From aa8aff9d8b998da52206393a22c51da0837642e7 Mon Sep 17 00:00:00 2001 From: Daniel Hougaard Date: Tue, 21 Oct 2025 22:01:43 +0400 Subject: [PATCH] fix: persist softhsm configuration --- backend/Dockerfile.dev | 7 ++++--- backend/Dockerfile.dev.fips | 7 ++++--- backend/dev-entrypoint.sh | 16 ++++++++++++++++ docker-compose.dev.yml | 3 +++ 4 files changed, 27 insertions(+), 6 deletions(-) create mode 100755 backend/dev-entrypoint.sh diff --git a/backend/Dockerfile.dev b/backend/Dockerfile.dev index 5e17cf2bbc..b5f4f7ac24 100644 --- a/backend/Dockerfile.dev +++ b/backend/Dockerfile.dev @@ -49,9 +49,6 @@ RUN rm -fr ${SOFTHSM2_SOURCES} # Install pkcs11-tool RUN apt-get install -y opensc -RUN mkdir -p /etc/softhsm2/tokens && \ - softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000 - # ? App setup # Install Infisical CLI @@ -64,10 +61,14 @@ WORKDIR /app COPY package.json package.json COPY package-lock.json package-lock.json +COPY dev-entrypoint.sh dev-entrypoint.sh +RUN chmod +x dev-entrypoint.sh + RUN npm install COPY . . ENV HOST=0.0.0.0 +ENTRYPOINT ["/app/dev-entrypoint.sh"] CMD ["npm", "run", "dev:docker"] diff --git a/backend/Dockerfile.dev.fips b/backend/Dockerfile.dev.fips index db51079857..4d5b842601 100644 --- a/backend/Dockerfile.dev.fips +++ b/backend/Dockerfile.dev.fips @@ -50,9 +50,6 @@ RUN rm -fr ${SOFTHSM2_SOURCES} # Install pkcs11-tool RUN apt-get install -y opensc -RUN mkdir -p /etc/softhsm2/tokens && \ - softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000 - WORKDIR /openssl-build RUN wget https://www.openssl.org/source/openssl-3.1.2.tar.gz \ && tar -xf openssl-3.1.2.tar.gz \ @@ -77,6 +74,9 @@ WORKDIR /app COPY package.json package.json COPY package-lock.json package-lock.json +COPY dev-entrypoint.sh dev-entrypoint.sh +RUN chmod +x dev-entrypoint.sh + RUN npm install COPY . . 
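Review bot: In the `@@ -64,10 +61,14 @@` hunk of backend/Dockerfile.dev the new `COPY dev-entrypoint.sh` and `RUN chmod +x` sit above `RUN npm install`, so every edit to the entrypoint script invalidates the dependency layer and reinstalls node_modules. The separate chmod also stores the file a second time in its own layer. Moving the copy below the install step and folding the mode into it keeps the deps cache intact: `COPY --chmod=755 dev-entrypoint.sh dev-entrypoint.sh`. `--chmod` needs BuildKit, which this build presumably already uses — confirm before relying on it.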
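Review bot: The `@@ -77,6 +74,9 @@` hunk of backend/Dockerfile.dev.fips has the same ordering problem: the script is copied and chmod'ed ahead of `RUN npm install`, so a one-line script change triggers a full node_modules reinstall. Placing `COPY --chmod=755 dev-entrypoint.sh dev-entrypoint.sh` after the install step in both Dockerfiles, and dropping the standalone `RUN chmod +x` layer, keeps the two images consistent and cache-friendly.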
@@ -87,4 +87,5 @@ ENV OPENSSL_MODULES=/usr/local/lib/ossl-modules # ENV NODE_OPTIONS=--force-fips # Note(Daniel): We can't set this on the node options because it may break for existing folks using the infisical/infisical-fips image. Instead we call crypto.setFips(true) at runtime. ENV FIPS_ENABLED=true +ENTRYPOINT ["/app/dev-entrypoint.sh"] CMD ["npm", "run", "dev:docker"] diff --git a/backend/dev-entrypoint.sh b/backend/dev-entrypoint.sh new file mode 100755 index 0000000000..9cb3c0a5e0 --- /dev/null +++ b/backend/dev-entrypoint.sh @@ -0,0 +1,16 @@ +#!/bin/sh + +update-ca-certificates + +# Initialize SoftHSM token if it doesn't exist +if [ ! -f /etc/softhsm2/tokens/auth-app.db ]; then + echo "Initializing SoftHSM token..." + mkdir -p /etc/softhsm2/tokens + softhsm2-util --init-token --slot 0 --label "auth-app" --pin 1234 --so-pin 0000 + echo "SoftHSM token initialized" +else + echo "SoftHSM token already exists, skipping initialization" +fi + + +exec "$@" \ No newline at end of file diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml index 00dc19a46b..e60ef1ba56 100644 --- a/docker-compose.dev.yml +++ b/docker-compose.dev.yml @@ -77,6 +77,7 @@ services: - TELEMETRY_ENABLED=false volumes: - ./backend/src:/app/src + - softhsm_tokens:/etc/softhsm2/tokens # SoftHSM tokens are stored in a volume to persist across container restarts extra_hosts: - "host.docker.internal:host-gateway" @@ -198,3 +199,5 @@ volumes: ldap_data: ldap_config: grafana_storage: + softhsm_tokens: + driver: local \ No newline at end of file
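Review bot: The new `ENTRYPOINT ["/app/dev-entrypoint.sh"]` in backend/Dockerfile.dev.fips wraps every command, and the script it runs (`update-ca-certificates`, `mkdir -p` under /etc/softhsm2) only works as root. Neither Dockerfile declares a `USER`, so this holds today, but nothing records the dependency; a comment above the instruction such as `# dev-entrypoint.sh must run as root (update-ca-certificates, /etc/softhsm2 token init)` would stop a later `USER` directive from silently breaking token initialization. Since the entrypoint now precedes any overridden CMD, `docker compose run backend <cmd>` also runs the HSM init — acceptable for dev, but worth stating in the same comment.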
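Review bot: The guard `[ ! -f /etc/softhsm2/tokens/auth-app.db ]` in backend/dev-entrypoint.sh probably never matches an initialized token: SoftHSM2's file and db object stores both write into a per-token UUID directory (`tokens/<uuid>/token.object` or `token.db`), not a file named after the label, unless the image's softhsm2.conf does something non-default that is not visible here. If that is the case, `--init-token --slot 0` runs on every start and re-initializes the existing token, wiping its objects — the opposite of what the commit intends. Probing the slot list is robust to the backend: `if ! softhsm2-util --show-slots 2>/dev/null | grep -q 'auth-app'; then`. The script also has no `set -e`, so a failed `update-ca-certificates` or token init still falls through to `exec "$@"`; add `set -eu` after the shebang. The hard-coded PIN/SO-PIN (1234/0000) predate this change, but now that the token persists in a volume a comment marking them dev-only (or `${SOFTHSM_PIN:-1234}`-style overrides) would be appropriate.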
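Review bot: The inline comment on the new `softhsm_tokens` mount in docker-compose.dev.yml says the tokens persist across restarts but not how to reset them, which matters because the token is protected by well-known dev PINs and any keys the app wraps with it now outlive the container. Extending it, e.g. `# SoftHSM tokens persist across container restarts; run 'docker compose down -v' to reset the dev HSM state`, makes the lifecycle explicit. A named volume is only seeded from image content if the directory exists in the image, and these Dockerfiles no longer create `/etc/softhsm2/tokens`, so first start depends entirely on the entrypoint's `mkdir -p` — worth confirming softhsm2.conf's `directories.tokendir` points at that same path.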