Merge branch 'feature/PB-50003_Passbolt-container-doesnt-start-when-JWT-keys-are-mounted-as-a-read-only-secret' into 'master'

PB-50003: allow failure of the JWT keypair permissions adjustment

See merge request passbolt/passbolt_docker!248

Author: LouisVallat

scripts/entrypoint/passbolt/entrypoint-openshift.sh

@@ -90,9 +90,16 @@ function jwt_keys_creation() {
   if [[ ! -f "$passbolt_config/jwt/jwt.key" || ! -f "$passbolt_config/jwt/jwt.pem" ]]; then
     mkdir -p "$passbolt_config/jwt"
     chmod 770 "$passbolt_config/jwt"
-
     /usr/share/php/passbolt/bin/cake passbolt create_jwt_keys
+  fi
+}
 
+function jwt_keys_permissions_adjustments() {
+    if [[ "${PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED}" == "false" ]]; then
+    return 0
+  fi
+
+  if [[ -f "$passbolt_config/jwt/jwt.key" && -f "$passbolt_config/jwt/jwt.pem" ]]; then
     chmod 640 "$passbolt_config/jwt/jwt.key"
     chown www-data:0 "$passbolt_config/jwt/jwt.key"
     chmod 640 "$passbolt_config/jwt/jwt.pem"
@@ -112,8 +119,8 @@ function install() {
   fi
 
   import_subscription || true
-
   jwt_keys_creation
+  jwt_keys_permissions_adjustments || echo "[WARN] An attempt to adjust the JWT keypair permission failed. This may be expected if you mount your own keypair as read-only and may be fine as long as the Passbolt server can read said keypair. You can use the health-check command to find any issue with your instance: https://www.passbolt.com/docs/hosting/troubleshooting/logs/#api" >&2
   install_command || migrate_command && echo "Enjoy! ☮"
   check_fullbase_url
 }

scripts/entrypoint/passbolt/entrypoint-rootless.sh

@@ -90,9 +90,16 @@ function jwt_keys_creation() {
   if [[ ! -f "$passbolt_config/jwt/jwt.key" || ! -f "$passbolt_config/jwt/jwt.pem" ]]; then
     mkdir -p "$passbolt_config/jwt"
     chmod 770 "$passbolt_config/jwt"
-
     /usr/share/php/passbolt/bin/cake passbolt create_jwt_keys
+  fi
+}
+
+function jwt_keys_permissions_adjustments() {
+  if [[ "${PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED}" == "false" ]]; then
+    return 0
+  fi
 
+  if [[ -f "$passbolt_config/jwt/jwt.key" && -f "$passbolt_config/jwt/jwt.pem" ]]; then
     chmod 640 "$passbolt_config/jwt/jwt.key"
     chmod 640 "$passbolt_config/jwt/jwt.pem"
     chmod 750 "$passbolt_config/jwt"
@@ -111,6 +118,7 @@ function install() {
 
   import_subscription || true
   jwt_keys_creation
+  jwt_keys_permissions_adjustments || echo "[WARN] An attempt to adjust the JWT keypair permission failed. This may be expected if you mount your own keypair as read-only and may be fine as long as the Passbolt server can read said keypair. You can use the health-check command to find any issue with your instance: https://www.passbolt.com/docs/hosting/troubleshooting/logs/#api" >&2
   install_command || migrate_command && echo "Enjoy! ☮"
   check_fullbase_url
 }

scripts/entrypoint/passbolt/entrypoint.sh

@@ -95,6 +95,12 @@ function jwt_keys_creation() {
     chown www-data:www-data "$passbolt_config/jwt"
     su -c '/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys' -s /bin/bash www-data
   fi
+}
+
+function jwt_keys_permissions_adjustments() {
+  if [[ "${PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED}" == "false" ]]; then
+    return 0
+  fi
 
   if [[ -f "$passbolt_config/jwt/jwt.key" && -f "$passbolt_config/jwt/jwt.pem" ]]; then
     chmod 640 "$passbolt_config/jwt/jwt.key"
@@ -118,6 +124,7 @@ function install() {
 
   import_subscription || true
   jwt_keys_creation
+  jwt_keys_permissions_adjustments || echo "[WARN] An attempt to adjust the JWT keypair permission failed. This may be expected if you mount your own keypair as read-only and may be fine as long as the Passbolt server can read said keypair. You can use the health-check command to find any issue with your instance: https://www.passbolt.com/docs/hosting/troubleshooting/logs/#api" >&2
   install_command || migrate_command && echo "Enjoy! ☮"
   check_fullbase_url
 }