From 3b503f83fdaa3f49f31b654c6f4728f99491fb2a Mon Sep 17 00:00:00 2001
From: Arkadii Yakovets <ark@ccdatalab.org>
Date: Wed, 1 Nov 2023 16:10:50 -0700
Subject: [PATCH] Explicitly set permissions

---
 .dockerignore                                | 15 ++++++-------
 common/dockerfiles/Dockerfile.base           |  4 ++--
 common/dockerfiles/Dockerfile.common_tests   | 13 +++++++----
 common/dockerfiles/Dockerfile.migrations     |  9 ++++++--
 foreman/dockerfiles/Dockerfile.foreman       | 15 ++++++++-----
 workers/dockerfiles/Dockerfile.affymetrix    | 19 +++++++++-------
 workers/dockerfiles/Dockerfile.compendia     | 23 +++++++++++---------
 workers/dockerfiles/Dockerfile.downloaders   | 21 +++++++++++-------
 workers/dockerfiles/Dockerfile.illumina      | 21 ++++++++++--------
 workers/dockerfiles/Dockerfile.no_op         | 19 +++++++++-------
 workers/dockerfiles/Dockerfile.salmon        | 17 +++++++++------
 workers/dockerfiles/Dockerfile.smasher       | 17 +++++++++------
 workers/dockerfiles/Dockerfile.transcriptome | 15 ++++++++-----
 13 files changed, 124 insertions(+), 84 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index c2205b57e..d89f004d8 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,15 +1,14 @@
 .git
-*/batch-job-specs
-*/test_volume
-*/volume
+**/batch-job-templates
+**/dockerfiles
+**/environments
+**/test_volume
+**/volume
+**/volumes_postgres
 config/externally_supplied_metadata/metasra/*.tab
 config/externally_supplied_metadata/metasra/metasra_keywords.json
 config/externally_supplied_metadata/metasra/metasra_translated.json
 config/externally_supplied_metadata/metasra/SRAmetadb.sqlite
 dr_env
 env/
-infrastructure/
-terraform/
-test_volume
-volume
-volumes_postgres/
+infrastructure
diff --git a/common/dockerfiles/Dockerfile.base b/common/dockerfiles/Dockerfile.base
index ad21342e6..e7b7b703a 100644
--- a/common/dockerfiles/Dockerfile.base
+++ b/common/dockerfiles/Dockerfile.base
@@ -67,7 +67,7 @@ EOF
 
 ENV R_LIBS=/usr/local/lib/R/site-library
 
-COPY config/ config/
-COPY setup.cfg .
+COPY --chmod=644 config/ config/
+COPY --chmod=644 setup.cfg .
 
 ENTRYPOINT []
diff --git a/common/dockerfiles/Dockerfile.common_tests b/common/dockerfiles/Dockerfile.common_tests
index 3d5cf4f05..81dd947a4 100644
--- a/common/dockerfiles/Dockerfile.common_tests
+++ b/common/dockerfiles/Dockerfile.common_tests
@@ -7,17 +7,22 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /home/user
 
-COPY common/R/dependencies/common_tests/renv.lock .
-COPY common/R/renv_load.R renv_load_common_tests.R
+COPY --chmod=644 common/R/dependencies/common_tests/renv.lock .
+COPY --chmod=644 common/R/renv_load.R renv_load_common_tests.R
 RUN Rscript renv_load_common_tests.R
 
-COPY common/requirements.txt .
+COPY --chmod=644 common/requirements.txt .
 RUN pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 
-COPY common/ .
+COPY --chmod=644 common/ .
 
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
 
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
+
 USER user
 
 ENTRYPOINT []
diff --git a/common/dockerfiles/Dockerfile.migrations b/common/dockerfiles/Dockerfile.migrations
index 516ce642b..603997c72 100644
--- a/common/dockerfiles/Dockerfile.migrations
+++ b/common/dockerfiles/Dockerfile.migrations
@@ -7,13 +7,18 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /home/user
 
-COPY common/requirements.txt .
+COPY --chmod=644 common/requirements.txt .
 RUN pip install --ignore-installed --no-cache-dir -r requirements.txt
 
-COPY common/ .
+COPY --chmod=644 common/ .
 
