fix: avoid breaking changes by falling back to copying the identity cert to a location that doesn't require root

2025-04-05 05:00:19 -05:00 · 2025-03-04 12:52:51 -08:00 · 2025-03-04 12:52:51 -08:00 · faf9befdf5
commit faf9befdf5
parent bebb8a4ab9
3 changed files with 31 additions and 6 deletions
--- a/bitwarden_license/src/Scim/entrypoint.sh
+++ b/bitwarden_license/src/Scim/entrypoint.sh
@ -58,4 +58,17 @@ if [[ -f "/etc/bitwarden/kerberos/bitwarden.keytab" && -f "/etc/bitwarden/kerber
    $gosu_cmd kinit $globalSettings__kerberosUser -k -t /etc/bitwarden/kerberos/bitwarden.keytab
 fi

+if [[ $globalSettings__selfHosted == "true" ]]; then
+    cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx || \
+        {
+            # infer a non-root location for the certificate
+            if [[ -z $globalSettings__identityServer__certificateLocation ]]; then
+                export globalSettings__identityServer__certificateLocation=/home/app/config/identity.pfx
+            fi
+            # copy the certificate to the non-root location to avoid permission issues
+            mkdir -p "$(dirname "$globalSettings__identityServer__certificateLocation")"
+            cp /etc/bitwarden/identity/identity.pfx "$globalSettings__identityServer__certificateLocation"
+        }
+fi
+
 exec $gosu_cmd /app/"${PROJECT_NAME}"
--- a/bitwarden_license/src/Sso/entrypoint.sh
+++ b/bitwarden_license/src/Sso/entrypoint.sh
@ -60,9 +60,15 @@ fi

 if [[ $globalSettings__selfHosted == "true" ]]; then
    cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx || \
-        if [[ -z $globalSettings__identityServer__certificateLocation ]]; then
-            export globalSettings__identityServer__certificateLocation=/home/app/config/identity.pfx
-        fi
+        {
+            # infer a non-root location for the certificate
+            if [[ -z $globalSettings__identityServer__certificateLocation ]]; then
+                export globalSettings__identityServer__certificateLocation=/home/app/config/identity.pfx
+            fi
+            # copy the certificate to the non-root location to avoid permission issues
+            mkdir -p "$(dirname "$globalSettings__identityServer__certificateLocation")"
+            cp /etc/bitwarden/identity/identity.pfx "$globalSettings__identityServer__certificateLocation"
+        }
 fi

 exec $gosu_cmd /app/"${PROJECT_NAME}"
--- a/src/Identity/entrypoint.sh
+++ b/src/Identity/entrypoint.sh
@ -60,9 +60,15 @@ fi

 if [[ $globalSettings__selfHosted == "true" ]]; then
    cp /etc/bitwarden/identity/identity.pfx /app/identity.pfx || \
-        if [[ -z $globalSettings__identityServer__certificateLocation ]]; then
-            export globalSettings__identityServer__certificateLocation=/home/app/config/identity.pfx
-        fi
+        {
+            # infer a non-root location for the certificate
+            if [[ -z $globalSettings__identityServer__certificateLocation ]]; then
+                export globalSettings__identityServer__certificateLocation=/home/app/config/identity.pfx
+            fi
+            # copy the certificate to the non-root location to avoid permission issues
+            mkdir -p "$(dirname "$globalSettings__identityServer__certificateLocation")"
+            cp /etc/bitwarden/identity/identity.pfx "$globalSettings__identityServer__certificateLocation"
+        }
 fi

 exec $gosu_cmd /app/"${PROJECT_NAME}"