From 233b3178cda560a170116688af1946465d9881ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=A9rard=20Collin?= Date: Sat, 14 Jan 2023 10:17:35 +0100 Subject: [PATCH] Working with ssh support --- README.md | 61 +++++++++++++++--------------------------- README_fr.md | 61 +++++++++++++++--------------------------- conf/authorized_keys | 1 + conf/cac-proxy-sudoers | 1 + conf/restart-proxy.sh | 4 +++ manifest.json | 9 +++++++ scripts/backup | 2 ++ scripts/install | 30 +++++++++++++++++++++ scripts/remove | 8 ++++++ scripts/restore | 17 ++++++++++++ scripts/upgrade | 1 + 11 files changed, 117 insertions(+), 78 deletions(-) create mode 100644 conf/authorized_keys create mode 100644 conf/cac-proxy-sudoers create mode 100644 conf/restart-proxy.sh diff --git a/README.md b/README.md index cb8b617..b77dee2 100644 --- a/README.md +++ b/README.md 
@@ -3,76 +3,59 @@ N.B.: This README was automatically generated by https://github.com/YunoHost/app It shall NOT be edited by hand. --> -# Mongo Express for YunoHost +# Cookie Aware Cors Proxy for YunoHost -[![Integration level](https://dash.yunohost.org/integration/mongo-express.svg)](https://dash.yunohost.org/appci/app/mongo-express) ![Working status](https://ci-apps.yunohost.org/ci/badges/mongo-express.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/mongo-express.maintain.svg) -[![Install Mongo Express with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mongo-express) +[![Integration level](https://dash.yunohost.org/integration/cac-proxy.svg)](https://dash.yunohost.org/appci/app/cac-proxy) ![Working status](https://ci-apps.yunohost.org/ci/badges/cac-proxy.status.svg) ![Maintenance status](https://ci-apps.yunohost.org/ci/badges/cac-proxy.maintain.svg) +[![Install Cookie Aware Cors Proxy with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=cac-proxy) *[Lire ce readme en français.](./README_fr.md)* -> *This package allows you to install Mongo Express quickly and simply on a YunoHost server. +> *This package allows you to install Cookie Aware Cors Proxy quickly and simply on a YunoHost server. If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/install) to learn how to install it.* ## Overview -Mongo Express is a Web-based MongoDB admin interface written with Node.js, Express and Bootstrap3. -You can as well install a Mongo database - version 4, 5 or 6 in your yunohost server if you want +Cookie Aware Cors Proxy is an http proxy letting the browser itself manages cookies and redirects. +Most other cores proxy directly respond to redirects, and doesn't send cookies, thus breaking the flow. 
+With Cookie Aware Cors Proxy, you can call a website not supporting CORS from your own web application, and get the html result. ### Features -- Optionally installs Mongo server -- Connect to multiple databases -- View/add/delete databases -- View/add/rename/delete collections -- View/add/update/delete documents -- Preview audio/video/image assets inline in collection view -- Nested and/or large objects are collapsible for easy overview -- Async on-demand loading of big document properties (>100KB default) to keep collection view fast -- GridFS support - add/get/delete incredibly large files -- Use BSON data types in documents -- Mobile / Responsive - Bootstrap 3 works passably on small screens when you're in a bind -- Connect and authenticate to individual databases -- Authenticate as admin to view all databases -- Database blacklist/whitelist -- Custom CA and CA validation disabling -- Supports replica sets +- Translates cookies and redirect locations from the target website to have the browser continue to call the proxy and not directly the website +- Extensive and dynamic support for log and debug information +- Two engines: a lightweight and one based on chrome to support websites running javascript -**Shipped version:** 1.0~ynh3 +**Shipped version:** 1.0~ynh1 ## Screenshots -![Screenshot of Mongo Express](./doc/screenshots/document-edit.png) -![Screenshot of Mongo Express](./doc/screenshots/collection-view.png) -![Screenshot of Mongo Express](./doc/screenshots/databases-view.png) +![Screenshot of Cookie Aware Cors Proxy](./doc/screenshots/document-edit.png) +![Screenshot of Cookie Aware Cors Proxy](./doc/screenshots/databases-view.png) +![Screenshot of Cookie Aware Cors Proxy](./doc/screenshots/collection-view.png) ## Disclaimers / important information -* For now, any user that can log to your server will have admin access to all your Mongo databases ! 
+* About security * Single-sign on or LDAP are not integrated - * It's strongly recommanded you don't enable public access to the application + * It works only if you define it as public upon installation otherwise the yunohost SSO will interfere -* It doesn't backup Mongo databases - * As mongo-express doesn't require any database by itself, it doesn't backup or restore any of them - * However, yYou can view / edit other applications databases with Mongo-Express - * It will just reinstall the Mongo server if you installed it with this script - * Any yunohost applications using Mongo databases should manage the backup and restore ## Documentation and resources -* Upstream app code repository: -* YunoHost documentation for this app: -* Report a bug: +* Upstream app code repository: +* YunoHost documentation for this app: +* Report a bug: ## Developer info -Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/mongo-express_ynh/tree/testing). +Please send your pull request to the [testing branch](https://github.com/YunoHost-Apps/cac-proxy_ynh/tree/testing). To try the testing branch, please proceed like that. ``` bash -sudo yunohost app install https://github.com/YunoHost-Apps/mongo-express_ynh/tree/testing --debug +sudo yunohost app install https://github.com/YunoHost-Apps/cac-proxy_ynh/tree/testing --debug or -sudo yunohost app upgrade mongo-express -u https://github.com/YunoHost-Apps/mongo-express_ynh/tree/testing --debug +sudo yunohost app upgrade cac-proxy -u https://github.com/YunoHost-Apps/cac-proxy_ynh/tree/testing --debug ``` **More info regarding app packaging:** diff --git a/README_fr.md b/README_fr.md index 42b703b..692a0f0 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -3,76 +3,59 @@ N.B.: This README was automatically generated by https://github.com/YunoHost/app It shall NOT be edited by hand. --> -# Mongo Express pour YunoHost +# Cookie Aware Cors Proxy pour YunoHost -[![Niveau d'intégration](https://dash.yunohost.org/integration/mongo-express.svg)](https://dash.yunohost.org/appci/app/mongo-express) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/mongo-express.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/mongo-express.maintain.svg) -[![Installer Mongo Express avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=mongo-express) +[![Niveau d'intégration](https://dash.yunohost.org/integration/cac-proxy.svg)](https://dash.yunohost.org/appci/app/cac-proxy) ![Statut du fonctionnement](https://ci-apps.yunohost.org/ci/badges/cac-proxy.status.svg) ![Statut de maintenance](https://ci-apps.yunohost.org/ci/badges/cac-proxy.maintain.svg) +[![Installer Cookie Aware Cors Proxy avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=cac-proxy) *[Read this readme in english.](./README.md)* -> *Ce package vous permet d'installer Mongo Express rapidement et simplement sur un serveur YunoHost. +> *Ce package vous permet d'installer Cookie Aware Cors Proxy rapidement et simplement sur un serveur YunoHost. Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.* ## Vue d'ensemble -Mongo Express is a Web-based MongoDB admin interface written with Node.js, Express and Bootstrap3. -You can as well install a Mongo database - version 4, 5 or 6 in your yunohost server if you want +Cookie Aware Cors Proxy is an http proxy letting the browser itself manages cookies and redirects. +Most other cores proxy directly respond to redirects, and doesn't send cookies, thus breaking the flow. 
+With Cookie Aware Cors Proxy, you can call a website not supporting CORS from your own web application, and get the html result. ### Features -- Optionally installs Mongo server -- Connect to multiple databases -- View/add/delete databases -- View/add/rename/delete collections -- View/add/update/delete documents -- Preview audio/video/image assets inline in collection view -- Nested and/or large objects are collapsible for easy overview -- Async on-demand loading of big document properties (>100KB default) to keep collection view fast -- GridFS support - add/get/delete incredibly large files -- Use BSON data types in documents -- Mobile / Responsive - Bootstrap 3 works passably on small screens when you're in a bind -- Connect and authenticate to individual databases -- Authenticate as admin to view all databases -- Database blacklist/whitelist -- Custom CA and CA validation disabling -- Supports replica sets +- Translates cookies and redirect locations from the target website to have the browser continue to call the proxy and not directly the website +- Extensive and dynamic support for log and debug information +- Two engines: a lightweight and one based on chrome to support websites running javascript -**Version incluse :** 1.0~ynh3 +**Version incluse :** 1.0~ynh1 ## Captures d'écran -![Capture d'écran de Mongo Express](./doc/screenshots/document-edit.png) -![Capture d'écran de Mongo Express](./doc/screenshots/collection-view.png) -![Capture d'écran de Mongo Express](./doc/screenshots/databases-view.png) +![Capture d'écran de Cookie Aware Cors Proxy](./doc/screenshots/document-edit.png) +![Capture d'écran de Cookie Aware Cors Proxy](./doc/screenshots/databases-view.png) +![Capture d'écran de Cookie Aware Cors Proxy](./doc/screenshots/collection-view.png) ## Avertissements / informations importantes -* For now, any user that can log to your server will have admin access to all your Mongo databases ! 
+* About security * Single-sign on or LDAP are not integrated - * It's strongly recommanded you don't enable public access to the application + * It works only if you define it as public upon installation otherwise the yunohost SSO will interfere -* It doesn't backup Mongo databases - * As mongo-express doesn't require any database by itself, it doesn't backup or restore any of them - * However, yYou can view / edit other applications databases with Mongo-Express - * It will just reinstall the Mongo server if you installed it with this script - * Any yunohost applications using Mongo databases should manage the backup and restore ## Documentations et ressources -* Dépôt de code officiel de l'app : -* Documentation YunoHost pour cette app : -* Signaler un bug : +* Dépôt de code officiel de l'app : +* Documentation YunoHost pour cette app : +* Signaler un bug : ## Informations pour les développeurs -Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/mongo-express_ynh/tree/testing). +Merci de faire vos pull request sur la [branche testing](https://github.com/YunoHost-Apps/cac-proxy_ynh/tree/testing). Pour essayer la branche testing, procédez comme suit. ``` bash -sudo yunohost app install https://github.com/YunoHost-Apps/mongo-express_ynh/tree/testing --debug +sudo yunohost app install https://github.com/YunoHost-Apps/cac-proxy_ynh/tree/testing --debug ou -sudo yunohost app upgrade mongo-express -u https://github.com/YunoHost-Apps/mongo-express_ynh/tree/testing --debug +sudo yunohost app upgrade cac-proxy -u https://github.com/YunoHost-Apps/cac-proxy_ynh/tree/testing --debug ``` **Plus d'infos sur le packaging d'applications :** diff --git a/conf/authorized_keys b/conf/authorized_keys new file mode 100644 index 0000000..43a1924 --- /dev/null +++ b/conf/authorized_keys @@ -0,0 +1 @@ +__PUBLIC_KEY__ diff --git a/conf/cac-proxy-sudoers b/conf/cac-proxy-sudoers new file mode 100644 index 0000000..91678cd --- /dev/null 
+++ b/conf/cac-proxy-sudoers @@ -0,0 +1 @@ +%__APP__ ALL=(root) NOPASSWD: /usr/bin/systemctl restart __APP__ diff --git a/conf/restart-proxy.sh b/conf/restart-proxy.sh new file mode 100644 index 0000000..bfa5aa0 --- /dev/null +++ b/conf/restart-proxy.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +# Restart all dont-code services +sudo systemctl restart "__APP__" diff --git a/manifest.json b/manifest.json index dd39518..b21c801 100644 --- a/manifest.json +++ b/manifest.json @@ -36,6 +36,15 @@ "example": "/proxy", "default": "/proxy" }, + { + "name": "public_key", + "type": "string", + "optional": true, + "ask": { + "en": "SSH Public key to allow service updates as part of delivery process, leave empty to disable.", + "fr": "Clef publique SSH permettant la mise à jour des services via une deploiement automatique, inactif si non renseigné." + } + }, { "name": "is_public", "type": "boolean", diff --git a/scripts/backup b/scripts/backup index 0670178..26b95b8 100755 --- a/scripts/backup +++ b/scripts/backup @@ -56,6 +56,8 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= # SPECIFIC BACKUP #================================================= +ynh_backup --src_path="/etc/sudoers.d/$app-sudoers" + # BACKUP LOGROTATE #================================================= diff --git a/scripts/install b/scripts/install index 7383c82..b516307 100755 --- a/scripts/install +++ b/scripts/install @@ -25,6 +25,7 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH +public_key=$YNH_APP_ARG_PUBLIC_KEY is_public=$YNH_APP_ARG_IS_PUBLIC ### If it's a multi-instance app, meaning it can be installed several times independently 
@@ -140,6 +141,35 @@ chmod 750 "$final_path" chmod -R o-rwx "$final_path" chown -R $app:$app "$final_path" +if [ -n "$public_key" ] +then + ynh_script_progression --message="Enabling ssh access for dev..." --weight=1 + #enable ssh access to the files for updates + #todo: Secure it more with https://github.com/YunoHost-Apps/ssh_chroot_dir_ynh + mkdir --parents $final_path/.ssh + ynh_add_config --template="authorized_keys" --destination="$final_path/.ssh/authorized_keys" + ynh_app_setting_set --app=$app --key=public_key --value=$public_key + chown -R $app:$app "$final_path/.ssh" + chmod 700 "$final_path/.ssh" + chmod 600 "$final_path/.ssh/authorized_keys" + + #================================================= + # Create restart services file + #================================================= + + # Enable restarting of services from ssh + ynh_add_config --template="restart-proxy.sh" --destination="$final_path/restart-proxy.sh" + + # Enable root ownership to be able to call systemctl + chown $app:$app "$final_path/restart-proxy.sh" + chmod o-rwx,gu=rwx "$final_path/restart-proxy.sh" + + ynh_add_config --template="cac-proxy-sudoers" --destination="/etc/sudoers.d/$app-sudoers" + chown root:root "/etc/sudoers.d/$app-sudoers" + chmod o-rwx,gu=r "/etc/sudoers.d/$app-sudoers" + +fi + #================================================= # NGINX CONFIGURATION #================================================= diff --git a/scripts/remove b/scripts/remove index a35c8e3..98f3dc7 100755 --- a/scripts/remove +++ b/scripts/remove @@ -19,6 +19,7 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) port=$(ynh_app_setting_get --app=$app --key=port) final_path=$(ynh_app_setting_get --app=$app --key=final_path) +public_key=$(ynh_app_setting_get --app=$app --key=public_key) #================================================= # STANDARD REMOVE 
@@ -110,6 +111,13 @@ ynh_script_progression --message="Removing various files..." --weight=1 # Remove the log files ynh_secure_remove --file="/var/log/$app" +if [ -n "$public_key" ] +then + ynh_script_progression --message="Removing ssh dev access" --weight=1 + ynh_secure_remove --file="/etc/sudoers.d/$app-sudoers" + +fi + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/restore b/scripts/restore index a2e89cc..6b7a4e1 100755 --- a/scripts/restore +++ b/scripts/restore @@ -32,6 +32,7 @@ domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) port=$(ynh_app_setting_get --app=$app --key=port) +public_key=$(ynh_app_setting_get --app=$app --key=public_key) #================================================= # CHECK IF THE APP CAN BE RESTORED @@ -70,6 +71,22 @@ chmod 750 "$final_path" chmod -R o-rwx "$final_path" chown -R $app:$app "$final_path" +#Make sure the .ssh and files have the correct access rights +if [ -n "$public_key" ] +then + chown -R $app:$app "$final_path/.ssh" + chmod 700 "$final_path/.ssh" + chmod 600 "$final_path/.ssh/authorized_keys" + # Enable restart of services for the dont-code user + chown $app:$app "$final_path/restart-proxy.sh" + chmod o-rwx,gu=rwx "$final_path/restart-proxy.sh" + + ynh_restore_file --origin_path="/etc/sudoers.d/$app-sudoers" + + chown root:root "/etc/sudoers.d/$app-sudoers" + chmod o-rwx,gu=r "/etc/sudoers.d/$app-sudoers" +fi + #================================================= # SPECIFIC RESTORATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 2af66c8..c096160 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -20,6 +20,7 @@ domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) port=$(ynh_app_setting_get --app=$app --key=port) +public_key=$(ynh_app_setting_get --app=$app --key=public_key) #================================================= # CHECK VERSION
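Review bot: the "Disclaimers / important information" section of README.md does not mention the new optional SSH key, which installs an authorized_keys file and a passwordless sudo rule for restarting the service; add a line for it under "About security". The screenshot links still point to document-edit.png, databases-view.png and collection-view.png, the three entries under "Documentation and resources" are empty, and "Most other cores proxy" should read "CORS proxies". The header says this README is generated and must not be edited by hand, so make the changes in the generator's inputs; README_fr.md carries the same text.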
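Review bot: conf/authorized_keys writes `__PUBLIC_KEY__` with no key options, so the key is accepted with whatever forwarding and pty settings sshd allows by default. Prefixing the line with `restrict` would turn those off while still allowing command execution and file transfer, which the update workflow needs; scripts/install already carries a todo about tightening this access.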
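Review bot: the rule in conf/cac-proxy-sudoers starts with `%__APP__`, which grants it to every member of that group rather than to the app user alone. If only the service account needs to restart the unit, write `__APP__ ALL=(root) NOPASSWD: /usr/bin/systemctl restart __APP__` without the `%`.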
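Review bot: the comment `# Restart all dont-code services` in conf/restart-proxy.sh does not match the script, which restarts only `__APP__`. Reword it to name this app; the same leftover name appears in the scripts/restore comment "for the dont-code user".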
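Review bot: the `public_key` question in manifest.json is a free-form `string` with no `example` and no format check, and its help text does not say that a non-empty value also installs a sudoers rule. Add an example of the expected single-line form, as the `path` question above it does, and say in the text what the key is allowed to do. The French text has a typo: "une deploiement" should be "un déploiement".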
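Review bot: in scripts/backup, `ynh_backup --src_path="/etc/sudoers.d/$app-sudoers"` runs unconditionally, but scripts/install creates that file only when `public_key` is non-empty and scripts/restore restores it only in that case. Guard the call the same way, by reading `public_key` here or by testing for the file, so a key-less install does not try to back up a missing file. The added line also lands between the SPECIFIC BACKUP banner and the `# BACKUP LOGROTATE` title, which splits that banner; give it its own section.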
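Review bot: in scripts/install, `--value=$public_key` is unquoted, and an SSH public key contains spaces (key type, base64 data, comment), so word splitting breaks the key into several arguments to `ynh_app_setting_set`; quote it as `--value="$public_key"`, and quote `$final_path` in the `mkdir --parents` line as well. The value is also copied into authorized_keys without any check, so input with embedded newlines or leading options would be installed as given; reject anything that is not a single line of key type, base64 data and optional comment before calling `ynh_add_config`. The comment "Enable root ownership" sits above `chown $app:$app`, and the sudoers file is put in place without a `visudo -cf` syntax check.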
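Review bot: in scripts/remove, the sudoers file is deleted only when the stored `public_key` setting is non-empty, so if that setting is missing the NOPASSWD rule in /etc/sudoers.d stays behind after uninstall. Key the cleanup on the file itself, for example `[ -e "/etc/sudoers.d/$app-sudoers" ]`, rather than on the setting.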
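Review bot: in scripts/restore, the sudoers file is taken from the archive with `ynh_restore_file` and only has its owner and mode reset, so whatever rule the archive contains is installed as is. Regenerate it from the `cac-proxy-sudoers` template with `ynh_add_config`, as scripts/install does, or at least check it with `visudo -cf` before leaving it in /etc/sudoers.d. The same applies to `authorized_keys`, which could be rewritten from the stored `public_key` instead of trusted from the backup.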
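Review bot: scripts/upgrade now reads `public_key`, but the diffstat shows this is the only line added to the file, so nothing uses the variable: authorized_keys, restart-proxy.sh and the sudoers file are not re-created on upgrade, and later changes to those templates will never reach existing installs. Either re-apply the three templates when `public_key` is set, with the same ownership and modes as in scripts/install, or drop the unused assignment.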