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
 
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
+
 USER user
 
 ENTRYPOINT []
diff --git a/foreman/dockerfiles/Dockerfile.foreman b/foreman/dockerfiles/Dockerfile.foreman
index baf0cad7d..24cea88ae 100644
--- a/foreman/dockerfiles/Dockerfile.foreman
+++ b/foreman/dockerfiles/Dockerfile.foreman
@@ -7,9 +7,9 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /home/user
 
-COPY foreman/requirements.txt .
+COPY --chmod=644 foreman/requirements.txt .
 RUN <<EOF
-mkdir -p data/microarray
+mkdir -m 755 -p data/microarray
 wget -q https://gbnci.cancer.gov/geo/GEOmetadb.sqlite.gz -O data/microarray/GEOmetadb.sqlite.gz
 gunzip data/microarray/GEOmetadb.sqlite.gz
 chmod 644 data/microarray/GEOmetadb.sqlite
@@ -17,14 +17,19 @@ pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 EOF
 
 # Get the latest version from the dist directory.
-COPY common/dist/data-refinery-common-* common/
+COPY --chmod=644 common/dist/data-refinery-common-* common/
 RUN pip3 install --ignore-installed --no-cache-dir common/$(ls common -1 | sort --version-sort | tail -1)
 
-COPY .boto .boto
-COPY foreman/ .
+COPY --chmod=644 .boto .boto
+COPY --chmod=644 foreman/ .
 
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
 
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
+
 USER user
 
 ENTRYPOINT []
diff --git a/workers/dockerfiles/Dockerfile.affymetrix b/workers/dockerfiles/Dockerfile.affymetrix
index 478d377a5..979dc15d8 100644
--- a/workers/dockerfiles/Dockerfile.affymetrix
+++ b/workers/dockerfiles/Dockerfile.affymetrix
@@ -7,24 +7,27 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /home/user
 
-COPY workers/R/dependencies/affymetrix/renv.lock .
-COPY common/R/renv_load.R renv_load_affymetrix.R
+COPY --chmod=644 workers/R/dependencies/affymetrix/renv.lock .
+COPY --chmod=644 common/R/renv_load.R renv_load_affymetrix.R
 RUN Rscript renv_load_affymetrix.R
 
-COPY workers/R/dependencies/affymetrix/install_ensg_pkgs.R .
+COPY --chmod=644 workers/R/dependencies/affymetrix/install_ensg_pkgs.R .
 RUN Rscript install_ensg_pkgs.R
 
-COPY workers/data_refinery_workers/processors/requirements.txt .
+COPY --chmod=644 workers/data_refinery_workers/processors/requirements.txt .
 RUN pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 
 # Get the latest version from the dist directory.
-COPY common/dist/data-refinery-common-* common/
+COPY --chmod=644 common/dist/data-refinery-common-* common/
 RUN pip3 install --ignore-installed --no-cache-dir common/$(ls common -1 | sort --version-sort | tail -1)
 
-COPY .boto .boto
-COPY workers/ .
+COPY --chmod=644 .boto .boto
+COPY --chmod=644 workers/ .
 
-RUN rm -rf /root/.cache/*
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
 
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
 
diff --git a/workers/dockerfiles/Dockerfile.compendia b/workers/dockerfiles/Dockerfile.compendia
index e4f3cf557..23fb06903 100644
--- a/workers/dockerfiles/Dockerfile.compendia
+++ b/workers/dockerfiles/Dockerfile.compendia
@@ -68,14 +68,14 @@ WORKDIR /home/user
 
 ENV R_LIBS=/usr/local/lib/R/site-library
 
-COPY workers/R/dependencies/compendia/renv.lock .
-COPY common/R/renv_load.R renv_load_compendia.R
+COPY --chmod=644 workers/R/dependencies/compendia/renv.lock .
+COPY --chmod=644 common/R/renv_load.R renv_load_compendia.R
 RUN Rscript renv_load_compendia.R
 
