Enforce vscode permissions and executions for workspaces dir (#1695)

Co-authored-by: Jumana B <[email protected]>
cds-snc · Nov 7, 2023 · dbf27cd · dbf27cd
1 parent b693d4f
commit dbf27cd
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 38 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -2,6 +2,14 @@ FROM mcr.microsoft.com/vscode/devcontainers/python:0-3.10@sha256:4a63a015cda9086
 
 ENV POETRY_VERSION="1.3.2"
 
+ARG USERNAME=vscode
+
+# Get vscode to work with sudo on all commands with no required password.
+RUN apt-get install -y sudo \
+    && echo $USERNAME ALL=\(ALL\) NOPASSWD: ALL > /etc/sudoers.d/$USERNAME \
+    # && echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME \
+    && chmod 0440 /etc/sudoers.d/$USERNAME
+
 RUN apt-get update \
     && apt-get -y install --no-install-recommends apt-utils 2>&1 \
     && apt-get -y install \
@@ -45,4 +53,10 @@ RUN pip install --upgrade pip
 
 COPY .devcontainer/scripts/notify-dev-entrypoint.sh /usr/local/bin/
 
+COPY --chown=vscode:vscode .devcontainer/scripts/installations.sh /usr/local/bin/
+RUN chmod -R 765 /usr/local/bin/installations.sh
+
+# Set the default user, which is remoteUser as defined in the devcontainer.json file.
+USER $USERNAME
+
 EXPOSE 6012
diff --git a/.devcontainer/scripts/installations.sh b/.devcontainer/scripts/installations.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+set -ex
+
+export POETRY_VERSION="1.3.2"
+
+# Define aliases
+echo -e "\n\n# User's Aliases" >> ~/.zshrc
+echo -e "alias fd=fdfind" >> ~/.zshrc
+echo -e "alias l='ls -al --color'" >> ~/.zshrc
+echo -e "alias ls='exa'" >> ~/.zshrc
+echo -e "alias l='exa -alh'" >> ~/.zshrc
+echo -e "alias ll='exa -alh@ --git'" >> ~/.zshrc
+echo -e "alias lt='exa -al -T -L 2'" >> ~/.zshrc
+
+# Poetry autocomplete
+echo -e "fpath+=/.zfunc" >> ~/.zshrc
+echo -e "autoload -Uz compinit && compinit"
+
+# Install Poetry
+pip install poetry==${POETRY_VERSION}
+echo "PATH=$PATH"
+#echo "/home/vscode/.local/bin/.."
+export PATH=$PATH:/home/vscode/.local/bin/
+which poetry
+poetry --version
+
+# Initialize poetry autocompletions
+mkdir ~/.zfunc
+touch ~/.zfunc/_poetry
+poetry completions zsh > ~/.zfunc/_poetry
+
+# Install dependencies
+cd /workspaces/notification-admin
+poetry install
+
+npm rebuild node-sass
+make generate-version-file
+make babel
+
+npm ci install
+npm run build
+
+# install npm deps (i.e. cypress)
+cd tests_cypress && npm install && npx cypress install && cd ..
diff --git a/.devcontainer/scripts/notify-dev-entrypoint.sh b/.devcontainer/scripts/notify-dev-entrypoint.sh
@@ -7,44 +7,8 @@ set -ex
 # tools and the filesystem mount enabled should be located here.
 ###################################################################
 
-# Define aliases
-echo -e "\n\n# User's Aliases" >> ~/.zshrc
-echo -e "alias fd=fdfind" >> ~/.zshrc
-echo -e "alias l='ls -al --color'" >> ~/.zshrc
-echo -e "alias ls='exa'" >> ~/.zshrc
-echo -e "alias l='exa -alh'" >> ~/.zshrc
-echo -e "alias ll='exa -alh@ --git'" >> ~/.zshrc
-echo -e "alias lt='exa -al -T -L 2'" >> ~/.zshrc
-
-# Poetry autocomplete
-echo -e "fpath+=/.zfunc" >> ~/.zshrc
-echo -e "autoload -Uz compinit && compinit"
-
-# Install Poetry
-pip install poetry==${POETRY_VERSION} \
-  && poetry --version
-
-# Initialize poetry autocompletions
-mkdir ~/.zfunc
-touch ~/.zfunc/_poetry
-poetry completions zsh > ~/.zfunc/_poetry
-
 # Tell git the workspace repository is safe, else upcoming commands will fail.
 git config --global --add safe.directory /workspaces/notification-admin
 
-# Warm up git index prior to display status in prompt else it will
-# be quite slow on every invocation of starship.
-git status
-
-# Install dependencies
-poetry install
-
-npm rebuild node-sass
-make generate-version-file
-make babel
-
-npm ci install
-npm run build
-
-# install npm deps (i.e. cypress)
-cd tests_cypress && npm install && npx cypress install && cd ..
+chown -R vscode:vscode /workspaces/notification-admin
+sudo -u vscode -i -- /usr/local/bin/installations.sh