Revert "Revert "Adds FIPS comatible SSL option to the UBI9 docker ima…

…ge (#505)" (#510)" (#512)

This reverts commit 228f02f.

docker-image-src/4.4/coredb/Dockerfile-debian

@@ -44,7 +44,7 @@ RUN apt update \
     && rm -rf /var/lib/apt/lists/* /su-exec
 
 
-ENV PATH "${NEO4J_HOME}"/bin:$PATH
+ENV PATH="${NEO4J_HOME}"/bin:$PATH
 
 WORKDIR "${NEO4J_HOME}"
 

docker-image-src/4.4/coredb/Dockerfile-ubi9

@@ -84,7 +84,7 @@ RUN set -eux; \
     ln -s /logs "${NEO4J_HOME}"/logs; \
     ln -s /startup/docker-entrypoint.sh /docker-entrypoint.sh
 
-ENV PATH "${NEO4J_HOME}"/bin:$PATH
+ENV PATH="${NEO4J_HOME}"/bin:$PATH
 
 WORKDIR "${NEO4J_HOME}"
 

docker-image-src/5/coredb/Dockerfile-debian

@@ -44,7 +44,7 @@ RUN apt update \
     && rm -rf /var/lib/apt/lists/* /su-exec
 
 
-ENV PATH "${NEO4J_HOME}"/bin:$PATH
+ENV PATH="${NEO4J_HOME}"/bin:$PATH
 
 WORKDIR "${NEO4J_HOME}"
 

docker-image-src/5/coredb/Dockerfile-ubi9

@@ -14,7 +14,11 @@ RUN set -eux; \
             ;; \
         *) echo >&2 "Neo4j does not currently have a docker image for architecture $arch"; exit 1 ;; \
     esac; \
+    openssl_url="https://www.openssl.org/source/openssl-3.0.9.tar.gz"; \
+    openssl_sha="eb1ab04781474360f77c318ab89d8c5a03abc38e63d65a603cabbf1b00a1dc90"; \
     microdnf install -y --nodocs \
+        apr \
+        crypto-policies-scripts \
         findutils \
         gcc \
         git \
@@ -23,6 +27,11 @@ RUN set -eux; \
         java-17-openjdk-headless \
         jq \
         make \
+        perl-Digest-SHA \
+        perl-File-Compare \
+        perl-File-Copy \
+        perl-FindBin \
+        perl-IPC-Cmd \
         procps \
         shadow-utils \
         tar \
@@ -33,20 +42,37 @@ RUN set -eux; \
     wget -q ${tini_url}.asc -O tini.asc; \
     echo "${tini_sha}"  /usr/bin/tini | sha256sum -c --strict --quiet; \
     chmod a+x /usr/bin/tini; \
+    wget -q ${openssl_url} -O /openssl.tar.gz; \
+    wget -q ${openssl_url}.asc -O /openssl.tar.gz.asc; \
+    # verify tini and openssl shasum and gpg signatures
+    echo ${openssl_sha} /openssl.tar.gz  | sha256sum -c; \
     export GNUPGHOME="$(mktemp -d)"; \
-    gpg --batch --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys \
-        595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7 \
-        B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+    gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys \
+        6380DC428747F6C393FEACA59A84159D7001A4E5 \
+        A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C; \
     gpg --batch --verify tini.asc /usr/bin/tini; \
+    gpg --batch --verify /openssl.tar.gz.asc /openssl.tar.gz; \
+    # install openssl
+    tar -xzf /openssl.tar.gz --directory /tmp; \
+    cd /tmp/openssl-3.0.9; \
+    ./Configure --prefix=/usr/local/openssl --openssldir=/usr/local/openssl enable-fips no-tests no-legacy shared; \
+    make install_sw install_ssldirs install_fips; \
+    if [ ${arch} = "aarch64" ]; \
+      then ldconfig /usr/local/openssl/lib; \
+      else ldconfig /usr/local/openssl/lib64; \
+    fi; \
+    cd /; \
+    # download, verify and install su-exec
     git clone https://github.com/ncopa/su-exec.git; \
     cd su-exec; \
     git checkout 4c3bb42b093f14da70d8ab924b487ccfbb1397af; \
     echo d6c40440609a23483f12eb6295b5191e94baf08298a856bab6e15b10c3b82891 su-exec.c | sha256sum -c; \
     echo 2a87af245eb125aca9305a0b1025525ac80825590800f047419dc57bba36b334 Makefile | sha256sum -c; \
     make; \
     mv /su-exec/su-exec /usr/bin/su-exec; \
+    # clean up build files and downloads
     gpgconf --kill all; \
-    rm -rf "$GNUPGHOME" /tini.asc /su-exec; \
+    rm -rf "$GNUPGHOME" /tini.asc /su-exec /openssl.tar.gz /openssl.tar.gz.asc /tmp/openssl*; \
     microdnf remove -y git* perl* make gcc glibc-headers glibc-devel libxcrypt-devel; \
     microdnf clean all
 
