feat(init): first commit

files/alpine/sp-oidc/base/Dockerfile

@@ -0,0 +1,14 @@
+FROM reg.cadoles.com/proxy_cache/library/alpine:edge
+#FROM reg.cadoles.com/proxy_cache/library/httpd:alpine3.18
+
+# Adding testing repo
+RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
+
+RUN apk update && apk add apache-mod-auth-openidc
+
+COPY files/alpine/sp-oidc/base/conf.d/mod-auth-openidc.conf /etc/apache2/conf.d/mod-auth-openidc.conf
+COPY files/alpine/sp-oidc/base/conf.d/default-vhost.conf /etc/apache2/conf.d/default-vhost.conf
+COPY files/alpine/sp-oidc/base/scripts/httpd-foreground /usr/local/bin/
+
+
+CMD ["httpd-foreground"]

files/alpine/sp-oidc/base/conf.d/Dockerfile

@@ -0,0 +1,14 @@
+FROM reg.cadoles.com/proxy_cache/library/alpine:edge
+#FROM reg.cadoles.com/proxy_cache/library/httpd:alpine3.18
+
+# Adding testing repo
+RUN echo "https://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories
+
+RUN apk update && apk add apache-mod-auth-openidc
+
+COPY conf.d/mod-auth-openidc.conf /etc/apache2/conf.d/mod-auth-openidc.conf
+COPY conf.d/default-vhost.conf /etc/apache2/conf.d/default-vhost.conf
+COPY scripts/httpd-foreground /usr/local/bin/
+
+CMD ["httpd-foreground"]
+

files/alpine/sp-oidc/base/conf.d/default-vhost.conf

@@ -0,0 +1,29 @@
+<VirtualHost _default_:80>
+  ServerName ${SP_SERVER_NAME}:80
+
+  DocumentRoot /var/www/html
+
+  CustomLog /proc/self/fd/1 common
+
+  ErrorDocument 400 /error/
+  ErrorDocument 401 /error/
+  ErrorDocument 403 /error/
+  ErrorDocument 404 /error/
+  ErrorDocument 500 /error/
+  ErrorDocument 502 /error/
+  ErrorDocument 503 /error/
+  ErrorDocument 504 /error/
+
+  <FilesMatch "\.(cgi|shtml|phtml|php)$">
+      SSLOptions +StdEnvVars
+  </FilesMatch>
+  <Directory /usr/lib/cgi-bin>
+      SSLOptions +StdEnvVars
+  </Directory>
+
+  <Location /error>
+    AllowOverride All
+    Options +Indexes
+    Require all granted
+  </Location>
+</VirtualHost>

files/alpine/sp-oidc/base/conf.d/mod-auth-openidc.conf

@@ -0,0 +1,14 @@
+LoadModule auth_openidc_module modules/mod_auth_openidc.so
+
+OIDCProviderMetadataURL ${SP_OIDC_PROVIDER_METADATA_URL} #http://portal.mse.local:8000/auth/.well-known/openid-configuration
+OIDCClientID ${SP_OIDC_CLIENT_NAME} #mse
+OIDCClientSecret ${SP_OIDC_CLIENT_SERCRET} #$mse&123456$
+OIDCProviderTokenEndpointAuth client_secret_basic
+OIDCCookieSameSite On
+OIDCSessionType client-cookie
+OIDCXForwardedHeaders X-Forwarded-Host
+# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
+OIDCRedirectURI  ${SP_OIDC_REDIRECT_URI} #http://portal.mse.local:8000/protected/redirect_uri
+OIDCCryptoPassphrase ${SP_OIDC_CRYPTO_PASSPHRASE} #$mse&123456$
+OIDCOAuthAcceptTokenAs header
+OIDCUnAutzAction 302 ${SP_OIDC_ERROR_URI} #http://portal.mse.local:8000/erreur?msg=mod_auth_fail

files/alpine/sp-oidc/base/conf.d/scripts/httpd-foreground

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+# Apache gets grumpy about PID files pre-existing
+rm -f /run/apache2/httpd.pid
+
+exec httpd -DFOREGROUND "$@"