-COPY workers/data_refinery_workers/requirements/compendia.txt requirements.txt
+COPY --chmod=644 workers/data_refinery_workers/requirements/compendia.txt requirements.txt
 RUN pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 
-COPY workers/data_refinery_workers/processors/requirements.txt requirements.txt
+COPY --chmod=644 workers/data_refinery_workers/processors/requirements.txt requirements.txt
 RUN pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 
 # Install phantomjs.
@@ -87,15 +87,18 @@ rm phantomjs-2.1.1-linux-x86_64.tar.bz2
 EOF
 
 # Get the latest version from the dist directory.
-COPY common/dist/data-refinery-common-* common/
+COPY --chmod=644 common/dist/data-refinery-common-* common/
 RUN pip3 install --ignore-installed --no-cache-dir common/$(ls common -1 | sort --version-sort | tail -1)
 
-COPY .boto .boto
-COPY config/ config/
-COPY setup.cfg .
-COPY workers/ .
+COPY --chmod=644 .boto .boto
+COPY --chmod=644 config/ config/
+COPY --chmod=644 setup.cfg .
+COPY --chmod=644 workers/ .
 
-RUN rm -rf /root/.cache/*
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
 
 ARG SYSTEM_VERSION
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
diff --git a/workers/dockerfiles/Dockerfile.downloaders b/workers/dockerfiles/Dockerfile.downloaders
index cdedb2b60..a7788acbc 100644
--- a/workers/dockerfiles/Dockerfile.downloaders
+++ b/workers/dockerfiles/Dockerfile.downloaders
@@ -7,11 +7,11 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /home/user
 
-COPY workers/R/dependencies/downloaders/renv.lock .
-COPY common/R/renv_load.R renv_load_downloaders.R
+COPY --chmod=644 workers/R/dependencies/downloaders/renv.lock .
+COPY --chmod=644 common/R/renv_load.R renv_load_downloaders.R
 RUN Rscript renv_load_downloaders.R
 
-COPY workers/data_refinery_workers/downloaders/requirements.txt .
+COPY --chmod=644 workers/data_refinery_workers/downloaders/requirements.txt .
 RUN pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 
 # Install Aspera.
@@ -23,8 +23,10 @@ EOF
 
 USER user
 
+ENV GNUPG_PATH=/home/user/.gnupg
+
 RUN <<EOF
-mkdir -m 700 /home/user/.gnupg
+mkdir -m 700 ${GNUPG_PATH}
 # Disable IPv6 to avoid "Cannot assign requested address" error.
 echo "disable-ipv6" >> /home/user/.gnupg/dirmngr.conf
 . /home/user/rvm/scripts/rvm
@@ -34,13 +36,16 @@ EOF
 USER root
 
 # Get the latest version from the dist directory.
-COPY common/dist/data-refinery-common-* common/
+COPY --chmod=644 common/dist/data-refinery-common-* common/
 RUN pip3 install --ignore-installed --no-cache-dir common/$(ls common -1 | sort --version-sort | tail -1)
 
-COPY .boto .boto
-COPY workers/ .
+COPY --chmod=644 .boto .boto
+COPY --chmod=644 workers/ .
 
-RUN rm -rf /root/.cache/*
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -path ${GNUPG_PATH} -prune -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
 
 ENV PATH="$PATH:/home/user/.aspera/sdk"
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
diff --git a/workers/dockerfiles/Dockerfile.illumina b/workers/dockerfiles/Dockerfile.illumina
index 54ac5539a..63ea79189 100644
--- a/workers/dockerfiles/Dockerfile.illumina
+++ b/workers/dockerfiles/Dockerfile.illumina
@@ -7,23 +7,26 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /home/user
 
-COPY workers/R/dependencies/illumina/renv.lock .
-COPY common/R/renv_load.R renv_load_illumina.R
+COPY --chmod=644 workers/R/dependencies/illumina/renv.lock .
+COPY --chmod=644 common/R/renv_load.R renv_load_illumina.R
 RUN Rscript renv_load_illumina.R
 
