Add entrypoint to clear the federation metadata cache on startup

[phavekes]

This adds an entrypoint to the docker image that will clear the federation metadata cache just before the application in launched.

[johanib]

Discussed: Why not put cache inside container

[phavekes]

Or: Should we move the federation-metadata-cache location to /tmp/ in the container? @pmeulen

[johanib]

It seems the execute bit is needed, or docker wont run the containers.

[johanib]

Investigations have concluded this branch was used to build a beta tag, which was then also given the prod tag. (https://github.com/OpenConext/Stepup-AzureMFA/pkgs/container/stepup-azuremfa%2Fstepup-azuremfa)

What happens, is when I use ./start-dev-env.sh middleware:/home/johan/project/surf/Stepup-Middleware -- --pull always --force-recreate in devconf, I pull in that image.

Which then results in:

middleware-1   | 
middleware-1   |  // Clearing the cache for the dev environment with debug false                 
middleware-1   | 
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: exec: "/usr/local/bin/entrypoint.sh": permission denied

In devconf, the temporary workaround is.

  azuremfa:
    image: ghcr.io/openconext/stepup-azuremfa/stepup-azuremfa:${STEPUP_VERSION:-prod}
    entrypoint: ["/bin/sh", "-c", "chmod +x /usr/local/bin/entrypoint.sh && exec /usr/local/bin/entrypoint.sh \"$@\"", "--"]

This workaround is no longer needed once a fixed azuremfa image is tagged.

[johanib]

I dont know bash, but Claude suggested the following, confirmed by GPT5.5:

Suggested change

	CACHE_DIR=$(grep -E '^ *federation_metadata_cache_location:' "$PARAM_FILE" \
	| cut -d ':' -f2- | tr -d '[:space:]')
	CACHE_DIR=$(grep -E '^ *federation_metadata_cache_location:' "$PARAM_FILE" \
	| cut -d ':' -f2- | tr -d '[:space:]' | tr -d "'\"")

Finding 1 — docker/entrypoint.sh:4-5:yaml-quote-handling

YAML-quoted values break cache path extraction

parameters.yaml.dist (the file copied as parameters.yaml in both Dockerfiles) stores the value as federation_metadata_cache_location: '/var/www/html/federation-metadata' — with YAML single quotes. The cut | tr pipeline doesn't strip those quotes, so $CACHE_DIR becomes the literal string '/var/www/html/federation-metadata' (with quote characters). The [ -d "$CACHE_DIR" ] test then fails silently because no such directory exists, meaning the cache is never cleared — which is the entire purpose of this PR.

Relevant lines: docker/entrypoint.sh lines 4–5

Suggested approach: Strip YAML quotes after the tr step:

CACHE_DIR=$(grep -E '^ *federation_metadata_cache_location:' "$PARAM_FILE"
| cut -d ':' -f2- | tr -d '[:space:]' | tr -d "'"")