Merge pull request #745 from trade-tariff/HOTT-4446-pentest-remediation

HOTT-4446: Adds HEALTHCHECK

.env.development

@@ -3,4 +3,4 @@ DUTY_CALCULATOR_HOST=http://localhost:3002
 PORT=3002
 ROUTE_THROUGH_FRONTEND=false
 TRADE_TARIFF_FRONTEND_URL="http://localhost:3001/"
-WEB_CONCURRENCY=0
+WEB_CONCURRENCY=0

Dockerfile

@@ -11,10 +11,9 @@ RUN apk add --update --no-cache build-base git yarn tzdata && \
   cp /usr/share/zoneinfo/Europe/London /etc/localtime && \
   echo "Europe/London" > /etc/timezone
 
-RUN bundle config set without 'development test'
-
 # Install gems defined in Gemfile
 COPY .ruby-version Gemfile Gemfile.lock /app/
+RUN bundle config set without 'development test'
 RUN bundle install --jobs=4 --no-binstubs
 
 # Install node packages defined in package.json, including webpack
@@ -25,20 +24,20 @@ RUN yarn install --frozen-lockfile
 COPY . /app/
 
 ENV GOVUK_APP_DOMAIN=localhost \
-    GOVUK_WEBSITE_ROOT=http://localhost/ \
-    RAILS_ENV=production \
-    NODE_OPTIONS="--openssl-legacy-provider"
+  GOVUK_WEBSITE_ROOT=http://localhost/ \
+  RAILS_ENV=production \
+  NODE_OPTIONS="--openssl-legacy-provider"
 
 RUN bundle exec rails assets:precompile
 
 # Cleanup to save space in the production image
 RUN rm -rf node_modules log tmp && \
-      rm -rf /usr/local/bundle/cache && \
-      rm -rf .env && \
-      find /usr/local/bundle/gems -name "*.c" -delete && \
-      find /usr/local/bundle/gems -name "*.h" -delete && \
-      find /usr/local/bundle/gems -name "*.o" -delete && \
-      find /usr/local/bundle/gems -name "*.html" -delete
+  rm -rf /usr/local/bundle/cache && \
+  rm -rf .env && \
+  find /usr/local/bundle/gems -name "*.c" -delete && \
+  find /usr/local/bundle/gems -name "*.h" -delete && \
+  find /usr/local/bundle/gems -name "*.o" -delete && \
+  find /usr/local/bundle/gems -name "*.html" -delete
 
 # Build runtime image
 FROM ruby:3.2.2-alpine3.18 as production
@@ -50,15 +49,23 @@ RUN apk add --update --no-cache tzdata && \
 # The application runs from /app
 WORKDIR /app
 
-ENV GOVUK_APP_DOMAIN=localhost \
-    GOVUK_WEBSITE_ROOT=http://localhost/ \
-    RAILS_SERVE_STATIC_FILES=true \
-    RAILS_ENV=production
+ENV RAILS_SERVE_STATIC_FILES=true \
+  RAILS_ENV=production \
+  PORT=8080
 
 RUN bundle config set without 'development test'
 
 # Copy files generated in the builder image
 COPY --from=builder /app /app
 COPY --from=builder /usr/local/bundle/ /usr/local/bundle/
 
+RUN addgroup -S tariff && \
+  adduser -S tariff -G tariff && \
+  chown -R tariff:tariff /app && \
+  chown -R tariff:tariff /usr/local/bundle
+
+HEALTHCHECK CMD nc -z 0.0.0.0 $PORT
+
+USER tariff
+
 CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]

Makefile

@@ -0,0 +1,32 @@
+.PHONY: default build run clean
+
+IMAGE_NAME := trade-tariff-duty-calculator
+COMMON_ENV := --env-file ".env.development" \
+              -e 'SECRET_KEY_BASE="0620b2907b1cee61dbcf5cbbf4125c04bf5db3554c66589d40a9349b5abd5463a40f4a1a8c2db9b07c13715340ee3c94bbc24b1adb3140a20f702e9dc3d4fc0c"' \
+              -e 'GOVUK_APP_DOMAIN="localhost"' \
+              -e 'GOVUK_WEBSITE_ROOT="http://localhost/"' \
+              -e 'RAILS_ASSUME_SSL="false"'
+
+default: build run
+
+build:
+	docker build -t $(IMAGE_NAME) .
+
+run:
+	docker run \
+		--network=host \
+		--rm \
+		--name $(IMAGE_NAME) \
+		$(COMMON_ENV) \
+		$(IMAGE_NAME)
+
+clean:
+	docker rmi $(IMAGE_NAME)
+
+shell:
+	docker run \
+		--rm \
+		--name $(IMAGE_NAME)-shell \
+		$(COMMON_ENV) \
+		--no-healthcheck \
+		-it $(IMAGE_NAME) /bin/sh

config/environments/production.rb

@@ -32,7 +32,7 @@
 
   # Assume all access to the app is happening through a SSL-terminating reverse proxy.
   # Can be used together with config.force_ssl for Strict-Transport-Security and secure cookies.
-  config.assume_ssl = true
+  config.assume_ssl = ENV.fetch('RAILS_ASSUME_SSL', "true") == "true"
 
   # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
   # config.force_ssl = true