files/alpine/sp-oidc/base/conf.d/test_alpine-sp-oidc.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]:-$0}"; )" &> /dev/null && pwd 2> /dev/null; )";
+
+source "$SCRIPT_DIR/lib.sh"
+
+# Test reg.cadoles.com/cadoles/symfony:alpine-php-7.4-standalone with Symfony 4.4
+test_alpine_sp_oidc() {
+    # FIXME 
+    
+    local container_name=$(run_symfony_app_container "4.4" "7.4" "alpine-php-7.4-standalone")
+    local image_name=$(docker inspect -f '{{.Config.Image}}' ${container_name})
+
+    trap_add "docker kill ${container_name}" EXIT
+    trap_add "docker rmi -f ${image_name}" EXIT
+    
+    local app_url="http://$(docker port ${container_name} 8080/tcp)"
+
+    # Check that application is responding as expected
+    local page_content=$(curl -s "${app_url}" | pandoc -f html -t plain)
+
+    assert_matches 'Welcome to Symfony 4\.4\.*' "${page_content}" "Could not find Symfony default welcome message !"
+}

files/alpine/sp-oidc/base/scripts/httpd-foreground

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+# Apache gets grumpy about PID files pre-existing
+rm -f /run/apache2/httpd.pid
+
+exec httpd -DFOREGROUND "$@"

files/common/healthcheck/check-multiple.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -eu
+
+for CHECK in $@; do
+    /bin/sh "/usr/local/share/cadoles-symfony/healthcheck/check-${CHECK}.sh"
+done

files/common/healthcheck/check-nginx.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eu
+
+wget --quiet --tries=1 --spider 127.0.0.1:8090/healthcheck || exit 1;

files/common/healthcheck/check-php-fpm.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -eu
+
+# TODO

files/common/nginx/conf.d/app.conf.gotmpl

@@ -0,0 +1,89 @@
+upstream backend {
+    server {{ env.Getenv "NGINX_APP_UPSTREAM_BACKEND_SERVER" "unix:/tmp/php-fpm.sock" }};
+    keepalive {{ env.Getenv "NGINX_APP_UPSTREAM_BACKEND_KEEPALIVE" "40" }};
+    # Must be less than php-fpm.conf:pm.max_requests
+    keepalive_requests {{ env.Getenv "NGINX_APP_UPSTREAM_BACKEND_KEEPALIVE_REQUESTS" "250" }};
+    keepalive_timeout {{ env.Getenv "NGINX_APP_UPSTREAM_BACKEND_KEEPALIVE_TIMEOUT" "10" }};
+}
+
+server {
+    listen {{ env.Getenv "NGINX_APP_SERVER_LISTEN" "8080" }} default_server;
+
+    server_name {{ env.Getenv "NGINX_APP_SERVER_NAME" "_" }};
+    set $base /app;
+    root $base{{ env.Getenv "NGINX_APP_ROOT" "/public"}};
+
+    # deny all dot files except .well-known
+    location ~ /\.(?!well-known) {
+        deny all;
+    }
+
+    # index.php
+    index index.php;
+
+
+    # index.php fallback
+    location / {
+        # try to serve file directly, fallback to index.php
+        try_files $uri {{ env.Getenv "NGINX_APP_PHP_INDEX" "/index.php"}}$is_args$args;
+    }
+
+    # Disable falling back to PHP script for the asset directories;
+    location ~ ^/({{ env.Getenv "NGINX_APP_ASSETS_DIRECTORIES" "public|bundles|web"}})/ {
+        try_files $uri =404;
+    }
+
+    # handle non-files
+    location ~ {{ env.Getenv "NGINX_APP_PHP_NON_FILE_PATTERN" "^/index\\.php(/|$)" }} {
+        # default fastcgi_params
+        include fastcgi_params;
+
+        # fastcgi settings
+        fastcgi_pass backend;
+        fastcgi_index index.php;
+        fastcgi_buffers 8 16k;
+        fastcgi_buffer_size 32k;
+        fastcgi_split_path_info ^(.+\.php)(/.*)$;
+
+        # fastcgi params
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+        fastcgi_param SCRIPT_FILENAME	$realpath_root$fastcgi_script_name;
+        fastcgi_param PHP_ADMIN_VALUE	"open_basedir=none";
+
+        # Prevents URIs that include the front controller. This will 404:
+        # http://domain.tld/index.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+    }
+
+    # return 404 for all other php files not matching the front controller
+    # this prevents access to other php files you don't want to be accessible.
+    location ~ \.php$ {
+        return 404;
+    }
+
+    # favicon.ico
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+
+    # robots.txt
+    location = /robots.txt {
+        log_not_found off;
+        access_log off;
+    }
+
+    # assets, media
+    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+        expires 7d;
+        access_log off;
+    }
+
+    # svg, fonts
+    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
+        add_header Access-Control-Allow-Origin "*";
+        expires 7d;
+        access_log off;
+    }
+}