-COPY workers/data_refinery_workers/processors/requirements.txt .
+COPY --chmod=644 workers/data_refinery_workers/processors/requirements.txt .
 RUN pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 
 # Get the latest version from the dist directory.
-COPY common/dist/data-refinery-common-* common/
+COPY --chmod=644 common/dist/data-refinery-common-* common/
 RUN pip3 install --ignore-installed --no-cache-dir common/$(ls common -1 | sort --version-sort | tail -1)
 
-COPY .boto .boto
-COPY workers/ .
-COPY workers/data_refinery_workers/processors/detect_database.R .
-COPY workers/illumina_probe_maps/ probe_maps/
+COPY --chmod=644 .boto .boto
+COPY --chmod=644 workers/ .
+COPY --chmod=644 workers/data_refinery_workers/processors/detect_database.R .
+COPY --chmod=644 workers/illumina_probe_maps/ probe_maps/
 
-RUN rm -rf /root/.cache/*
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
 
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
 
diff --git a/workers/dockerfiles/Dockerfile.no_op b/workers/dockerfiles/Dockerfile.no_op
index 60ee5b814..5719e59c8 100644
--- a/workers/dockerfiles/Dockerfile.no_op
+++ b/workers/dockerfiles/Dockerfile.no_op
@@ -7,15 +7,15 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /home/user
 
-COPY workers/R/dependencies/no_op/renv.lock .
-COPY common/R/renv_load.R renv_load_no_op.R
+COPY --chmod=644 workers/R/dependencies/no_op/renv.lock .
+COPY --chmod=644 common/R/renv_load.R renv_load_no_op.R
 RUN Rscript renv_load_no_op.R
 
-COPY workers/data_refinery_workers/processors/requirements.txt .
+COPY --chmod=644 workers/data_refinery_workers/processors/requirements.txt .
 RUN pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 
 # Noop-specific.
-RUN mkdir -p gene_indexes
+RUN mkdir -m 755 -p gene_indexes
 WORKDIR /home/user/gene_indexes
 ENV ID_REFINERY_URL=https://zenodo.org/records/1410647/files/all_1536267482.zip
 RUN <<EOF
@@ -29,13 +29,16 @@ EOF
 WORKDIR /home/user
 
 # Get the latest version from the dist directory.
-COPY common/dist/data-refinery-common-* common/
+COPY --chmod=644 common/dist/data-refinery-common-* common/
 RUN pip3 install --ignore-installed --no-cache-dir common/$(ls common -1 | sort --version-sort | tail -1)
 
-COPY .boto .boto
-COPY workers/ .
+COPY --chmod=644 .boto .boto
+COPY --chmod=644 workers/ .
 
-RUN rm -rf /root/.cache/*
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
 
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
 
diff --git a/workers/dockerfiles/Dockerfile.salmon b/workers/dockerfiles/Dockerfile.salmon
index 4a103f8b2..6ad2247fe 100644
--- a/workers/dockerfiles/Dockerfile.salmon
+++ b/workers/dockerfiles/Dockerfile.salmon
@@ -7,11 +7,11 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /home/user
 
-COPY workers/R/dependencies/salmon/renv.lock .
-COPY common/R/renv_load.R renv_load_salmon.R
+COPY --chmod=644 workers/R/dependencies/salmon/renv.lock .
+COPY --chmod=644 common/R/renv_load.R renv_load_salmon.R
 RUN Rscript renv_load_salmon.R
 
-COPY workers/data_refinery_workers/processors/requirements.txt .
+COPY --chmod=644 workers/data_refinery_workers/processors/requirements.txt .
 RUN pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 
 # Install Salmon
@@ -50,13 +50,16 @@ rm "sratoolkit.${SRA_VERSION}-ubuntu64.tar.gz"
 EOF
 
 # Get the latest version from the dist directory.
-COPY common/dist/data-refinery-common-* common/
+COPY --chmod=644 common/dist/data-refinery-common-* common/
 RUN pip3 install --ignore-installed --no-cache-dir common/$(ls common -1 | sort --version-sort | tail -1)
 
-COPY .boto .boto
-COPY workers/ .
+COPY --chmod=644 .boto .boto
+COPY --chmod=644 workers/ .
 
