feat: add tmce plugin

Include the jar plugin as encrypted file inside the webapp container
image.
Add an entrypoint script that decrypts the jar when the container is
started.

Subscribe also to subscription-change event to adapt the environment.

build-images.sh

@@ -63,9 +63,19 @@ pecbridge_tmp_dir=$(mktemp -d)
 cleanup_list+=("${pecbridge_tmp_dir}")
 tar -C "${pecbridge_tmp_dir}" -x -v -z -f pecbridge-*.tar.gz
 
+# Download tmce plugin jar: plugin is encrypted with GPG, the password is 'subscription'
+tmce_jar_url="https://distfeed.nethserver.org/webtop/webtop-tmceplugins-6.3.1.0.jar.gpg"
+tmce_jar_path="${PWD}/webtop-tmceplugins-6.3.1.0.jar.gpg"
+echo "Downloading encrypted tmce plugin jar from ${tmce_jar_url}..."
+curl --fail -L -o "${tmce_jar_path}" "${tmce_jar_url}"
+
 #Create webtop-webapp container
 reponame="webtop-webapp"
 container=$(buildah from docker.io/library/tomcat:8-jre8)
+buildah run ${container} apt-get update
+buildah run ${container} apt-get install -y gpg
+buildah run ${container} apt-get clean
+buildah run ${container} rm -rf /var/lib/apt/lists/*
 buildah add ${container} ${webapp_tmp_dir}/webtop /usr/local/tomcat/webapps/webtop/
 buildah add ${container} ${PWD}/webtop5-build/webtop-login/ /usr/local/tomcat/webapps/webtop/WEB-INF/classes/
 buildah add ${container} ${jcharset_tmp_dir}/jcharset-2.0.jar /usr/local/tomcat/webapps/webtop/lib/
@@ -75,6 +85,8 @@ buildah add ${container} ${PWD}/zfaker/wrappers/php /usr/share/webtop/bin/php
 buildah add ${container} ${PWD}/zfaker/wrappers/z-push-admin-wapper /usr/share/webtop/bin/z-push-admin-wrapper
 buildah add ${container} ${pecbridge_tmp_dir}/pecbridge /usr/share/pecbridge
 buildah add ${container} ${PWD}/webapp/ /
+buildah add ${container} "${tmce_jar_path}" /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar.gpg
+buildah config --entrypoint=/entrypoint.sh ${container}
 # Commit the image
 buildah commit --rm "${container}" "${repobase}/${reponame}"
 

imageroot/actions/configure-module/30subscription

@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import agent
+
+rdb = agent.redis_connect(privileged=False)
+
+subscription = rdb.hgetall('cluster/subscription')
+
+with open('subscription.env', 'w') as env:
+    if subscription:
+        env.write(f'VALID_SUBSCRIPTION=true\n')
+    else:
+        env.write(f'VALID_SUBSCRIPTION=false\n')
+

imageroot/events/subscription-changed/30subscription

@@ -0,0 +1 @@
+../../actions/configure-module/30subscription

imageroot/events/subscription-changed/70restart

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+systemctl --user restart webapp

imageroot/systemd/user/webapp.service

@@ -22,6 +22,7 @@ ExecStart=/usr/bin/podman run \
 			 -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true \
 			 -Dmail.mime.address.strict=false -Dwebtop.etc.dir=/etc/webtop \
 			 -Duser.timezone=${WEBTOP_TIMEZONE}" \
+    --env-file=%S/state/subscription.env \
     --volume=webtop-home:/var/lib/nethserver/webtop \
     --volume=./webtop.properties:/etc/webtop/webtop.properties:z \
     --pod=webtop \

webapp/entrypoint.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+# Enable tmce plugin only if subscription is enabled
+
+# Decrypt tmce plugins jar if subscription is enabled
+if [ "VALID_SUBSCRIPTION=true" ]; then
+    gpg --batch --yes --passphrase 'subscription' -d -o /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar  \
+        /usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar.gpg
+fi