Improve security of Docker image

.gitignore

@@ -89,6 +89,12 @@ nb-configuration.xml
 .DS_Store
 
 
+##############################
+## Web
+##############################
+node_modules
+studio/src/main/resources/static
+
 ##############################
 ## WDK
 ##############################

Dockerfile

@@ -1,11 +1,15 @@
-FROM openjdk:17-alpine
+FROM amazoncorretto:17-alpine
 RUN jlink --no-header-files --no-man-pages --compress=2 --strip-java-debug-attributes --output /jre \
     --add-modules java.base,java.scripting,java.sql,jdk.unsupported,java.se,jdk.crypto.ec
 
 FROM alpine:3.18
 ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
 COPY --from=0 /jre /jre
 COPY artifact/*.jar /wdk.jar
+
 WORKDIR /symphony
+RUN addgroup -S symphony && adduser -S symphony -G symphony && chown -R symphony:symphony /symphony
+USER symphony
 
+EXPOSE 8080
 ENTRYPOINT [ "/jre/bin/java", "-jar", "/wdk.jar", "--spring.profiles.active=${PROFILE:default}" ]

studio/deployment/deployment.yml

@@ -24,7 +24,7 @@ spec:
         - envFrom:
             - secretRef:
                 name: wdk-studio-keys
-          image: ghcr.io/symphonyplatformsolutions/wdk-studio:2.1.11
+          image: finos/symphony-wdk-studio:latest
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 3
@@ -61,25 +61,24 @@ spec:
             runAsNonRoot: true
             allowPrivilegeEscalation: false
           volumeMounts:
-            - mountPath: /data/symphony/rsa
+            - mountPath: /symphony/rsa
               name: keys
-            - mountPath: /data/symphony/data
+            - mountPath: /symphony/data
               name: data
-            - mountPath: /data/symphony/lib
-              name: lib
-            - mountPath: /data/symphony/application-prod.yaml
+            - mountPath: /symphony/application-prod.yaml
               name: config
               subPath: application-prod.yaml
+      securityContext:
+        fsGroup: 101
+        runAsGroup: 101
+        runAsUser: 100
       volumes:
         - configMap:
             name: wdk-studio-config
           name: config
         - name: data
           persistentVolumeClaim:
             claimName: wdk-studio-data-pvc
-        - name: lib
-          persistentVolumeClaim:
-            claimName: wdk-studio-lib-pvc
         - name: keys
           secret:
             secretName: wdk-studio-keys

studio/deployment/persistent-volume-claims.yml

@@ -8,14 +8,3 @@ spec:
   resources:
     requests:
       storage: 1Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: wdk-studio-lib-pvc
-spec:
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 200Mi

studio/deployment/secrets.yml

@@ -1,10 +1,12 @@
 apiVersion: v1
 data:
+  ENCRYPT_PASSPHRASE:
   GITHUB_TOKEN:
   MANAGEMENT_TOKEN:
   MONITORING_TOKEN:
   app-privatekey.pem:
   bot-privatekey.pem:
+  connect-privatekey.pem:
 kind: Secret
 metadata:
   name: wdk-studio-keys

studio/readme.md

@@ -15,15 +15,20 @@ of Symphony's Workflow Developer Kit right into the Symphony interface.
     - The `encrypt.passphrase` value should be a random string at least 16 characters long
     - The `github-token` can be created on [GitHub](https://github.com/settings/tokens) using `Tokens (classic)` and the `public_repo` scope
     - The `admins` field is a comma-separated list of Symphony User IDs who will be granted rights within WDK Studio to reassign workflow ownership
+    - Include the `bdk.federation` section only if Federation APIs should be enabled (an activated federation key pair is required)
    ```yaml
    bdk:
      host: develop2.symphony.com
      bot:
        username: my-bot-username
-       privateKey.path: privatekey.pem
+       privateKey.path: rsa/bot-privatekey.pem
      app:
        appId: my-app-id
-       privateKey.path: privatekey.pem
+       privateKey.path: rsa/app-privatekey.pem
+     federation:
+       uri: https://connect.uat.symphony.com/admin
+       privateKey.path: rsa/connect-privatekey.pem
+       publicKeyName: my-connect-public-key-name
    wdk:
      encrypt.passphrase: random_string_min_16_chars
      properties:
@@ -33,18 +38,27 @@ of Symphony's Workflow Developer Kit right into the Symphony interface.
        github-token: github_token
        admins: 1234567,2345678
    ```
-
+2. Create the following file structure:
+   ```shell
+    .
+   ├──  application-prod.yaml
+   ├──  data
+   └──  rsa
+   ├──  app-privatekey.pem
+   ├──  bot-privatekey.pem
+   └──  connect-privatekey.pem
+   ```
 2. Save the private keys in the same directory and an empty `data` directory
 3. Launch docker and mount the files as appropriate
-    ```shell
+   ```shell
     docker run --rm \
         --name wdk-studio \
         -p 8080:8080 \
         --mount type=bind,source="$(pwd)"/application-prod.yaml,target=/symphony/application-prod.yaml,readonly \
-        --mount type=bind,source="$(pwd)"/privatekey.pem,target=/symphony/privatekey.pem,readonly \
-        -v $(pwd)/data:/symphony/data \
+        -v ./rsa:/symphony/rsa \
+        -v ./data:/symphony/data \
         finos/symphony-wdk-studio:latest
-    ```
+   ```
 4. This command exposes the deployment on the current host on port `8080`,
 which then needs to be fronted with an ingress controller or load balancer
 with a trusted TLS certificate. The resulting URL then needs to be defined in