Merge branch 'master' into feature/leitor-a3

# Conflicts:
#	Dockerfile

.dockerignore

@@ -0,0 +1,2 @@
+/var/cache/apt/*
+/var/lib/apt/lists/*

.env.dist

@@ -0,0 +1,3 @@
+HOSTNAME=Enterprise
+XAUTHORITY=~/.Xauthority
+BANKFILES=~/Investimentos

Dockerfile

@@ -1,12 +1,8 @@
 # Run Warsaw in a container
-
 # Base docker image
-FROM ubuntu:latest
-LABEL maintainer "Fabio Rodrigues Ribeiro <[email protected]>"
+FROM debian:buster-slim
 
-COPY startup.sh /home/ff/
-
-# Install Firefox
+LABEL maintainer "Fabio Rodrigues Ribeiro <[email protected]>"
 
 ADD	\
 	# https://s3-sa-east-1.amazonaws.com/shared-www.validcertificadora.com.br/libjbig0_2.0-2_amd64.deb \
@@ -20,37 +16,66 @@ ADD	\
 	http://www.digitalsigncertificadora.com.br/repositorio/downloads/SafeSignIC3.0.116-x86_64-ub14-tc-admin.deb \
 	/src/
 
-RUN apt-get update \
-	&& apt-get upgrade -y \
-	&& apt-get install -y \
-	language-pack-pt \
-	openssl \
-	libnss3-tools \
-	firefox \
-	firefox-locale-pt \
-	xauth \
-	opensc \
-	libopensc-openssl \
-	pcscd \
-	pcsc-tools \
-	--no-install-recommends \
-	&& apt -y install /src/*.deb \
-	&& groupadd -g 1000 -r ff \
-	&& useradd -u 1000 -r -g ff -G audio,video ff -d /home/ff \
-	&& chmod 744 /home/ff/startup.sh \
-	&& chown -R ff:ff /home/ff \
-	&& passwd -d root \
-	&& apt-get purge --auto-remove -y \
-	&& rm -rf /var/lib/apt/lists/* \
-	&& rm -rf /src/*.deb
 
 ADD https://cloud.gastecnologia.com.br/cef/warsaw/install/GBPCEFwr64.deb /src/
 
 # Run firefox as non privileged user
 USER ff
 
 # Add volume for recipes PDFs
+ENV USER=ff
+
+ENV GUID=1000
+
+ENV LANG="pt_BR.UTF-8 UTF-8"
+
+RUN apt-get update && \
+	apt-get install -y --no-install-recommends \
+		locales \
+		tzdata \
+		ca-certificates \
+		firefox-esr \
+		firefox-esr-l10n-pt-br \
+		libnss3-tools \
+		openssl \
+		procps \
+		python-gpg \
+		python-openssl \
+		python3 \
+		xauth \
+		zenity \
+		opensc \
+		libopensc-openssl \
+		pcscd \
+		pcsc-tools
+
+# Setup locale
+RUN echo ${LANG} > /etc/locale.gen \
+	&& locale-gen
+
+# Downloading warsaw
+RUN mkdir -p /src
+
+# Configuring the environment
+RUN mkdir -p /home/${USER} \
+	&& groupadd -g ${GUID} -r ${USER} \
+	&& useradd -u ${GUID} -r -g ${USER} -G audio,video ${USER} -d /home/${USER} \
+	&& chown -R ${GUID}:${GUID} /home/${USER} \
+	# Cleanup
+	&& apt autoremove -y \
+	&& apt clean
+
+RUN apt -y install /src/GBPCEFwr64.deb || :
+
+COPY root.sh /usr/local/bin/
+
+COPY startup.sh /usr/local/bin/
+
+RUN chmod 700 /usr/local/bin/root.sh \
+    && chmod 755 /usr/local/bin/startup.sh
+
+# Add volume for receipts PDFs
 VOLUME "/home/ff/Downloads"
 
-# Autorun chrome
-CMD [ "/home/ff/startup.sh" ]
+# Autorun Firefox
+ENTRYPOINT /usr/local/bin/root.sh

README.md

@@ -1,6 +1,16 @@
 # wscef-docker
 
-Warsaw in docker container
+[![Join the chat at https://gitter.im/farribeiro/wscef-docker](https://badges.gitter.im/farribeiro/wscef-docker.svg)](https://gitter.im/farribeiro/wscef-docker?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+
+Warsaw in docker container. Warsaw is a security module, a.k.a Guardião, for brazilian
+internet banking. This project is compatible of Banco do Brasil, Caixa Econômica
+Federal and Sicredi.
+
+## Pre-requisites
+
+- Docker and Docker-Compose of your distro.
+- Set BANKFILES variable (as `export BANKFILES=/home/ff/Downloads/Bankfiles`) to prevent volume creation error
+- For transparency, privacy and security NEVER USE ANY PRE-BUILT DOCKER IMAGE FROM THIS PROJECT. Obtain a copy of the source code of this repository, check the content and build your own image.
 