files/common/nginx/conf.d/compression.conf.gotmpl

@@ -0,0 +1,10 @@
+# Compression
+gzip on;
+gzip_disable "msie6";
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 32 16k;
+gzip_http_version 1.1;
+gzip_min_length 250;
+gzip_types image/jpeg image/bmp image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;

files/common/nginx/conf.d/healthcheck.conf.gotmpl

@@ -0,0 +1,9 @@
+server {
+	listen 8090;
+	location /healthcheck {
+		stub_status;
+		access_log off;
+		allow 127.0.0.1;
+		deny all;
+	}
+}

files/common/nginx/conf.d/log.conf.gotmpl

@@ -0,0 +1,3 @@
+# logging
+access_log /dev/stdout;
+error_log stderr {{ env.Getenv "NGINX_ERROR_LOG_LEVEL" "warn" }};

files/common/nginx/conf.d/mime.conf.gotmpl

@@ -0,0 +1,3 @@
+# MIME
+include mime.types;
+default_type application/octet-stream;

files/common/nginx/conf.d/non-root.conf.gotmpl

@@ -0,0 +1,6 @@
+# Non Root Temp Paths
+client_body_temp_path /tmp/client_temp;
+proxy_temp_path       /tmp/proxy_temp_path;
+fastcgi_temp_path     /tmp/fastcgi_temp;
+uwsgi_temp_path       /tmp/uwsgi_temp;
+scgi_temp_path        /tmp/scgi_temp;

files/common/nginx/conf.d/x-forward.conf.gotmpl

@@ -0,0 +1,4 @@
+# Replace loadbalancer IP(real-ip) with actual client IP.
+set_real_ip_from 0.0.0.0/0;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;

files/common/nginx/nginx.conf.gotmpl

@@ -0,0 +1,50 @@
+# user www-data;
+pid /tmp/nginx.pid;
+worker_processes auto;
+daemon off;
+
+events {
+    worker_connections {{ env.Getenv "NGINX_EVENTS_WORKER_CONNECTIONS" "1024" }};
+}
+
+http {
+    charset {{ env.Getenv "NGINX_CHARSET" "utf-8" }};
+
+    # copies data between one FD and other from within the kernel
+    # faster than read() + write()
+    sendfile {{ env.Getenv "NGINX_SENDFILE" "on" }};
+
+    # send headers in one piece, it is better than sending them one by one
+    tcp_nopush {{ env.Getenv "NGINX_TCP_NOPUSH" "on" }};
+
+    # don't buffer data sent, good for small data bursts in real time
+    tcp_nodelay {{ env.Getenv "NGINX_TCP_NODELAY" "on" }};
+
+    # allow the server to close connection on non responding client, this will free up memory
+    reset_timedout_connection {{ env.Getenv "NGINX_RESET_TIMEDOUT_CONNECTION" "on" }};
+
+    # hide server info for security
+    server_tokens {{ env.Getenv "NGINX_SERVER_TOKENS" "off" }};
+
+    log_not_found {{ env.Getenv "NGINX_LOG_NOT_FOUND" "off" }};
+    types_hash_max_size 2048;
+
+    # if the request body size is more than the buffer size, then the entire (or partial)
+    # request body is written into a temporary file
+    client_body_buffer_size 128k;
+
+    # maximum body size
+    client_max_body_size {{ env.Getenv "NGINX_CLIENT_MAX_BODY_SIZE" "16M" }};
+
+    # maximum number and size of buffers for large headers to read from client request
+    large_client_header_buffers 4 256k;
+
+    # cache information about FDs, frequently accessed files
+    open_file_cache max=200000 inactive=20s;
+    open_file_cache_valid 60s;
+    open_file_cache_min_uses 5;
+    open_file_cache_errors off;
+
+    # load configs
+    include /etc/nginx/conf.d/*.conf;
+}

