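# syntax=docker/dockerfile:1
#
# CVE-2026-43515 — Apache Tomcat improper authorization (CWE-285).
#
# Base image is selected at build time via TOMCAT_TAG:
#   - vulnerable: 10.1.54-jre17  (last affected 10.1.x build)
#   - patched   : 10.1.55-jre17  (first fixed 10.1.x build)
#
# The Tomcat distribution itself is installed UNALTERED from the official
# library image; only a webapp, a realm config and an entrypoint are added.
#
# Tags are mutable. For a reproducible vulnerable-vs-patched comparison,
# additionally pin the resolved digest, e.g.
#   FROM tomcat:${TOMCAT_TAG}@sha256:<DIGEST-PLACEHOLDER>
ARG TOMCAT_TAG=10.1.54-jre17
FROM tomcat:${TOMCAT_TAG}

# A pre-FROM ARG is only visible in FROM lines; re-declare it so the stage
# can record which variant this image was built from.
ARG TOMCAT_TAG
LABEL org.opencontainers.image.base.name="docker.io/library/tomcat:${TOMCAT_TAG}" \
      org.opencontainers.image.description="CVE-2026-43515 lab (Apache Tomcat, CWE-285); base tag ${TOMCAT_TAG}"

# Deploy the protected webapp (web.xml carries the vulnerable
# multi-<web-resource-collection> security-constraint).
COPY config/webapp/ ${CATALINA_HOME}/webapps/protected/

# Realm users: a single "admin" principal so the protected GET path genuinely
# demands authentication. Read by the stock UserDatabaseRealm in server.xml.
COPY config/tomcat-users.xml ${CATALINA_HOME}/conf/tomcat-users.xml

# Entrypoint regenerates the fresh per-boot secret, then starts Tomcat.
# --chmod sets the execute bit in the COPY layer itself; a follow-up
# `RUN chmod +x` would store a second copy of the file in its own layer.
COPY --chmod=0755 config/entrypoint.sh /usr/local/bin/entrypoint.sh

# NOTE(review): no USER switch here — the stock tomcat image runs as root,
# and entrypoint.sh presumably needs write access under CATALINA_HOME to
# regenerate the per-boot secret; confirm that before adding a non-root user.

# EXPOSE is documentation only; nothing is published until `docker run -p`.
# Bind the intentionally vulnerable build to loopback (-p 127.0.0.1:8080:8080)
# rather than all interfaces.
EXPOSE 8080
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]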
