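# Back-end vulnerable Tomcat for CVE-2026-24880.
# TOMCAT_TAG selects the build: 9.0.115 = last vulnerable, 9.0.116 = first fixed (negative control).
# Image tags can be re-pushed upstream. To keep the vulnerable/fixed comparison reproducible,
# record the resolved digest with the lab results or pin it: tomcat:<tag>@sha256:<digest>.
ARG TOMCAT_TAG=9.0.115-jdk17-temurin
FROM tomcat:${TOMCAT_TAG}

# Compile the tiny lab servlet against the API jars shipped in Tomcat's lib directory:
# servlet-api.jar is required, tomcat-api.jar is used when present (javac skips classpath
# entries that do not exist, so it stays optional).
# The Tomcat source tree is NOT modified; we only add our own webapp.
# The `test -f` makes the build stop with a clear cause if the base image layout differs,
# instead of surfacing later as unresolved-symbol errors from javac.
# NOTE(review): /build (source plus class files) stays in the image layers; a separate
# build stage would keep it out of the runtime image.
COPY app/src/LabServlet.java /build/lab/LabServlet.java
RUN set -eux; \
    tomcat_lib=/usr/local/tomcat/lib; \
    test -f "${tomcat_lib}/servlet-api.jar"; \
    mkdir -p /build/out; \
    javac -classpath "${tomcat_lib}/servlet-api.jar:${tomcat_lib}/tomcat-api.jar" \
          -d /build/out /build/lab/LabServlet.java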

# Install the lab webapp as the exploded ROOT application.
# Any stock ROOT app is deleted first so that ROOT holds nothing but the lab's WEB-INF tree.
# NOTE(review): the rm is a no-op if the base image ships an empty webapps/ (recent official
# tomcat images keep the stock apps under webapps.dist; confirm for the tag in use).
RUN rm -rf /usr/local/tomcat/webapps/ROOT
COPY app/WEB-INF /usr/local/tomcat/webapps/ROOT/WEB-INF
# Copy the compiled `lab` package directory from the javac output into WEB-INF/classes.
RUN classes_dir=/usr/local/tomcat/webapps/ROOT/WEB-INF/classes; \
    mkdir -p "${classes_dir}" && \
    cp -r /build/out/lab "${classes_dir}/"

# The arrival log and nonce live in a directory that is only populated at run time.
# NONCE_DIR is exported into the container environment (presumably read by the entrypoint
# script and/or LabServlet; confirm). The directory is created empty here.
ENV NONCE_DIR=/nonce
RUN mkdir -p "${NONCE_DIR}"

# Entrypoint script: copied from config/ and marked executable in a follow-up layer.
COPY config/backend-entrypoint.sh /usr/local/bin/backend-entrypoint.sh
RUN chmod +x /usr/local/bin/backend-entrypoint.sh

# NOTE(review): no USER instruction is set, so the entrypoint and Tomcat run as the base
# image's default user (root for the official tomcat image; confirm). If the entrypoint does
# not need root, a dedicated account owning ${NONCE_DIR} would limit what a compromised
# servlet container can touch.
# EXPOSE only documents the port; whether 8080 is published is decided at run time.
EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/backend-entrypoint.sh"]