 ## Instructions
 
@@ -9,14 +19,23 @@ since environments and volumes are set on `docker-compose.yml`.
 
 **To build:** `docker-compose build wscef`
 
-**To pulling existing image:** `docker-compose pull`
-
 **To first run:** `docker-compose run --name wscef wscef`
 
-**To other runs:** `docker start -a wscef`
+**To other runs:** `docker start -i -a wscef`
+
+**To purge everthing:** `docker-compose down --rmi all`, thanks[1]
+
+**To force replace the container:** `docker-compose up --force-recreate`, thanks[1]
+
+**PS:** Reports that the warsaw daemon for CEF works for:
+- BB site: https://github.com/farribeiro/wscef-docker/issues/9#issuecomment-308244119 
+- Sicredi ( https://github.com/farribeiro/wscef-docker/pull/72#issuecomment-573244722)
+
+~~**PS:** you must run Docker using a GNU/Linux distro running xorg.
+Be aware some installations may run another display server, such as Wayland.~~
+
+The latest firefox release support wayland, not tested with xauth
 
-**PS:** Reports that the warsaw daemon for CEF works for the BB site:
-https://github.com/farribeiro/wscef-docker/issues/9#issuecomment-308244119
+**PS:** The root password is **wscef** by https://github.com/farribeiro/wscef-docker/issues/29
 
-**PS:** you must run Docker using a GNU/Linux distro running xorg.
-Be aware some installations may run another display server, such as Wayland. 
+[1] https://github.com/jsalatiel/wsbb-docker/commit/72e42bb5f04fbe8eb1f7f3e6226975aba137dcb5#diff-3254677a7917c6c01f55212f86c57fbf

docker-compose.yml

@@ -1,18 +1,31 @@
-version: '2'
+version: '3.7'
 services:
   wscef:
+    container_name: wscef
     image: farribeiro/wscef-docker
     build: .
-    devices:
-      - /dev/snd:/dev/snd
+    init: true
+    cap_drop:
+      - ALL
+    cap_add:
+      - SETUID
+      - SETGID
+      - AUDIT_WRITE
+      - DAC_OVERRIDE
+    security_opt:
+      - no-new-privileges:true
     environment:
+      - LANG=pt_BR.UTF-8
+      - TZ=${TZ}
       - DISPLAY=${DISPLAY}
-      - XAUTHORITY=/home/ff/.Xauthority
-      - HOST_HOSTNAME=${HOSTNAME}
-    cpuset: '0'
-    mem_limit: 512M
+    deploy:
+      resources:
+        limits:
+          cpus: '0.50'
+          memory: 512M
+    shm_size: 2g
     volumes:
-      - /dev/shm:/dev/shm
       - /tmp/.X11-unix:/tmp/.X11-unix
       - ${XAUTHORITY}:/tmp/.docker.xauth:ro
-      - ~/BankFiles:/home/ff/Downloads
+      - ${BANKFILES}:/home/ff/Downloads
+      - /etc/machine-id:/etc/machine-id:ro

root.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+/etc/init.d/warsaw start
+
+# Run Firefox as non privileged user
+setpriv --reuid=ff --regid=ff --init-groups --inh-caps=-all --reset-env env DISPLAY=$DISPLAY LANG=$LANG TZ=$TZ startup.sh

startup.sh

@@ -1,27 +1,14 @@
 #!/bin/bash
 
-export LANG="pt_BR.UTF-8"
+runx() {
+    XAUTHORITY=/tmp/auth "$@"
+}
 
-if [ -n "${XAUTHORITY}" ] && [ -n "${HOST_HOSTNAME}" ]
-then
-  if [ "${HOSTNAME}" != "${HOST_HOSTNAME}" ]
-  then
-    [ -f ${XAUTHORITY} ] || touch ${XAUTHORITY}
-    xauth add ${HOSTNAME}/unix${DISPLAY} . \
-    $(xauth -f /tmp/.docker.xauth list ${HOST_HOSTNAME}/unix${DISPLAY} | awk '{ print $NF }')
-  else
-    cp /tmp/.docker.xauth ${XAUTHORITY}
-  fi
-fi
-
-if [ ! -d ~/.mozilla ]
-then
-  firefox -CreateProfile default \
-  && su -c "apt update && apt -y upgrade && apt -y install /src/GBPCEFwr64.deb"
-else
-  su -c "/etc/init.d/warsaw start"
-fi
+cp /tmp/.docker.xauth /tmp/auth
+runx xauth add ${HOSTNAME}/unix${DISPLAY} . $(runx xauth list | awk '$1 !~ /localhost/ {print $3; exit}')
+runx xauth generate $DISPLAY . untrusted timeout 0
 
 su -c "/etc/init.d/pcscd start"
 /usr/local/bin/warsaw/core \
-&& firefox -private-window www.caixa.gov.br
+&& runx firefox -no-remote -CreateProfile default \
+&& runx firefox -no-remote -private-window --class CaixaEconomica --name CaixaEconomica https://www.caixa.gov.br