-RUN rm -rf /root/.cache/*
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
 
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
 
diff --git a/workers/dockerfiles/Dockerfile.smasher b/workers/dockerfiles/Dockerfile.smasher
index a89196d42..d0cbd2525 100644
--- a/workers/dockerfiles/Dockerfile.smasher
+++ b/workers/dockerfiles/Dockerfile.smasher
@@ -7,21 +7,24 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 WORKDIR /home/user
 
-COPY workers/R/dependencies/smasher/renv.lock .
-COPY common/R/renv_load.R renv_load_smasher.R
+COPY --chmod=644 workers/R/dependencies/smasher/renv.lock .
+COPY --chmod=644 common/R/renv_load.R renv_load_smasher.R
 RUN Rscript renv_load_smasher.R
 
-COPY workers/data_refinery_workers/processors/requirements.txt .
+COPY --chmod=644 workers/data_refinery_workers/processors/requirements.txt .
 RUN pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 
 # Get the latest version from the dist directory.
-COPY common/dist/data-refinery-common-* common/
+COPY --chmod=644 common/dist/data-refinery-common-* common/
 RUN pip3 install --ignore-installed --no-cache-dir common/$(ls common -1 | sort --version-sort | tail -1)
 
-COPY .boto .boto
-COPY workers/ .
+COPY --chmod=644 .boto .boto
+COPY --chmod=644 workers/ .
 
-RUN rm -rf /root/.cache/*
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
 
 ENV SYSTEM_VERSION=$SYSTEM_VERSION
 
diff --git a/workers/dockerfiles/Dockerfile.transcriptome b/workers/dockerfiles/Dockerfile.transcriptome
index 766065870..3721234da 100644
--- a/workers/dockerfiles/Dockerfile.transcriptome
+++ b/workers/dockerfiles/Dockerfile.transcriptome
@@ -14,7 +14,7 @@ WORKDIR /home/user
 # all samples from incomplete experiments must have salmon run on them again.
 ENV SALMON_VERSION=0.13.1
 
-COPY workers/data_refinery_workers/processors/requirements.txt .
+COPY --chmod=644 workers/data_refinery_workers/processors/requirements.txt .
 # Salmon can extract to a different directory than the name of the tar file.
 RUN <<EOF
 wget -q "https://github.com/COMBINE-lab/salmon/releases/download/v${SALMON_VERSION}/Salmon-${SALMON_VERSION}_linux_x86_64.tar.gz"
@@ -25,7 +25,7 @@ rm -r Salmon*
 EOF
 # End Salmon installation.
 
-COPY workers/data_refinery_workers/processors/requirements.txt .
+COPY --chmod=644 workers/data_refinery_workers/processors/requirements.txt .
 RUN <<EOF
 pip3 install --ignore-installed --no-cache-dir -r requirements.txt
 git clone https://github.com/deweylab/RSEM.git
@@ -33,13 +33,16 @@ cd RSEM && make install
 rm -rf RSEM
 EOF
 
-COPY common/dist/data-refinery-common-* common/
+COPY --chmod=644 common/dist/data-refinery-common-* common/
 RUN pip3 install --ignore-installed --no-cache-dir common/$(ls common -1 | sort --version-sort | tail -1)
 
-COPY .boto .boto
-COPY workers/ .
+COPY --chmod=644 .boto .boto
+COPY --chmod=644 workers/ .
 
-RUN rm -rf /root/.cache/*
+RUN <<EOF
+rm -rf /root/.cache/*
+find /home/user -type d ! -perm 755 -exec chmod 755 {} \;
+EOF
 
 ENV SYSTEM_VERSION=$SYSTEM_VERSION