files/common/nvm/nvm-wrapper.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+export NVM_NODEJS_ORG_MIRROR=https://unofficial-builds.nodejs.org/download/release
+
+NVM_DIR="$HOME/.nvm"
+source "$NVM_DIR/nvm.sh"
+
+nvm_get_arch() { nvm_echo "x64-musl"; }
+
+nvm $@

files/common/scripts/install-dependencies.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+
+set -eo pipefail
+
+main() {
+    if [ "${INSTALL_DEPENDENCIES}" == "0" ]; then
+        echo "Dependencies installation disabled. Doing nothing."
+        exit
+    fi
+
+    install_additional_packages
+}
+
+# Return 3 for unknown distribution
+install_additional_packages() {
+    if [ -z "${ADDITIONAL_PACKAGES}" ]; then
+        return
+    fi
+
+    echo "Installing additional packages '${ADDITIONAL_PACKAGES}'..."
+
+    if [ -f "/etc/debian_version" ]; then
+        export DEBIAN_FRONTEND=noninteractive
+        apt-get update -y
+        apt-get install -y ${ADDITIONAL_PACKAGES}
+    elif [ -f "/etc/alpine-release" ]; then
+        apk update
+        apk add --no-cache ${ADDITIONAL_PACKAGES}
+    else
+        return 3
+    fi
+}
+
+main

files/common/scripts/run.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -eo pipefail
+
+main() {
+    echo "Generating filesystem templates..."
+    generate_templates
+    exec $@
+}
+
+generate_templates() {
+    # Find *.gotmpl files and generate associated configuration files
+    local template_files=$(find / -type f -name '*.gotmpl')
+    
+    for tmpl in $template_files; do
+        local dest_file=${tmpl%".gotmpl"}
+        echo "Generating file '$dest_file'..."
+        gomplate -f "$tmpl" > "$dest_file"
+        chmod $(stat -c '%a' "$tmpl") "$dest_file"
+        chown $(stat -c '%u:%g' "$tmpl") "$dest_file"
+    done
+}
+
+main $@

files/debian/sp-shib/base/Dockerfile

@@ -0,0 +1,27 @@
+FROM reg.cadoles.com/proxy_cache/library/debian:stable-slim
+
+
+RUN export DEBIAN_FRONTEND=noninteractive && \
+  apt-get update -y && \
+  apt-get install -y libapache2-mod-shib php-fpm
+
+RUN a2enmod rewrite expires headers remoteip ssl \
+            proxy proxy_fcgi proxy_http proxy_balancer \
+            lbmethod_bybusyness lbmethod_byrequests lbmethod_bytraffic lbmethod_heartbeat
+
+EXPOSE 80
+
+COPY files/common/healthcheck /usr/local/share/cadoles/healthcheck
+COPY files/common/scripts /usr/local/share/cadoles/scripts
+
+SHELL ["/bin/bash", "-c"]
+CMD ["/bin/bash"]
+
+# ========= Child image build triggers ==========
+
+ONBUILD COPY . /app
+ONBUILD ARG ADDITIONAL_PACKAGES
+ONBUILD ARG INSTALL_DEPENDENCIES
+ONBUILD ARG INSTALL_COMPOSER_DEPENDENCIES
+ONBUILD ARG INSTALL_NPM_DEPENDENCIES
+ONBUILD RUN . /usr/local/share/cadoles/scripts/install-dependencies.sh