From 7abcb690d62491a2df11aadb2ea33d16afd996fd Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:04:33 -0400 Subject: [PATCH 1/8] Combine user creation commands under one RUN statement It's better to combine related commands when possible to both logically group them and to consolidate Docker image layers. --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index f1a49f7..0110c79 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,8 +15,8 @@ ENV CISA_HOME="/home/cisa" ### # Create unprivileged user ### -RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} -RUN adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} +RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ + && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} ## # Make sure pip, setuptools, and wheel are the latest versions From 62f5c459bd24fdd7bb427ccd941b2cfb6ed93738 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:07:40 -0400 Subject: [PATCH 2/8] Adjust the image entrypoint Rather than making the script executable and using it as an entrypoint we instead call python3 to invoke the script as the entrypoint. --- Dockerfile | 2 +- src/email-update.py | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) mode change 100755 => 100644 src/email-update.py diff --git a/Dockerfile b/Dockerfile index 0110c79..315ba3c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -40,4 +40,4 @@ RUN chown --recursive ${CISA_USER}:${CISA_USER} $CISA_HOME ### # USER $USER WORKDIR $CISA_HOME -ENTRYPOINT ["./email-update.py"] +ENTRYPOINT ["python3", "email-update.py"] diff --git a/src/email-update.py b/src/email-update.py old mode 100755 new mode 100644 index bd422fc..b545d16 --- a/src/email-update.py +++ b/src/email-update.py 
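Review bot: The combined `adduser` call on the new `+` line still relies on BusyBox's default home location happening to coincide with `CISA_HOME`, which the context line above sets to `/home/cisa`; if either value is changed independently, the later `COPY ... $CISA_HOME/` and `WORKDIR $CISA_HOME` point at a directory the user does not own. Passing the home explicitly keeps the two in sync: `&& adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} --home ${CISA_HOME} ${CISA_USER}`. Folding the two `RUN`s into one layer is the right call for a logically atomic step.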
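Review bot: `ENTRYPOINT ["python3", "email-update.py"]` resolves the script relative to the working directory, so the entrypoint breaks if a caller overrides it (`docker run -w ...`) or if `WORKDIR` is later changed. Exec form performs no variable expansion, so `$CISA_HOME` cannot be used here; a literal absolute path such as `"/home/cisa/email-update.py"` would remove the dependency at the cost of duplicating the path, which is worth a comment either way. Since Python block-buffers stdout when it is not a TTY, `ENV PYTHONUNBUFFERED=1` is a common companion to this entrypoint so log lines reach the container runtime promptly.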
@@ -1,5 +1,3 @@ -#!/usr/bin/env python - """email-update.py sends a list of HTTP sites requiring client certs. Usage: From 552d78623f97d0d3c13f2f59c88c78628876fc4e Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:11:42 -0400 Subject: [PATCH 3/8] Update user information in the Dockerfile Base default values on the user and uid instead of a mix of values. --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 315ba3c..b175b3b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,11 +6,11 @@ FROM python:3.10.7-alpine3.16 LABEL org.opencontainers.image.authors="jeremy.frasier@trio.dhs.gov" LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency" -ARG CISA_GID=421 -ARG CISA_UID=${CISA_GID} -ENV CISA_USER="cisa" +ARG CISA_UID=421 +ENV CISA_GID=${CISA_UID} +ARG CISA_USER="cisa" ENV CISA_GROUP=${CISA_USER} -ENV CISA_HOME="/home/cisa" +ENV CISA_HOME="/home/${CISA_USER}" ### # Create unprivileged user From 7ff2d976d4cfc5471b5e39693f4ba87c8d37fd4a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:13:50 -0400 Subject: [PATCH 4/8] Ensure file ownership as part of the COPY command Instead of manually running a chown command to ensure ownership we instead assign ownership as part of copying the files into the image. --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b175b3b..c2571e6 100644 --- a/Dockerfile +++ b/Dockerfile 
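Review bot: The ARG/ENV split in the new lines is uneven: `CISA_UID` and `CISA_USER` are build-time `ARG`s, while the values derived from them (`CISA_GID`, `CISA_GROUP`, `CISA_HOME`) are `ENV` and therefore persist into the running container without their counterparts. If the runtime needs none of these, `ARG` throughout is cleaner; if it does need them, exporting the source values as well (`ENV CISA_UID=${CISA_UID}` and `ENV CISA_USER=${CISA_USER}` after the `ARG`s) keeps the runtime environment self-consistent. Either choice deserves a one-line comment above the block stating which values are expected at runtime.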
@@ -32,8 +32,7 @@ RUN pip install --no-cache-dir --requirement /tmp/requirements.txt # Put this just before we change users because the copy (and every # step after it) will often be rerun by docker, but we need to be root # for the chown command. -COPY src/email-update.py src/body.txt src/body.html $CISA_HOME/ -RUN chown --recursive ${CISA_USER}:${CISA_USER} $CISA_HOME +COPY --chown=${CISA_USER}:${CISA_GROUP} src/email-update.py src/body.txt src/body.html $CISA_HOME/ ### # Prepare to Run From 2fd7d981362276958a83afe77c27444e9a1ad104 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:15:09 -0400 Subject: [PATCH 5/8] Use the unprivileged user that has been set up --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c2571e6..ed3f73e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -37,6 +37,6 @@ COPY --chown=${CISA_USER}:${CISA_GROUP} src/email-update.py src/body.txt src/bod ### # Prepare to Run ### -# USER $USER WORKDIR $CISA_HOME +USER $CISA_USER ENTRYPOINT ["python3", "email-update.py"] From 5760ac86dfae657bb2b534b47696666b1207cfbf Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:22:21 -0400 Subject: [PATCH 6/8] Add pinning for some Python packages Since they are managed in the Dockerfile we add version pins for the pip, setuptools, and wheel packages. --- Dockerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ed3f73e..e4767a1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,7 +21,10 @@ RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ ## # Make sure pip, setuptools, and wheel are the latest versions ## -RUN pip install --no-cache-dir --upgrade pip setuptools wheel +RUN pip install --no-cache-dir --upgrade \ + pip==22.2.2 \ + setuptools==65.3.0 \ + wheel==0.37.1 ## # Install client-cert-update python requirements 
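Review bot: `COPY --chown=${CISA_USER}:${CISA_GROUP}` preserves the ownership the removed `chown --recursive` produced, but it is a good moment to ask whether the script and the two body templates need to be writable by the account that executes them. Unless `email-update.py` writes into `$CISA_HOME` (not visible in this series), leaving the copied files root-owned (the default) and world-readable is the tighter option, and with BuildKit `COPY --chmod=0644` makes the read-only intent explicit. A short comment such as `# Files are read-only for the runtime user; the home directory itself stays user-owned` would record the decision.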
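Review bot: `USER $CISA_USER` switches by name, which needs an `/etc/passwd` lookup at container start and cannot be verified by runtimes that enforce a non-root UID (Kubernetes `runAsNonRoot`, for example, refuses to start an image whose `USER` is non-numeric). Both numeric values are already in scope at this point in the file, so `USER ${CISA_UID}:${CISA_GID}` selects the same account with a verifiable UID, and the passwd entry created by `adduser` still supplies `HOME`.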
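Review bot: The new pins on `pip`, `setuptools` and `wheel` fix versions but not content: the install still trusts whatever the index serves for those versions, because pip's `--hash` checking is only available through a requirements file. If supply-chain integrity matters for this image, move the three pins into a hash-pinned requirements file installed in `--require-hashes` mode alongside the project's `requirements.txt`; otherwise a comment above the `RUN` such as `# Version-pinned only (no hashes); bump together with the base image` documents the accepted trade-off and the update cadence.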
From 262fc950061f1938289d7d5dfd5ba99b04a18422 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:24:59 -0400 Subject: [PATCH 7/8] Update Dockerfile comments Cleanup, correct, and streamline the commenting in the Dockerfile. --- Dockerfile | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index e4767a1..9a37184 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,40 +6,32 @@ FROM python:3.10.7-alpine3.16 LABEL org.opencontainers.image.authors="jeremy.frasier@trio.dhs.gov" LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency" +# Unprivileged user information ARG CISA_UID=421 ENV CISA_GID=${CISA_UID} ARG CISA_USER="cisa" ENV CISA_GROUP=${CISA_USER} ENV CISA_HOME="/home/${CISA_USER}" -### # Create unprivileged user -### RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} -## -# Make sure pip, setuptools, and wheel are the latest versions -## +# Install core Python packages RUN pip install --no-cache-dir --upgrade \ pip==22.2.2 \ setuptools==65.3.0 \ wheel==0.37.1 -## -# Install client-cert-update python requirements -## +# Install client-cert-update Python requirements COPY src/requirements.txt /tmp RUN pip install --no-cache-dir --requirement /tmp/requirements.txt # Put this just before we change users because the copy (and every -# step after it) will often be rerun by docker, but we need to be root -# for the chown command. +# step after it) will often be rerun by Docker. COPY --chown=${CISA_USER}:${CISA_GROUP} src/email-update.py src/body.txt src/body.html $CISA_HOME/ -### -# Prepare to Run -### +# Prepare to run WORKDIR $CISA_HOME USER $CISA_USER ENTRYPOINT ["python3", "email-update.py"] From 2d59ea995dc9d5b83f8ae9c5afe638c9b175372f Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 9 Sep 2022 13:25:52 -0400 Subject: [PATCH 8/8] Call pip as a Python module Instead of relying on the pip command we instead call it as a module from the python3 command. This ensures that pip is installing packages in the same Python version/environment as we use to run the `email-update.py` script. --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9a37184..c9119c8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,14 +18,14 @@ RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} # Install core Python packages -RUN pip install --no-cache-dir --upgrade \ +RUN python3 -m pip install --no-cache-dir --upgrade \ pip==22.2.2 \ setuptools==65.3.0 \ wheel==0.37.1 # Install client-cert-update Python requirements COPY src/requirements.txt /tmp -RUN pip install --no-cache-dir --requirement /tmp/requirements.txt +RUN python3 -m pip install --no-cache-dir --requirement /tmp/requirements.txt # Put this just before we change users because the copy (and every # step after it) will often be rerun by Docker.
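Review bot: Both `python3 -m pip install` lines now target the interpreter that runs the script, but the second one still reads `/tmp/requirements.txt` from the preceding `COPY`, so the requirements file remains in the final image under `/tmp`. With BuildKit a bind mount avoids both the extra layer and the leftover file: `RUN --mount=type=bind,source=src/requirements.txt,target=/tmp/requirements.txt python3 -m pip install --no-cache-dir --requirement /tmp/requirements.txt`. If `src/requirements.txt` is generated with hashes, adding `--require-hashes` to that line makes pip verify every downloaded artifact; whether the file carries hashes is not visible in this series.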