkdir -p /etc/bitwarden/ca-certificates
+chown -R $USERNAME:$GROUPNAME /etc/bitwarden