Get SAS running

Author: pantherman594

src/aou-sas/docker-compose.yaml

@@ -18,19 +18,17 @@ services:
       # SAS startup script — invoked via PRE_DEPLOY_SCRIPT before SAS
       # services start.  Must NOT mount at /tmp/pre_deploy.sh because
       # the entrypoint overwrites that path with the env var content.
-      - ./sas-startup.sh:/opt/sas/aou/sas-startup.sh:ro
-      # Fallback license mount for manual GCE testing without Mikey Secrets.
-      # With Mikey Secrets, the entrypoint wrapper populates /sasinside/ from
-      # the SAS_LICENSE_PATH file descriptor instead.
-      - ./sasinside:/sasinside
+      - ./sas-pre-deploy.sh:/opt/sas/aou/sas-pre-deploy.sh:ro
+      - ./sas-post-deploy.sh:/opt/sas/aou/sas-post-deploy.sh:ro
     tmpfs:
       - /data/workspace:uid=1002,gid=1100
     environment:
       HOST_AUTH: ""
       SAS_DEBUG: "0"
       SASLICENSEFILE: "SASLicense.jwt"
       GOMEMLIMIT: "20MiB"
-      PRE_DEPLOY_SCRIPT: "bash /opt/sas/aou/sas-startup.sh"
+      PRE_DEPLOY_SCRIPT: "bash /opt/sas/aou/sas-pre-deploy.sh"
+      POST_DEPLOY_SCRIPT: "bash /opt/sas/aou/sas-post-deploy.sh"
       JAVA_OPTION_SAS_COMMONS_WEB_SECURITY_CORS_ALLOWEDORIGINS: "-Dsas.commons.web.security.cors.allowedOrigins=*"
       JAVA_OPTION_SAS_COMMONS_WEB_SECURITY_CORS_ALLOWCREDENTIALS: "-Dsas.commons.web.security.cors.allowCredentials=false"
       JAVA_OPTION_SAS_COMMONS_WEB_SECURITY_CORS_ALLOWEDHEADERS: "-Dsas.commons.web.security.cors.allowedHeaders=*"

src/aou-sas/sas-entrypoint.sh

@@ -13,7 +13,7 @@ if [ -n "${SAS_LICENSE_PATH:-}" ]; then
   mkdir -p /sasinside
   cp "$SAS_LICENSE_PATH" /sasinside/SASLicense.jwt
   chmod 400 /sasinside/SASLicense.jwt
-  chown root:root /sasinside/SASLicense.jwt
+  chown sas:sas /sasinside/SASLicense.jwt
 fi
 
 exec /opt/sas/viya/home/bin/sas-analytics-pro-entrypoint.sh "$@"

src/aou-sas/sas-post-deploy.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+# sas-post-deploy.sh — Lock down the SAS license after it has been applied.
+#
+# Invoked via POST_DEPLOY_SCRIPT after SAS services start.  The license must
+# be readable by the sas user during application (PRE_DEPLOY), but afterward
+# we restrict it to root so the aou user cannot exfiltrate it via pipe commands.
+
+if [ -f /sasinside/SASLicense.jwt ]; then
+  chmod 400 /sasinside/SASLicense.jwt
+  chown root:root /sasinside/SASLicense.jwt
+fi

src/aou-sas/sas-startup.sh src/aou-sas/sas-pre-deploy.shsrc/aou-sas/sas-startup.sh renamed to src/aou-sas/sas-pre-deploy.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
-# sas-startup.sh — Runtime setup for SAS Analytics Pro on VWB GCE.
+# sas-pre-deploy.sh — Runtime setup for SAS Analytics Pro on VWB GCE.
 #
-# Mounted at /opt/sas/aou/sas-startup.sh and invoked via PRE_DEPLOY_SCRIPT
+# Mounted at /opt/sas/aou/sas-pre-deploy.sh and invoked via PRE_DEPLOY_SCRIPT
 # before SAS services start.  Only handles steps that depend on the /data
 # volume or runtime state; build-time setup is in the Dockerfile.
 #
@@ -17,16 +17,6 @@ set -o pipefail
 mkdir -p /data/saswork /data/utilloc
 chown -R aou:aougroup /data
 
-###############################################################################
-# Lock down the SAS license so the aou user cannot read it via pipe commands.
-# The entrypoint wrapper already sets root:root 0400 for Mikey Secrets, but
-# this covers the bind-mount fallback and acts as defence in depth.
-###############################################################################
-if [ -f /sasinside/SASLicense.jwt ]; then
-  chown root:root /sasinside/SASLicense.jwt
-  chmod 400 /sasinside/SASLicense.jwt
-fi
-
 ###############################################################################
 # AoU environment loader (staged in Dockerfile at /opt/sas/aou/)
 ###############################################################################