From e2471ec6c8c73cf4a6ec1a740c3069c36158b87b Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sat, 29 Jul 2023 16:53:49 +0200 Subject: [PATCH 1/9] add_sso_v2 --- conf/nginx.conf | 2 +- hooks/post_app_addaccess | 19 +++++++++++++++++++ hooks/post_app_removeaccess | 18 ++++++++++++++++++ 3 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 hooks/post_app_addaccess create mode 100644 hooks/post_app_removeaccess diff --git a/conf/nginx.conf b/conf/nginx.conf index 3aad432..8642d49 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -15,7 +15,7 @@ location __PATH__ { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Script-Name __PATH__; -# proxy_set_header X-Remote-User $remote_user; +# proxy_set_header X-Remote-User $remote_user; # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess new file mode 100644 index 0000000..b2e7581 --- /dev/null +++ b/hooks/post_app_addaccess @@ -0,0 +1,19 @@ +#!/bin/bash +# Source YunoHost helpers +source /usr/share/yunohost/helpers + +app=$1 +users=$2 +permission=$3 +group=$4 + +#Si le groupe visitors a été affecté à calibreweb +if echo "$group" | grep visitors ; then + if tail /etc/yunohost/apps/$app/conf/nginx.conf | grep " proxy_set_header X-Remote-User"; then + #app is made public + domain=$(ynh_app_setting_get --app=$app --key=domain) + ynh_replace_string --match_string=" proxy_set_header X-Remote-User" --replace_string="# proxy_set_header X-Remote-User" --target_file="/etc/yunohost/apps/$app/conf/nginx.conf" + ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" --destination="/etc/nginx/conf.d/$domain.d/$app.conf" + ynh_systemd_action --service_name=nginx --action=reload + fi +fi \ No newline at end of file diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess new file mode 100644 index 0000000..3250b25 --- /dev/null 
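Review bot: In the new post_app_addaccess hook, making the app public only comments out `proxy_set_header X-Remote-User`, so nginx stops overriding that header and, unless something upstream strips it, a value supplied by the client is forwarded to the backend unchanged. If calibre-web is, or later becomes, configured to trust that header for login, the public case is exactly where it must never arrive from outside. Consider writing an active directive that forces it empty for the public case, e.g. `proxy_set_header X-Remote-User "";`, instead of removing the directive. The `tail … | grep` guard also inspects only the last ten lines of the template and prints the match to the hook output; `grep -q` on the whole file would be more robust.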
+++ b/hooks/post_app_removeaccess @@ -0,0 +1,18 @@ +#!/bin/bash +# Source YunoHost helpers +source /usr/share/yunohost/helpers + +app=$1 +users=$2 +permission=$3 +group=$4 + +if echo "$group" | grep visitors; then + if tail /etc/yunohost/apps/$app/conf/nginx.conf | grep "# proxy_set_header X-Remote-User"; then + #app is made public + domain=$(ynh_app_setting_get --app=$app --key=domain) + ynh_replace_string --match_string="# proxy_set_header X-Remote-User" --replace_string=" proxy_set_header X-Remote-User" --target_file="/etc/yunohost/apps/$app/conf/nginx.conf" + ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" --destination="/etc/nginx/conf.d/$domain.d/$app.conf" + ynh_systemd_action --service_name=nginx --action=reload + fi +fi \ No newline at end of file From eb16fbaedeb250cb2aa5a47484dc0e5e782517f3 Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sat, 29 Jul 2023 20:48:10 +0200 Subject: [PATCH 2/9] add manifest.toml --- conf/nginx.conf | 2 +- hooks/post_app_addaccess | 9 ++++++++- hooks/post_app_removeaccess | 20 ++++++++++++++++---- 3 files changed, 25 insertions(+), 6 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 8642d49..92aade2 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -15,7 +15,7 @@ location __PATH__ { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Scheme $scheme; proxy_set_header X-Script-Name __PATH__; -# proxy_set_header X-Remote-User $remote_user; + proxy_set_header X-Remote-User $remote_user; # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess index b2e7581..8395394 100644 --- a/hooks/post_app_addaccess +++ b/hooks/post_app_addaccess 
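Review bot: Neither this hook nor post_app_addaccess checks that `$app` (taken from `$1`) is this package's instance before rewriting `/etc/yunohost/apps/$app/conf/nginx.conf` and reloading nginx. If YunoHost invokes these hooks for permission changes of every app, which I cannot confirm from the diff, another app whose template contains the same header line would be edited too. A guard at the top, for example `[ "$app" = "calibreweb" ] || exit 0` adapted to however the package derives its instance id, would scope the hook. The `#app is made public` comment is copied from the add hook and should say private here, and `"$app"` and `"$domain"` should be quoted in the paths.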
@@ -10,10 +10,17 @@ group=$4 #Si le groupe visitors a été affecté à calibreweb if echo "$group" | grep visitors ; then if tail /etc/yunohost/apps/$app/conf/nginx.conf | grep " proxy_set_header X-Remote-User"; then - #app is made public + domain=$(ynh_app_setting_get --app=$app --key=domain) + path=$(ynh_app_setting_get --app=$app --key=path) + port=$(ynh_app_setting_get --app=$app --key=port) + + touch ../manifest.toml + ynh_replace_string --match_string=" proxy_set_header X-Remote-User" --replace_string="# proxy_set_header X-Remote-User" --target_file="/etc/yunohost/apps/$app/conf/nginx.conf" ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" --destination="/etc/nginx/conf.d/$domain.d/$app.conf" ynh_systemd_action --service_name=nginx --action=reload + + rm ../manifest.toml fi fi \ No newline at end of file diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess index 3250b25..84170cf 100644 --- a/hooks/post_app_removeaccess +++ b/hooks/post_app_removeaccess 
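Review bot: `touch ../manifest.toml` followed by an unconditional `rm ../manifest.toml` operates on a path relative to whatever directory the hook happens to run in. If a real `manifest.toml` already exists there, `touch` leaves it in place and `rm` then deletes it; if `ynh_add_config` aborts, the stub stays behind. Create the stub only when it is missing and remove only what was created, e.g. `[ -e ../manifest.toml ] || { touch ../manifest.toml; stub=1; }` and later `[ -z "${stub:-}" ] || rm -- ../manifest.toml`. A one-line comment saying why `ynh_add_config` needs the file belongs next to it.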
@@ -9,10 +9,22 @@ group=$4 if echo "$group" | grep visitors; then if tail /etc/yunohost/apps/$app/conf/nginx.conf | grep "# proxy_set_header X-Remote-User"; then - #app is made public - domain=$(ynh_app_setting_get --app=$app --key=domain) - ynh_replace_string --match_string="# proxy_set_header X-Remote-User" --replace_string=" proxy_set_header X-Remote-User" --target_file="/etc/yunohost/apps/$app/conf/nginx.conf" - ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" --destination="/etc/nginx/conf.d/$domain.d/$app.conf" + + domain = $(ynh_app_setting_get --app=$app --key=domain) + path = $(ynh_app_setting_get --app=$app --key=path) + port = $(ynh_app_setting_get --app=$app --key=port) + + touch ../manifest.toml + + ynh_replace_string --match_string="# proxy_set_header X-Remote-User" \ + --replace_string=" proxy_set_header X-Remote-User" \ + --target_file="/etc/yunohost/apps/$app/conf/nginx.conf" + + ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" \ + --destination="/etc/nginx/conf.d/$domain.d/$app.conf" + ynh_systemd_action --service_name=nginx --action=reload + + rm ../manifest.toml fi fi \ No newline at end of file From a15211390fe47f24d60c770c8778a104ddfc9937 Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sat, 5 Aug 2023 11:09:56 +0200 Subject: [PATCH 3/9] Add SSO --- hooks/post_app_addaccess | 34 +++++++++++++++-------- hooks/post_app_removeaccess | 46 +++++++++++++++++-------------- hooks/post_user_delete | 8 +++--- scripts/install | 15 ++++++++++ scripts/upgrade | 10 +++++++ sources/patches/main-web.py.patch | 14 ++++++++++ 6 files changed, 91 insertions(+), 36 deletions(-) create mode 100644 sources/patches/main-web.py.patch diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess index 8395394..f0dc07c 100644 --- a/hooks/post_app_addaccess +++ b/hooks/post_app_addaccess 
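Review bot: The three added assignments `domain = $(…)`, `path = $(…)` and `port = $(…)` have spaces around `=`, so bash runs `domain`, `path` and `port` as commands instead of assigning anything. `$domain` then stays empty and the destination passed to `ynh_add_config` becomes `/etc/nginx/conf.d/.d/$app.conf`. Write them as in post_app_addaccess, `domain=$(ynh_app_setting_get --app="$app" --key=domain)`, and add an explicit check such as `[ -n "$domain" ] || exit 1` so an empty value stops the hook before nginx is reloaded.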
@@ -7,20 +7,30 @@ users=$2 permission=$3 group=$4 -#Si le groupe visitors a été affecté à calibreweb +#Visitor group has been revomed => app is public if echo "$group" | grep visitors ; then - if tail /etc/yunohost/apps/$app/conf/nginx.conf | grep " proxy_set_header X-Remote-User"; then - domain=$(ynh_app_setting_get --app=$app --key=domain) - path=$(ynh_app_setting_get --app=$app --key=path) - port=$(ynh_app_setting_get --app=$app --key=port) + #loading settings from the app + domain=$(ynh_app_setting_get --app=$app --key=domain) + path=$(ynh_app_setting_get --app=$app --key=path) + port=$(ynh_app_setting_get --app=$app --key=port) + install_dir=$(ynh_app_setting_get --app=$app --key=install_dir) - touch ../manifest.toml + #otherwise ynh_add_config complain about manifest + touch ../manifest.toml - ynh_replace_string --match_string=" proxy_set_header X-Remote-User" --replace_string="# proxy_set_header X-Remote-User" --target_file="/etc/yunohost/apps/$app/conf/nginx.conf" - ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" --destination="/etc/nginx/conf.d/$domain.d/$app.conf" - ynh_systemd_action --service_name=nginx --action=reload - - rm ../manifest.toml - fi + #reset a new conf file and move it to nginx + ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \ + --replace_string="# proxy_set_header X-Remote-User" \ + --target_file="/etc/yunohost/apps/$app/conf/nginx.conf" + ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" \ + --destination="/etc/nginx/conf.d/$domain.d/$app.conf" + ynh_systemd_action --service_name=nginx --action=reload + + rm ../manifest.toml + + #Update settings in calibre database + sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID)1;" +# ynh_print_info --message="Restarting Calibre-web to take new parameters into account +# ynh_systemd_action --service_name=$app --action=restart --line_match="Starting 
Gevent server on" -t 30 fi \ No newline at end of file diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess index 84170cf..0e4383b 100644 --- a/hooks/post_app_removeaccess +++ b/hooks/post_app_removeaccess 
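Review bot: The `sqlite3` call that switches off header login is the last step of the hook, its exit status is not checked, and as written (`WHERE ID)1;`) the statement is a syntax error. The hook therefore ends with nginx already reloaded without the `X-Remote-User` override while `config_allow_reverse_proxy_header_login` is still 1, which is the fail-open direction for an app that has just been made public. Run the database update first and stop on failure, e.g. `sqlite3 "$install_dir/app.db" "UPDATE … WHERE ID=1;" || ynh_die --message="could not disable header login"`, and only then touch nginx. The same `WHERE ID)1` appears in the scripts/upgrade hunk of this commit, and with the restart left commented out the running service presumably keeps its old settings until it is next restarted.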
@@ -7,24 +7,30 @@ users=$2 permission=$3 group=$4 +#Visitor group has been revomed => app is private if echo "$group" | grep visitors; then - if tail /etc/yunohost/apps/$app/conf/nginx.conf | grep "# proxy_set_header X-Remote-User"; then - - domain = $(ynh_app_setting_get --app=$app --key=domain) - path = $(ynh_app_setting_get --app=$app --key=path) - port = $(ynh_app_setting_get --app=$app --key=port) - - touch ../manifest.toml - - ynh_replace_string --match_string="# proxy_set_header X-Remote-User" \ - --replace_string=" proxy_set_header X-Remote-User" \ - --target_file="/etc/yunohost/apps/$app/conf/nginx.conf" - - ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" \ - --destination="/etc/nginx/conf.d/$domain.d/$app.conf" - - ynh_systemd_action --service_name=nginx --action=reload - - rm ../manifest.toml - fi -fi \ No newline at end of file + + #loading settings from the app + domain=$(ynh_app_setting_get --app=$app --key=domain) + path=$(ynh_app_setting_get --app=$app --key=path) + port=$(ynh_app_setting_get --app=$app --key=port) + install_dir=$(ynh_app_setting_get --app=$app --key=install_dir) + + #otherwise ynh_add_config complain about manifest + touch ../manifest.toml + + #reset a new conf file and move it to nginx + ynh_replace_string --match_string="# proxy_set_header X-Remote-User" \ + --replace_string=" proxy_set_header X-Remote-User" \ + --target_file="/etc/yunohost/apps/$app/conf/nginx.conf" + ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" \ + --destination="/etc/nginx/conf.d/$domain.d/$app.conf" + ynh_systemd_action --service_name=nginx --action=reload + + rm ../manifest.toml + + #Update settings in calibre database + sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;" +# ynh_print_info --message="Restarting Calibre-web to take new parameters into account +# ynh_systemd_action --service_name=$app 
--action=restart --line_match="Starting Gevent server on" -t 30 +fi diff --git a/hooks/post_user_delete b/hooks/post_user_delete index 03d072a..ee058ff 100644 --- a/hooks/post_user_delete +++ b/hooks/post_user_delete @@ -8,7 +8,7 @@ app=${app:3} source /etc/yunohost/apps/$app/scripts/_common.sh username=$1 -final_path=$(ynh_app_setting_get $app final_path) +install_dir=$(ynh_app_setting_get $app install_dir) del_tables_user="book_read_link remote_auth_token downloads shelf bookmark" del_tables_shelf="book_shelf_link" @@ -16,12 +16,12 @@ del_id() { #$1=table #$2=id_type #$3=id - sqlite3 $final_path/app.db "DELETE FROM $1 WHERE $2='$3'" + sqlite3 $install_dir/app.db "DELETE FROM $1 WHERE $2='$3'" } -user_id=$(sqlite3 $final_path/app.db "SELECT id from user WHERE nickname='$username'") -shelf_id=$(sqlite3 $final_path/app.db "SELECT id from shelf WHERE user_id='$user_id'") +user_id=$(sqlite3 $install_dir/app.db "SELECT id from user WHERE nickname='$username'") +shelf_id=$(sqlite3 $install_dir/app.db "SELECT id from shelf WHERE user_id='$user_id'") #Delete all entry with dependencies for user #pas de check sur l'existence de l'utilisateur car fonctionne sans diff --git a/scripts/install b/scripts/install index f70331b..b663706 100755 --- a/scripts/install +++ b/scripts/install @@ -95,6 +95,12 @@ if [ $path = "/" ] ; then ynh_replace_string " proxy_set_header X-Script-Name" "# proxy_set_header X-Script-Name" ../conf/nginx.conf fi +if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then + ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \ + --replace_string="# proxy_set_header X-Remote-User" \ + --target_file="../conf/nginx.conf" +fi + # Create a dedicated nginx config ynh_add_nginx_config @@ -123,6 +129,8 @@ ynh_replace_string --match_string="" \ --target_file="/etc/ImageMagick-6/policy.xml" + + #================================================= # INTEGRATE SERVICE IN YUNOHOST #================================================= 
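Review bot: In hooks/post_user_delete the statements are built by pasting `$username`, `$user_id` and the `del_id` arguments straight into the SQL text (`… WHERE nickname='$username'`), and `$install_dir` is unquoted. `username` comes from `$1`; if a name can ever contain a quote the statement changes meaning, and an empty `$install_dir` makes sqlite3 open `/app.db`. Doubling quotes before use, `username=${username//\'/\'\'}`, or rejecting names that do not match the expected pattern, together with `"$install_dir/app.db"`, would make this robust. When no user row is found `user_id` is empty and the deletes run with `''`; the French comment suggests that is deliberate, but it deserves an English note.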
@@ -162,6 +170,13 @@ ynh_add_fail2ban_config --logpath="$log_file" --failregex="^.*LDAP Login failed ynh_script_progression --message="Start $app..." --weight=5 ynh_systemd_action --service_name=$app --action="start" --line_match="Starting Gevent server on" -t 30 +#We need to update the sso login parameter, but for that the app needs to have run at least once to initialize the tables. +if [ ! $(ynh_permission_has_user --permission=main --user=visitors) ]; then + ynh_systemd_action --service_name=$app --action="stop" + sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;" + ynh_systemd_action --service_name=$app --action="start" --line_match="Starting Gevent server on" +fi + #================================================= # END OF SCRIPT #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index e82ff81..f027ae8 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -106,6 +106,16 @@ ynh_script_progression --message="Upgrading nginx web server configuration..." - if [ $path = "/" ] ; then ynh_replace_string " proxy_set_header X-Script-Name" "# proxy_set_header X-Script-Name" ../conf/nginx.conf fi + +if [ ynh_permission_has_user --permission=main --user=visitors ]; then + sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID)1;" + ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \ + --replace_string="# proxy_set_header X-Remote-User" \ + --target_file="../conf/nginx.conf" +else + sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;" +fi + # Create a dedicated nginx config ynh_add_nginx_config 
diff --git a/sources/patches/main-web.py.patch b/sources/patches/main-web.py.patch new file mode 100644 index 0000000..3386aba --- /dev/null +++ b/sources/patches/main-web.py.patch @@ -0,0 +1,14 @@ +--- a/cps/web.py 2023-03-27 19:49:57.000000000 +0200 ++++ b/cps/web.py 2023-08-05 11:05:36.703730438 +0200 +@@ -1411,7 +1411,10 @@ + if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3): + logout_oauth_user() + log.debug("User logged out") +- return redirect(url_for('web.login')) ++ if config.config_login_type == constants.LOGIN_LDAP: ++ return redirect(request.host_url + '/yunohost/sso/?action=logout') ++ else: ++ return redirect(url_for('web.login')) + + + # ################################### Users own configuration ######################################################### From 5597cb11efe91dbd842537215b28e779b5e00ce6 Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sat, 5 Aug 2023 11:36:27 +0200 Subject: [PATCH 4/9] Typo --- hooks/post_app_addaccess | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess index f0dc07c..cdc8ca3 100644 --- a/hooks/post_app_addaccess +++ b/hooks/post_app_addaccess @@ -30,7 +30,7 @@ if echo "$group" | grep visitors ; then rm ../manifest.toml #Update settings in calibre database - sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID)1;" + sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID=1;" # ynh_print_info --message="Restarting Calibre-web to take new parameters into account # ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30 fi \ No newline at end of file From 0f1dfb6cd7e0291163acd1bfac59805c8383c458 Mon Sep 17 00:00:00 2001 
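Review bot: The added logout branch builds an absolute URL from `request.host_url`, which is derived from the request's Host header and already ends in `/`, so the result contains `//yunohost/sso/` and its target depends on a client-influenced value. A relative redirect, `return redirect('/yunohost/sso/?action=logout')`, avoids both problems. The branch is keyed on `constants.LOGIN_LDAP` rather than on whether reverse-proxy header login is enabled, so a comment explaining that pairing would help the next maintainer. The same lines are added again in conf/main-web.py.patch later in the series.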
From: Krakinou Date: Sat, 5 Aug 2023 12:33:12 +0200 Subject: [PATCH 5/9] Add SSO --- conf/main-web.py.patch | 15 +++++++++++++++ conf/web.py.revert.patch | 15 +++++++++++++++ doc/ADMIN_fr.md | 1 - doc/PRE_INSTALL.md | 2 ++ doc/PRE_INSTALL_fr.md | 4 +++- hooks/post_app_addaccess | 6 ++++-- hooks/post_app_removeaccess | 6 ++++-- scripts/install | 7 +++++-- scripts/upgrade | 4 ++++ sources/patches/main-web.py.patch | 5 +++-- 10 files changed, 55 insertions(+), 10 deletions(-) create mode 100644 conf/main-web.py.patch create mode 100644 conf/web.py.revert.patch diff --git a/conf/main-web.py.patch b/conf/main-web.py.patch new file mode 100644 index 0000000..bf0c4ec --- /dev/null +++ b/conf/main-web.py.patch @@ -0,0 +1,15 @@ +--- a/cps/web.py 2023-03-27 19:49:57.000000000 +0200 ++++ b/cps/web.py 2023-08-05 11:58:20.353503437 +0200 +@@ -1411,7 +1411,11 @@ + if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3): + logout_oauth_user() + log.debug("User logged out") +- return redirect(url_for('web.login')) ++# return redirect(url_for('web.login')) ++ if config.config_login_type == constants.LOGIN_LDAP: ++ return redirect(request.host_url + '/yunohost/sso/?action=logout') ++ else: ++ return redirect(url_for('web.login')) + + + # ################################### Users own configuration ######################################################### diff --git a/conf/web.py.revert.patch b/conf/web.py.revert.patch new file mode 100644 index 0000000..e5da349 --- /dev/null +++ b/conf/web.py.revert.patch 
@@ -0,0 +1,15 @@ +--- ./web.py 2023-08-05 11:58:20.353503437 +0200 ++++ ./web.py 2023-03-27 19:49:57.000000000 +0200 +@@ -1411,11 +1411,7 @@ + if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3): + logout_oauth_user() + log.debug("User logged out") +-# return redirect(url_for('web.login')) +- if config.config_login_type == constants.LOGIN_LDAP: +- return redirect(request.host_url + '/yunohost/sso/?action=logout') +- else: +- return redirect(url_for('web.login')) ++ return redirect(url_for('web.login')) + + + # ################################### Users own configuration ######################################################### diff --git a/doc/ADMIN_fr.md b/doc/ADMIN_fr.md index 28bf475..7532dc0 100644 --- a/doc/ADMIN_fr.md +++ b/doc/ADMIN_fr.md @@ -1,5 +1,4 @@ - ### Gestion de la bibliothèque * Par défaut, le processus de backup de Yunohost **archivera** la bibliothèque Calibreweb. diff --git a/doc/PRE_INSTALL.md b/doc/PRE_INSTALL.md index 02ff235..e8370a2 100644 --- a/doc/PRE_INSTALL.md +++ b/doc/PRE_INSTALL.md @@ -1,3 +1,5 @@ If calibreweb library is set as a public library, it will be placed in `/home/yunohost.multimedia/share/eBook` If not, it will be set in `/home/yunohost.multimedia/[admin]/eBook` folder. Library folder can always be changed manually in the application settings by the administrator. + +If you grant access to visitors (The application is publicly accessible on the Internet), SSO will be deactivated for security reasons. \ No newline at end of file diff --git a/doc/PRE_INSTALL_fr.md b/doc/PRE_INSTALL_fr.md index 440d01c..c54049a 100644 --- a/doc/PRE_INSTALL_fr.md +++ b/doc/PRE_INSTALL_fr.md 
@@ -1,3 +1,5 @@ Si la bibliothèque Calibreweb est paramétrée comme une bilbiothèque publique, elle sera placée dans `/home/yunohost.multimedia/share/eBook`. Si non, elle sera placée dans `/home/yunohost.multimedia/[admin]/eBook`. -Le répertoire de la bibliothèque peut ensuite être déplacé directement dans l'application par l'administrateur. \ No newline at end of file +Le répertoire de la bibliothèque peut ensuite être déplacé directement dans l'application par l'administrateur. + +Si vous accorder l'accès à l'application aux visiteurs (l'application est publiquement accessible sur internet), le sso sera désactivé pour des raisons de sécurité. \ No newline at end of file diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess index cdc8ca3..08f2736 100644 --- a/hooks/post_app_addaccess +++ b/hooks/post_app_addaccess @@ -31,6 +31,8 @@ if echo "$group" | grep visitors ; then #Update settings in calibre database sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID=1;" -# ynh_print_info --message="Restarting Calibre-web to take new parameters into account -# ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30 + #remove logout from web.py + patch -u /$install_dir/cps/web.py -i /etc/yunohost/apps/$app/conf/web.py.revert.patch + ynh_print_info --message="Restarting Calibre-web to take new parameters into account" + ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30 fi \ No newline at end of file diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess index 0e4383b..d0d14e9 100644 --- a/hooks/post_app_removeaccess +++ b/hooks/post_app_removeaccess 
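Review bot: `patch -u /$install_dir/cps/web.py -i …/web.py.revert.patch` runs every time the hook fires, with no check that web.py is currently in the patched state and no check of the exit status. On a second run, or after an upgrade that already reverted the file, patch detects a reversed or previously applied patch and either asks for confirmation or fails and leaves reject files, yet the service is restarted regardless. Probe first with `patch --dry-run`, or apply with `-N` and handle a non-zero status explicitly. The same applies to the post_app_removeaccess hunk of this commit and to the `patch` calls added to scripts/install and scripts/upgrade in the following commits; the leading `/` before `$install_dir` is redundant and the variable should be quoted.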
@@ -31,6 +31,8 @@ if echo "$group" | grep visitors; then #Update settings in calibre database sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;" -# ynh_print_info --message="Restarting Calibre-web to take new parameters into account -# ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30 + #reinstate logout from web.py + patch -u /$install_dir/cps/web.py -i /etc/yunohost/apps/$app/conf/main-web.py.patch + ynh_print_info --message="Restarting Calibre-web to take new parameters into account" + ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30 fi diff --git a/scripts/install b/scripts/install index b663706..fcaa3b0 100755 --- a/scripts/install +++ b/scripts/install @@ -87,14 +87,15 @@ ynh_app_setting_set $app calibre_dir $calibre_dir #================================================= # NGINX CONFIGURATION #================================================= -#Cannot use empty string for X-script-name, causes an issue in the python prg ynh_script_progression --message="Setting up system configuration..." --weight=5 - +#Cannot use empty string for X-script-name, causes an issue in the python prg +#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#nginx if [ $path = "/" ] ; then ynh_replace_string " proxy_set_header X-Script-Name" "# proxy_set_header X-Script-Name" ../conf/nginx.conf fi +# if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \ --replace_string="# proxy_set_header X-Remote-User" \ 
@@ -170,6 +171,8 @@ ynh_add_fail2ban_config --logpath="$log_file" --failregex="^.*LDAP Login failed ynh_script_progression --message="Start $app..." --weight=5 ynh_systemd_action --service_name=$app --action="start" --line_match="Starting Gevent server on" -t 30 +#Setting the proxy authentication in case calibre is not open to visitor. +#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#login-via-header-from-upstream-authentication-source #We need to update the sso login parameter, but for that the app needs to have run at least once to initialize the tables. if [ ! $(ynh_permission_has_user --permission=main --user=visitors) ]; then ynh_systemd_action --service_name=$app --action="stop" diff --git a/scripts/upgrade b/scripts/upgrade index f027ae8..13a6aa6 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -103,10 +103,14 @@ fi #================================================= ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=5 +#Cannot use empty string for X-script-name, causes an issue in the python prg +#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#nginx if [ $path = "/" ] ; then ynh_replace_string " proxy_set_header X-Script-Name" "# proxy_set_header X-Script-Name" ../conf/nginx.conf fi +#Setting the proxy authentication in case calibre is not open to visitor. +#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#login-via-header-from-upstream-authentication-source if [ ynh_permission_has_user --permission=main --user=visitors ]; then sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID)1;" ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \ diff --git a/sources/patches/main-web.py.patch b/sources/patches/main-web.py.patch index 3386aba..bf0c4ec 100644 --- a/sources/patches/main-web.py.patch +++ b/sources/patches/main-web.py.patch @@ -1,10 +1,11 @@ 
--- a/cps/web.py 2023-03-27 19:49:57.000000000 +0200 -+++ b/cps/web.py 2023-08-05 11:05:36.703730438 +0200 -@@ -1411,7 +1411,10 @@ ++++ b/cps/web.py 2023-08-05 11:58:20.353503437 +0200 +@@ -1411,7 +1411,11 @@ if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3): logout_oauth_user() log.debug("User logged out") - return redirect(url_for('web.login')) ++# return redirect(url_for('web.login')) + if config.config_login_type == constants.LOGIN_LDAP: + return redirect(request.host_url + '/yunohost/sso/?action=logout') + else: From 0d92ad63ddf9a66e274be25d6c35be1f0d1a6fcf Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sat, 5 Aug 2023 12:41:05 +0200 Subject: [PATCH 6/9] patch web.py for visitors --- scripts/install | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/install b/scripts/install index fcaa3b0..71428ad 100755 --- a/scripts/install +++ b/scripts/install @@ -36,6 +36,9 @@ ynh_add_config --template="../sources/patches/main-constants.py.patch.src" --des # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" +# Remove the patch for web.py in case visitor are allowed +patch -u /$install_dir/cps/web.py -i ../conf/web.py.revert.patch + #install kepubify converter ynh_script_progression --message="Installing kepubify..." --weight=1 ynh_setup_source --dest_dir="/opt/kepubify" --source_id="kepubify" From 7a69b41542d5ed76f035a86325d73122c70a03a8 Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sat, 5 Aug 2023 12:44:13 +0200 Subject: [PATCH 7/9] patch web.py --- scripts/install | 4 +++- scripts/upgrade | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index 71428ad..d1f349e 100755 --- a/scripts/install +++ b/scripts/install 
@@ -37,7 +37,9 @@ ynh_add_config --template="../sources/patches/main-constants.py.patch.src" --des ynh_setup_source --dest_dir="$install_dir" # Remove the patch for web.py in case visitor are allowed -patch -u /$install_dir/cps/web.py -i ../conf/web.py.revert.patch +if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then + patch -u /$install_dir/cps/web.py -i ../conf/web.py.revert.patch +fi #install kepubify converter ynh_script_progression --message="Installing kepubify..." --weight=1 diff --git a/scripts/upgrade b/scripts/upgrade index 13a6aa6..eb88a01 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -96,6 +96,12 @@ then # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" chown -R $app: $install_dir + + # Remove the patch for web.py in case visitor are allowed + if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then + patch -u /$install_dir/cps/web.py -i ../conf/web.py.revert.patch + fi + fi #================================================= From d4bac0470d705abe6e1d1778b920dad1d143f69a Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sat, 5 Aug 2023 13:45:02 +0200 Subject: [PATCH 8/9] fix if statements --- hooks/post_app_addaccess | 2 +- hooks/post_app_removeaccess | 2 +- scripts/install | 6 +++--- scripts/upgrade | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess index 08f2736..15e6ef2 100644 --- a/hooks/post_app_addaccess +++ b/hooks/post_app_addaccess @@ -8,7 +8,7 @@ permission=$3 group=$4 #Visitor group has been revomed => app is public -if echo "$group" | grep visitors ; then +if [ $(echo "$group" | grep visitors) ] && [ $permission = "main" ]; then #loading settings from the app domain=$(ynh_app_setting_get --app=$app --key=domain) diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess index d0d14e9..e80fea7 100644 --- a/hooks/post_app_removeaccess 
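Review bot: The new condition in post_app_addaccess, `[ $(echo "$group" | grep visitors) ] && [ $permission = "main" ]`, tests unquoted expansions: if the matching line contains whitespace `[` receives several words and errors, and an empty `$permission` reduces the second test to `[ = "main" ]`. `grep visitors` is also a substring match, so any group whose name merely contains `visitors` triggers the SSO toggle. Test the exit status and quote instead, e.g. `if printf '%s\n' "$group" | grep -qw visitors && [ "$permission" = "main" ]; then`. The post_app_removeaccess hunk of this commit has the same line, and the `#Visitor group has been revomed` comment above it should say added in the add hook.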
+++ b/hooks/post_app_removeaccess @@ -8,7 +8,7 @@ permission=$3 group=$4 #Visitor group has been revomed => app is private -if echo "$group" | grep visitors; then +if [ $(echo "$group" | grep visitors) ] && [ $permission = "main" ]; then #loading settings from the app domain=$(ynh_app_setting_get --app=$app --key=domain) diff --git a/scripts/install b/scripts/install index d1f349e..68f5ab4 100755 --- a/scripts/install +++ b/scripts/install @@ -37,7 +37,7 @@ ynh_add_config --template="../sources/patches/main-constants.py.patch.src" --des ynh_setup_source --dest_dir="$install_dir" # Remove the patch for web.py in case visitor are allowed -if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then +if $(ynh_permission_has_user --permission=main --user=visitors); then patch -u /$install_dir/cps/web.py -i ../conf/web.py.revert.patch fi @@ -101,7 +101,7 @@ if [ $path = "/" ] ; then fi # -if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then +if $(ynh_permission_has_user --permission=main --user=visitors); then ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \ --replace_string="# proxy_set_header X-Remote-User" \ --target_file="../conf/nginx.conf" 
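Review bot: `if $(ynh_permission_has_user --permission=main --user=visitors); then` runs the helper inside a command substitution and then executes whatever it printed as a command, so it only behaves as intended while the helper prints nothing. Call it directly so the condition is just its exit status: `if ynh_permission_has_user --permission=main --user=visitors; then`, and `if ! ynh_permission_has_user …; then` for the negated case. This applies to all three scripts/install hunks and both scripts/upgrade hunks of this commit. Because this condition decides whether header-based login is enabled, a wrong branch here changes who can authenticate.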
@@ -179,7 +179,7 @@ ynh_systemd_action --service_name=$app --action="start" --line_match="Starting G #Setting the proxy authentication in case calibre is not open to visitor. #https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#login-via-header-from-upstream-authentication-source #We need to update the sso login parameter, but for that the app needs to have run at least once to initialize the tables. -if [ ! $(ynh_permission_has_user --permission=main --user=visitors) ]; then +if ! $(ynh_permission_has_user --permission=main --user=visitors); then ynh_systemd_action --service_name=$app --action="stop" sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;" ynh_systemd_action --service_name=$app --action="start" --line_match="Starting Gevent server on" diff --git a/scripts/upgrade b/scripts/upgrade index eb88a01..1ab7b25 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -98,7 +98,7 @@ then chown -R $app: $install_dir # Remove the patch for web.py in case visitor are allowed - if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then + if $(ynh_permission_has_user --permission=main --user=visitors); then patch -u /$install_dir/cps/web.py -i ../conf/web.py.revert.patch fi @@ -117,7 +117,7 @@ fi #Setting the proxy authentication in case calibre is not open to visitor. #https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#login-via-header-from-upstream-authentication-source -if [ ynh_permission_has_user --permission=main --user=visitors ]; then +if $(ynh_permission_has_user --permission=main --user=visitors); then sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID)1;" ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \ --replace_string="# proxy_set_header X-Remote-User" \ 
From 73f313389ff21d9da18b7c3cd0016e87b4f64d4e Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sat, 5 Aug 2023 14:06:45 +0200 Subject: [PATCH 9/9] typo in sqlite3 command --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 1ab7b25..5a1765c 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -118,7 +118,7 @@ fi #Setting the proxy authentication in case calibre is not open to visitor. #https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#login-via-header-from-upstream-authentication-source if $(ynh_permission_has_user --permission=main --user=visitors); then - sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID)1;" + sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID=1;" ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \ --replace_string="# proxy_set_header X-Remote-User" \ --target_file="../conf/nginx.conf"