From 8f6db5baff9e4f53fbf06b3053cb63448ddd6c60 Mon Sep 17 00:00:00 2001
From: Henry Oswald
Date: Mon, 26 Feb 2018 11:56:19 +0000
Subject: [PATCH] tests pass under app user
---
 Dockerfile | 25 ++++++++++++++++++-------
 Jenkinsfile | 36 +++---------------------------------
 Makefile | 5 +++++
 docker-compose.ci.yml | 10 ++--------
 docker-compose.yml | 2 +-
 install_deps.sh | 6 +++++-
 6 files changed, 34 insertions(+), 50 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e195f96..881852d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:6.13.0
+FROM node:6.13.0 as app
 COPY ./ /app
@@ -6,11 +6,22 @@ WORKDIR /app
 RUN npm install
+
+RUN npm run compile:all
+
+FROM node:6.13.0
+
+COPY --from=app /app /app
+
+WORKDIR /app
+
+
+# All app and node_modules will be owned by root.
+# The app will run as the 'app' user, and so not have write permissions
+# on any files it doesn't need.
+RUN useradd --user-group --create-home --home-dir /app --shell /bin/bash app
+
 RUN [ -e ./install_deps.sh ] && ./install_deps.sh
-RUN npm run compile
-
-ENV SHARELATEX_CONFIG /app/config/settings.production.coffee
-ENV NODE_ENV production
-
-CMD ["node","/app/app.js"]
+USER app
+CMD ["node","app.js"]
diff --git a/Jenkinsfile b/Jenkinsfile
index 326dce5..bc9ba01 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
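Review bot: Nothing in the final stage of the Dockerfile sets `NODE_ENV` or `SHARELATEX_CONFIG` any more, so unless the deployment injects them the process started by `CMD ["node","app.js"]` runs with Node's development defaults; frameworks such as Express, if this service uses one, then include stack traces in error responses. If the two `ENV` lines were dropped only because CI now runs the tests inside this same image, keeping `ENV NODE_ENV production` here and overriding it in the compose test services would preserve the safe default. The new `app` account is also created with `--shell /bin/bash` although nothing visible needs an interactive login; `--shell /usr/sbin/nologin` fits a service account better.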
@@ -9,34 +9,9 @@ pipeline {
 }
 stages {
- stage('Install') {
- agent {
- docker {
- image 'node:6.13.0'
- args "-v /var/lib/jenkins/.npm:/tmp/.npm -e HOME=/tmp"
- reuseNode true
- }
- }
+ stage('Build') {
 steps {
- // we need to disable logallrefupdates, else git clones
- // during the npm install will require git to lookup the
- // user id which does not exist in the container's
- // /etc/passwd file, causing the clone to fail.
- sh 'git config --global core.logallrefupdates false'
- sh 'rm -rf node_modules'
- sh 'npm install && npm rebuild'
- }
- }
-
- stage('Compile') {
- agent {
- docker {
- image 'node:6.13.0'
- reuseNode true
- }
- }
- steps {
- sh 'npm run compile:all'
+ sh 'make build'
 }
 }
@@ -54,12 +29,7 @@ pipeline {
 stage('Package and publish build') {
 steps {
- sh 'echo ${BUILD_NUMBER} > build_number.txt'
- sh 'touch build.tar.gz' // Avoid tar warning about files changing during read
- sh 'tar -czf build.tar.gz --exclude=build.tar.gz --exclude-vcs .'
- withAWS(credentials:'S3_CI_BUILDS_AWS_KEYS', region:"${S3_REGION_BUILD_ARTEFACTS}") {
- s3Upload(file:'build.tar.gz', bucket:"${S3_BUCKET_BUILD_ARTEFACTS}", path:"${JOB_NAME}/${BUILD_NUMBER}.tar.gz")
- }
+ sh 'make publish'
 }
 }
diff --git a/Makefile b/Makefile
index 89066f5..b20654c 100644
--- a/Makefile
+++ b/Makefile
@@ -28,5 +28,10 @@ test_acceptance: test_clean # clear the database before each acceptance test run
 test_clean:
 $(DOCKER_COMPOSE) down -t 0
+build:
+ docker build --pull --tag quay.io/sharelatex/$(PROJECT_NAME):$(BRANCH_NAME)-$(BUILD_NUMBER) .
+
+publish:
+ docker push quay.io/sharelatex/$(PROJECT_NAME):$(BRANCH_NAME)-$(BUILD_NUMBER)
 .PHONY: clean test test_unit test_acceptance test_clean build publish
diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml
index 00740d4..cbe15fe 100644
--- a/docker-compose.ci.yml
+++ b/docker-compose.ci.yml
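Review bot: In the Jenkinsfile's 'Package and publish build' stage, `sh 'make publish'` pushes to quay.io with whatever registry login already exists on the agent, because the stage binds no credential, whereas the `withAWS(credentials: …)` wrapper it replaces scoped the secret to the upload step. That login is presumably configured outside this diff, but an agent-wide Docker credential can be used by every job that runs on the node. Wrapping the step in `withCredentials([usernamePassword(credentialsId: '<QUAY_ROBOT_CREDENTIALS_ID>', …)])` with a push-only robot account, and logging in and out inside that block, would keep the credential limited to this stage.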
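Review bot: In the Makefile, `$(PROJECT_NAME)` and `$(BRANCH_NAME)` are expanded unquoted into the `docker build` and `docker push` recipe lines, so a branch name containing `/` yields an invalid tag and one containing shell metacharacters changes the command the CI agent runs. Where these variables are assigned is outside the hunk; on a multibranch job the branch name is likely chosen by whoever pushed the branch, so it should be treated as untrusted. Restricting the values at assignment to `[A-Za-z0-9_.-]`, the characters a Docker tag accepts, covers both recipes, and quoting the reference, `--tag "quay.io/sharelatex/$(PROJECT_NAME):$(BRANCH_NAME)-$(BUILD_NUMBER)"`, is a cheap second layer.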
@@ -7,17 +7,11 @@ version: "2"
 services:
 test_unit:
- image: node:6.13.0
- volumes:
- - .:/app
- working_dir: /app
+ image: quay.io/sharelatex/$PROJECT_NAME:$BRANCH_NAME-$BUILD_NUMBER
 entrypoint: npm run test:unit:_run
 test_acceptance:
- image: node:6.13.0
- volumes:
- - .:/app
- working_dir: /app
+ image: quay.io/sharelatex/$PROJECT_NAME:$BRANCH_NAME-$BUILD_NUMBER
 environment:
 REDIS_HOST: redis
 MONGO_HOST: mongo
diff --git a/docker-compose.yml b/docker-compose.yml
index c259abc..cf90742 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -14,7 +14,7 @@ services:
 entrypoint: npm run test:unit
 test_acceptance:
- image: node:6.13.0
+ build: .
 volumes:
 - .:/app
 working_dir: /app
diff --git a/install_deps.sh b/install_deps.sh
index 49bdc5c..3caa1c7 100755
--- a/install_deps.sh
+++ b/install_deps.sh
@@ -1,4 +1,8 @@
 /bin/sh
 wget -qO- https://get.docker.com/ | sh
-apt-get install poppler-utils vim ghostscript --yes
+apt-get install poppler-utils ghostscript --yes
 npm rebuild
+usermod -aG docker app
+
+touch /var/run/docker.sock
+chown root:docker /var/run/docker.sock
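Review bot: In docker-compose.yml, the `.:/app` bind mount kept below `build: .` hides the image's root-owned /app and its node_modules, so the local acceptance run does not exercise the read-only layout the Dockerfile now sets up. The container's `app` user instead meets files owned by the host user's UID, which may fail in ways CI never sees. If the mount stays for fast iteration, a comment such as `# bind mount overrides the image's /app; docker-compose.ci.yml tests the built image` would make the difference explicit. The `test_acceptance` service continues outside the hunk.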
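Review bot: In install_deps.sh, `usermod -aG docker app` gives the runtime user control of any Docker daemon whose socket is mounted at /var/run/docker.sock, and access to that socket is equivalent to root on the host, which cancels most of what `USER app` in the Dockerfile is meant to achieve. The `touch` and `chown root:docker` lines only set ownership on a placeholder file in the image; a bind-mounted host socket keeps the host's owner and GID, so the group created here may not match it anyway. If the service has to start containers, that trust should be recorded where it is granted, for example `# docker group == root on the socket's host; required for <reason>`, or narrowed by placing an API-filtering socket proxy between the app and the daemon. The unchanged `wget -qO- https://get.docker.com/ | sh` line still runs an unpinned remote script as root at build time; installing a pinned docker client package would remove the dependency on whatever that URL serves on build day.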