From 3227437f52d7eff428495b13b75d9acfa95b317d Mon Sep 17 00:00:00 2001
From: quelsan <52572277+quelsan@users.noreply.github.com>
Date: Mon, 7 Oct 2019 05:18:06 +0200
Subject: [PATCH] Improved Dockerfile and run script (#1579)

The Dockerfile has also been rebuilt to use an unprivileged user instead of root. The run script adds more options and changes the method the configuration is overwritten, which may help in situations where the configuration is not owned by the unprivileged user.
---
 Dockerfile | 47 ++++++++++++++++++++++++++++++-----------------
 docker/run.sh | 26 +++++++++++++++++---------
 2 files changed, 47 insertions(+), 26 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 7f517c78..36f12874 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,30 +1,43 @@
-# setup build image
-FROM golang:1.11 AS build
+# Minify client side assets (JavaScript)
+FROM node:latest AS build-js
-# build Gophish binary
-WORKDIR /build/gophish
+RUN npm install gulp gulp-cli -g
+
+WORKDIR /build
 COPY . .
-RUN go get -d -v ./...
-RUN go build
+RUN npm install --only=dev
+RUN gulp
-# setup run image
+# Build Golang binary
+FROM golang:1.11 AS build-golang
+
+WORKDIR /go/src/github.com/gophish/gophish
+COPY . .
+RUN go get -v && go build -v
+
+
+# Runtime container
 FROM debian:stable-slim
+RUN useradd -m -d /opt/gophish -s /bin/bash app
+
 RUN apt-get update && \
- apt-get install --no-install-recommends -y \
- jq && \
- apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+ apt-get install --no-install-recommends -y jq && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-# copy Gophish assets from the build image
-WORKDIR /gophish
-COPY --from=build /build/gophish/ /gophish/
-RUN chmod +x gophish
+WORKDIR /opt/gophish
+COPY --from=build-golang /go/src/github.com/gophish/gophish/ ./
+COPY --from=build-js /build/static/js/dist/ ./static/js/dist/
+COPY --from=build-js /build/static/css/dist/ ./static/css/dist/
+COPY --from=build-golang /go/src/github.com/gophish/gophish/config.json ./
+RUN chown app. config.json
-# expose the admin port to the host
+USER app
 RUN sed -i 's/127.0.0.1/0.0.0.0/g' config.json
+RUN touch config.json.tmp
-# expose default ports
-EXPOSE 80 443 3333
+EXPOSE 3333 8080 8443
 CMD ["./docker/run.sh"]
diff --git a/docker/run.sh b/docker/run.sh
index 07e072d8..17cceb5d 100755
--- a/docker/run.sh
+++ b/docker/run.sh
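Review bot: The new `build-js` stage in the Dockerfile hunk uses `FROM node:latest` and `RUN npm install gulp gulp-cli -g` with no versions, so every rebuild can pull a different Node release and different gulp packages, whose install scripts run as root in that stage with the whole repository copied in. Pin the base to a tag or digest (`FROM node:<PINNED_VERSION> AS build-js`) and the tools (`npm install -g gulp@<VERSION> gulp-cli@<VERSION>`); if the repository carries a lockfile, `npm ci` on the copied manifests is preferable to `npm install --only=dev` after `COPY . .`. Separately, `COPY --from=build-golang /go/src/github.com/gophish/gophish/ ./` ships the entire source tree and anything else in the build context in the runtime image; copying only the binary, templates, static assets and config would reduce what is exposed there. It is also worth confirming the listener ports: the image now runs as `app` and exposes 8080/8443, so if `config.json` (not shown in this patch) still binds the phishing listener to port 80, the unprivileged process may be unable to bind it unless `PHISH_LISTEN_URL` is set.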
@@ -5,25 +5,25 @@ if [ -n "${ADMIN_LISTEN_URL+set}" ] ; then
 jq -r \
 --arg ADMIN_LISTEN_URL "${ADMIN_LISTEN_URL}" \
 '.admin_server.listen_url = $ADMIN_LISTEN_URL' config.json > config.json.tmp && \
- mv config.json.tmp config.json
+ cat config.json.tmp > config.json
 fi
 if [ -n "${ADMIN_USE_TLS+set}" ] ; then
 jq -r \
 --argjson ADMIN_USE_TLS "${ADMIN_USE_TLS}" \
 '.admin_server.use_tls = $ADMIN_USE_TLS' config.json > config.json.tmp && \
- mv config.json.tmp config.json
+ cat config.json.tmp > config.json
 fi
 if [ -n "${ADMIN_CERT_PATH+set}" ] ; then
 jq -r \
 --arg ADMIN_CERT_PATH "${ADMIN_CERT_PATH}" \
 '.admin_server.cert_path = $ADMIN_CERT_PATH' config.json > config.json.tmp && \
- mv config.json.tmp config.json
+ cat config.json.tmp > config.json
 fi
 if [ -n "${ADMIN_KEY_PATH+set}" ] ; then
 jq -r \
 --arg ADMIN_KEY_PATH "${ADMIN_KEY_PATH}" \
 '.admin_server.key_path = $ADMIN_KEY_PATH' config.json > config.json.tmp && \
- mv config.json.tmp config.json
+ cat config.json.tmp > config.json
 fi
 # set config for phish_server
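Review bot: The `cat config.json.tmp > config.json` that replaces `mv` truncates the live config before writing, and nothing checks whether the `jq ... && cat ...` chain succeeded. A rejected value (for example non-JSON in `ADMIN_USE_TLS`, which `--argjson` refuses) or an unwritable `config.json` therefore lets the service start with settings other than the ones requested, possibly an admin listener without TLS. The same pattern repeats in the `@@ -31,25 +31,25 @@` and `@@ -57,9 +57,17 @@` hunks. Make each update fail closed, e.g. `cat config.json.tmp > config.json || { echo "failed to update config.json" >&2; exit 1; }`, and remove `config.json.tmp` after the last update so a second copy of the configuration is not left on disk. The top of the script is outside this hunk, so an existing `set -e` cannot be ruled out, but it would not catch a `jq` failure in the middle of an `&&` list.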
@@ -31,25 +31,25 @@ if [ -n "${PHISH_LISTEN_URL+set}" ] ; then
 jq -r \
 --arg PHISH_LISTEN_URL "${PHISH_LISTEN_URL}" \
 '.phish_server.listen_url = $PHISH_LISTEN_URL' config.json > config.json.tmp && \
- mv config.json.tmp config.json
+ cat config.json.tmp > config.json
 fi
 if [ -n "${PHISH_USE_TLS+set}" ] ; then
 jq -r \
 --argjson PHISH_USE_TLS "${PHISH_USE_TLS}" \
 '.phish_server.use_tls = $PHISH_USE_TLS' config.json > config.json.tmp && \
- mv config.json.tmp config.json
+ cat config.json.tmp > config.json
 fi
 if [ -n "${PHISH_CERT_PATH+set}" ] ; then
 jq -r \
 --arg PHISH_CERT_PATH "${PHISH_CERT_PATH}" \
 '.phish_server.cert_path = $PHISH_CERT_PATH' config.json > config.json.tmp && \
- mv config.json.tmp config.json
+ cat config.json.tmp > config.json
 fi
 if [ -n "${PHISH_KEY_PATH+set}" ] ; then
 jq -r \
 --arg PHISH_KEY_PATH "${PHISH_KEY_PATH}" \
 '.phish_server.key_path = $PHISH_KEY_PATH' config.json > config.json.tmp && \
- mv config.json.tmp config.json
+ cat config.json.tmp > config.json
 fi
 # set contact_address
@@ -57,9 +57,17 @@ if [ -n "${CONTACT_ADDRESS+set}" ] ; then
 jq -r \
 --arg CONTACT_ADDRESS "${CONTACT_ADDRESS}" \
 '.contact_address = $CONTACT_ADDRESS' config.json > config.json.tmp && \
- mv config.json.tmp config.json
+ cat config.json.tmp > config.json
 fi
+if [ -n "${DB_FILE_PATH+set}" ] ; then
+ jq -r \
+ --arg DB_FILE_PATH "${DB_FILE_PATH}" \
+ '.db_path = $DB_FILE_PATH' config.json > config.json.tmp && \
+ cat config.json.tmp > config.json
+fi
+
+echo "Runtime configuration: "
 cat config.json
 # start gophish
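Review bot: In the `@@ -57,9 +57,17 @@` hunk the script announces and dumps the whole `config.json` to stdout on every start, right after the new `DB_FILE_PATH` block writes `db_path`. Container stdout normally ends up in log collectors, so anything sensitive in the config is copied there. If `db_path` can hold a database connection string with a password rather than a plain file path (worth confirming against the application's config handling), that credential would be logged in clear text. Print a redacted view instead, e.g. `jq '.db_path = "<redacted>"' config.json`, or drop the dump.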