feat: add tmce plugin

Include the jar plugin as encrypted file inside the webapp container image. Add an entrypoint script that decrypts the jar when the container is started.
NethServer · Jan 23, 2025 · b6fafd3 · b6fafd3
1 parent 9acc953
commit b6fafd3
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 1 deletion.
diff --git a/.github/workflows/publish-images.yml b/.github/workflows/publish-images.yml
@@ -7,6 +7,11 @@ permissions:
   packages: write
 
 jobs:
+  set-env:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set TMCE_TOKEN environment variable
+        run: echo "TMCE_TOKEN=${{ secrets.WEBTOP_PR }}" >> $GITHUB_ENV
   publish-images:
     if: github.run_number > 1
     uses: NethServer/ns8-github-actions/.github/workflows/publish-branch.yml@v1

diff --git a/build-images.sh b/build-images.sh
@@ -11,6 +11,8 @@ images=()
 repobase="${REPOBASE:-ghcr.io/nethserver}"
 #Get WebTop version
 webtop_version=$(cat ${PWD}/webtop5-build/VERSION)
+# tmce plugin jar
+tmce_jar="webtop-tmceplugins-6.3.1.0.jar"
 
 # Download of external deps and CHECKSUM verification:
 if ! compgen -G "pecbridge-*.tar.gz"; then
@@ -63,6 +65,12 @@ pecbridge_tmp_dir=$(mktemp -d)
 cleanup_list+=("${pecbridge_tmp_dir}")
 tar -C "${pecbridge_tmp_dir}" -x -v -z -f pecbridge-*.tar.gz
 
+# Download tmce plugin if GITHUB_TOKEN is set
+if [ -n "${TMCE_TOKEN}" ]; then
+    curl -H "Authorization: token $TMCE_TOKEN" -H 'Accept: application/vnd.github.v3.raw' -o $tmce_jar -L \
+      https://api.github.com/repos/nethesis/webtop-tmceplugins/contents/$tmce_jar?ref=master
+fi
+
 #Create webtop-webapp container
 reponame="webtop-webapp"
 container=$(buildah from docker.io/library/tomcat:8-jre8)
@@ -75,6 +83,12 @@ buildah add ${container} ${PWD}/zfaker/wrappers/php /usr/share/webtop/bin/php
 buildah add ${container} ${PWD}/zfaker/wrappers/z-push-admin-wapper /usr/share/webtop/bin/z-push-admin-wrapper
 buildah add ${container} ${pecbridge_tmp_dir}/pecbridge /usr/share/pecbridge
 buildah add ${container} ${PWD}/webapp/ /
+if [ -f $tmce_jar ]; then
+    # Encrypt the jar with 'subscription' password using gpg
+    gpg --batch --yes --passphrase 'subscription' -c $tmce_jar
+    # Decrypt the jar with 'subscription' password using gpg
+    buildah add ${container} ${PWD}/$tmce_jar.gpg /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar.gpg
+fi
 # Commit the image
 buildah commit --rm "${container}" "${repobase}/${reponame}"
 
@@ -164,7 +178,7 @@ buildah run --env="NODE_OPTIONS=--openssl-legacy-provider" nodebuilder-webtop sh
 buildah add "${container}" imageroot /imageroot
 buildah add "${container}" ui/dist /ui
 # Setup the entrypoint, ask to reserve one TCP port with the label and set a rootless container
-buildah config --entrypoint=/ \
+buildah config --entrypoint=/entrypoint.sh \
     --label="org.nethserver.authorizations=traefik@node:routeadm mail@any:mailadm cluster:accountconsumer" \
     --label="org.nethserver.tcp-ports-demand=1" \
     --label="org.nethserver.rootfull=0" \

diff --git a/webapp/entrypoint.sh b/webapp/entrypoint.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+# Enable tmce plugin only if subscription is enabled
+
+# Decrypt tmce plugins jar if subscription is enabled
+if [ "VALID_SUBSCRIPTION=true" ]; then
+    gpg --batch --yes --passphrase 'subscription' -d -o /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar  \
+        /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar.gpg
+fi