@@ -80,8 +106,7 @@ RUN set -eux; \
     ln -s /data "${NEO4J_HOME}"/data; \
     ln -s /logs "${NEO4J_HOME}"/logs
 
-ENV PATH "${NEO4J_HOME}"/bin:$PATH
-
+ENV PATH="${NEO4J_HOME}/bin:/usr/local/openssl/bin:$PATH"
 WORKDIR "${NEO4J_HOME}"
 
 VOLUME /data /logs

docker-image-src/5/coredb/docker-entrypoint.sh

@@ -250,7 +250,9 @@ function install_neo4j_plugins
 
 function add_docker_default_to_conf
 {
-    # docker defaults should NOT overwrite values already in the conf file
+    # configuration settings should have this order of priority:
+    # neo4j default < docker default < neo4j.conf < setting from environment
+    # Basically, docker defaults should NOT overwrite values already explicitly set in the conf files
     local _setting="${1}"
     local _value="${2}"
 
@@ -562,6 +564,46 @@ if [ "${NEO4J_EDITION}" == "enterprise" ];
    : ${NEO4J_server_cluster_raft_advertised__address:=${NEO4J_causal__clustering_raft__advertised__address:-}}
 fi
 
+
+# ==== CHECK IF OPENSSL FIPS MODE IS REQUESTED ====
+
+debug_msg "Deleting all netty-tcnative-boringssl jars"
+find "${NEO4J_HOME}"/lib/ -iname '*boringssl*.jar' -delete
+
+# configure for FIPS if requested
+if [[ ${NEO4J_OPENSSL_FIPS_ENABLE-} =~ [tT][rR][uU][eE] ]]
+then
+  echo "OpenSSL FIPS mode has been requested."
+  if ! grep -iq "Red Hat Enterprise Linux 9" /etc/os-release; then
+    echo >&2 "
+OpenSSL FIPS compatibility is only available in the Red Hat UBI9 Neo4j image.
+To fix this error, run the UBI9 based Neo4j docker image instead.
+See:
+* https://neo4j.com/docs/operations-manual/current/docker/introduction for more information about Neo4j base images.
+* https://neo4j.com/docs/operations-manual/current/security/ssl-framework about configuring SSL in Neo4j.
+    "
+    exit 1
+  fi
+  _arch_str=$(arch | sed 's/aarch64/aarch_64/g')
+  debug_msg "Copying ${NEO4J_HOME}/plugins/netty-tcnative/netty-tcnative-*-linux-${_arch_str}.jar to ${NEO4J_HOME}/lib/"
+  cp -p "${NEO4J_HOME}"/lib/netty-tcnative/netty-tcnative-*-linux-${_arch_str}.jar "${NEO4J_HOME}"/lib/
+  #netty_version=$(find "${NEO4J_HOME}"/lib/ -iname "netty-tcnative-classes-*" -print0 | tail -n 1 | sed -E 's/.*([0-9]+\.[0-9]+\.[0-9]+.*)\.jar/\1/g')
+  #debug_msg "Netty version detected as: \"${netty_version}\""
+  echo "Installing FIPS module into OpenSSL"
+  if [ "$(rpm --query --queryformat='%{ARCH}' rpm)" = "aarch64" ]; then
+    ln -s /usr/local/openssl/lib /usr/local/openssl/lib64
+  fi
+  ldconfig /usr/local/openssl/lib64
+  /usr/local/openssl/bin/openssl fipsinstall -out /usr/local/openssl/fipsmodule.cnf -module /usr/local/openssl/lib64/ossl-modules/fips.so
+  debug_msg "Configuring OpenSSL to run with FIPS enabled"
+  sed -i 's/# fips = fips_sect/fips = fips_sect/g' /usr/local/openssl/openssl.cnf
+  sed -i 's|# \.include fipsmodule\.cnf|\.include /usr/local/openssl/fipsmodule\.cnf|g' /usr/local/openssl/openssl.cnf
+  sed -i -E 's/# ?config_diagnostics = 1/config_diagnostics = 1/' /usr/local/openssl/openssl.cnf
+  sed -i -E 'N;s/\[default_sect\]\n# activate = 1/[default_sect\]\nactivate = 1/' /usr/local/openssl/openssl.cnf
+  sed -i -E 'N;s/providers = provider_sect/providers = provider_sect\nalg_section = algorithm_sect\n\n[algorithm_sect]\ndefault_properties = fips=yes/' /usr/local/openssl/openssl.cnf
+  add_docker_default_to_conf "dbms.netty.ssl.provider" "OPENSSL"
+fi
+
 # ==== SET CONFIGURATIONS ====
 
 ## == DOCKER SPECIFIC DEFAULT CONFIGURATIONS ===
@@ -586,7 +628,8 @@ fi
 
 # these are docker control envs that have the NEO4J_ prefix but we don't want to add to the config.
 not_configs=("NEO4J_ACCEPT_LICENSE_AGREEMENT" "NEO4J_AUTH" "NEO4J_AUTH_PATH" "NEO4J_DEBUG" "NEO4J_EDITION" \
-             "NEO4J_HOME" "NEO4J_PLUGINS" "NEO4J_SHA256" "NEO4J_TARBALL" "NEO4J_DEPRECATION_WARNING")
+             "NEO4J_HOME" "NEO4J_PLUGINS" "NEO4J_SHA256" "NEO4J_TARBALL" \
+             "NEO4J_DEPRECATION_WARNING" "NEO4J_OPENSSL_FIPS_ENABLE")
 
 debug_msg "Applying configuration settings that have been set using environment variables."
 # list env variables with prefix NEO4J_ and create settings from them

docker-image-src/5/neo4j-admin/Dockerfile-debian

@@ -37,7 +37,7 @@ RUN apt update \
     && apt-get -y purge --auto-remove curl
 
 
-ENV PATH "${NEO4J_HOME}"/bin:$PATH
+ENV PATH="${NEO4J_HOME}"/bin:$PATH
 VOLUME /data /backups
 WORKDIR "${NEO4J_HOME}"
 

docker-image-src/5/neo4j-admin/Dockerfile-ubi9

@@ -36,7 +36,7 @@ RUN set -eux; \
     ln -s /data "${NEO4J_HOME}"/data; \
     ln -s /startup/docker-entrypoint.sh /docker-entrypoint.sh
 
-ENV PATH "${NEO4J_HOME}"/bin:$PATH
+ENV PATH="${NEO4J_HOME}"/bin:$PATH
 VOLUME /data /backups
 WORKDIR "${NEO4J_HOME}"
 

pom.xml

@@ -35,6 +35,12 @@
                 <profile.include>BundleTest</profile.include>
             </properties>
         </profile>
+        <profile>
+            <id>all-tests</id>
+            <properties>
+                <profile.include></profile.include>
+            </properties>
+        </profile>
     </profiles>
 
 	<build>

src/test/java/com/neo4j/docker/coredb/TestBasic.java

@@ -22,6 +22,8 @@
 import org.testcontainers.containers.output.Slf4jLogConsumer;
 
 import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.time.Duration;
 import java.util.List;
 import java.util.stream.Stream;
@@ -263,4 +265,22 @@ void testContainerCanBeRestartedAfterUnexpectedTermination() throws IOException
             waitForBoltReady( Duration.ofSeconds( 90 ) ).waitUntilReady( container );
         }
     }
+
+    @Test
+    void testExtensionScriptIsExecuted() throws IOException
+    {
+        Path scriptFolder = temporaryFolderManager.createFolder("extension_script");
+        Path script = scriptFolder.resolve("startscript.sh");
+        Files.writeString(script, "#!/bin/bash\n\necho \"SCRIPT EXECUTED!\"");
+
+        try ( GenericContainer container = createBasicContainer() )
+        {
+            temporaryFolderManager.mountHostFolderAsVolume(container, scriptFolder, "/extension");
+            container.waitingFor(waitForBoltReady(Duration.ofSeconds(60)))
+                    .withEnv("EXTENSION_SCRIPT", "/extension/startscript.sh");
+            container.start();
+            String logs = container.getLogs(OutputFrame.OutputType.STDOUT);
+            Assertions.assertTrue(logs.contains("SCRIPT EXECUTED!"), "The extension script did not get executed");
+        }
+    }
 }