Merge pull request #129 from YunoHost-Apps/add_sso_v2

Add sso v2
2024-09-03 18:16:20 +02:00 · 2023-08-05 14:19:13 +02:00 · 2023-08-05 14:19:13 +02:00 · 0692d01948
commit 0692d01948
parent 7f6020a30c 73f313389f
12 changed files with 176 additions and 9 deletions
--- a/conf/main-web.py.patch
+++ b/conf/main-web.py.patch
@ -0,0 +1,15 @@
+--- a/cps/web.py	2023-03-27 19:49:57.000000000 +0200
+++ b/cps/web.py	2023-08-05 11:58:20.353503437 +0200
+@@ -1411,7 +1411,11 @@
+         if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3):
+             logout_oauth_user()
+     log.debug("User logged out")
+-    return redirect(url_for('web.login'))
+#    return redirect(url_for('web.login'))
+    if config.config_login_type == constants.LOGIN_LDAP:
+        return redirect(request.host_url + '/yunohost/sso/?action=logout')
+    else:
+        return redirect(url_for('web.login'))
+ 
+ 
+ # ################################### Users own configuration #########################################################
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -15,7 +15,7 @@ location __PATH__ {
        proxy_set_header	X-Forwarded-For	$proxy_add_x_forwarded_for;
        proxy_set_header	X-Scheme				$scheme;
        proxy_set_header	X-Script-Name		__PATH__;
-#        proxy_set_header	X-Remote-User		$remote_user;
+        proxy_set_header	X-Remote-User		$remote_user;
        
  # Include SSOWAT user panel.
  include conf.d/yunohost_panel.conf.inc;
--- a/conf/web.py.revert.patch
+++ b/conf/web.py.revert.patch
@ -0,0 +1,15 @@
+--- ./web.py	2023-08-05 11:58:20.353503437 +0200
+++ ./web.py	2023-03-27 19:49:57.000000000 +0200
+@@ -1411,11 +1411,7 @@
+         if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3):
+             logout_oauth_user()
+     log.debug("User logged out")
+-#    return redirect(url_for('web.login'))
+-    if config.config_login_type == constants.LOGIN_LDAP:
+-        return redirect(request.host_url + '/yunohost/sso/?action=logout')
+-    else:
+-        return redirect(url_for('web.login'))
+    return redirect(url_for('web.login'))
+ 
+ 
+ # ################################### Users own configuration #########################################################
--- a/doc/ADMIN_fr.md
+++ b/doc/ADMIN_fr.md
@ -1,5 +1,4 @@

-
 ### Gestion de la bibliothèque

 * Par défaut, le processus de backup de Yunohost **archivera** la bibliothèque Calibreweb.
--- a/doc/PRE_INSTALL.md
+++ b/doc/PRE_INSTALL.md
@ -1,3 +1,5 @@
 If calibreweb library is set as a public library, it will be placed in `/home/yunohost.multimedia/share/eBook`  
 If not, it will be set in `/home/yunohost.multimedia/[admin]/eBook` folder.
 Library folder can always be changed manually in the application settings by the administrator.
+
+If you grant access to visitors (The application is publicly accessible on the Internet), SSO will be deactivated for security reasons.
--- a/doc/PRE_INSTALL_fr.md
+++ b/doc/PRE_INSTALL_fr.md
@ -1,3 +1,5 @@
 Si la bibliothèque Calibreweb est paramétrée comme une bilbiothèque publique, elle sera placée dans `/home/yunohost.multimedia/share/eBook`.
 Si non, elle sera placée dans `/home/yunohost.multimedia/[admin]/eBook`.
 Le répertoire de la bibliothèque peut ensuite être déplacé directement dans l'application par l'administrateur.
+
+Si vous accorder l'accès à l'application aux visiteurs (l'application est publiquement accessible sur internet), le sso sera désactivé pour des raisons de sécurité.
--- a/hooks/post_app_addaccess
+++ b/hooks/post_app_addaccess
@ -0,0 +1,38 @@
+#!/bin/bash
+# Source YunoHost helpers
+source /usr/share/yunohost/helpers
+
+app=$1
+users=$2
+permission=$3
+group=$4
+
+#Visitor group has been revomed => app is public
+if [ $(echo "$group" | grep visitors) ] && [ $permission = "main" ]; then
+
+	#loading settings from the app
+	domain=$(ynh_app_setting_get --app=$app --key=domain)
+	path=$(ynh_app_setting_get --app=$app --key=path)
+	port=$(ynh_app_setting_get --app=$app --key=port)
+	install_dir=$(ynh_app_setting_get --app=$app --key=install_dir)
+
+	#otherwise ynh_add_config complain about manifest
+	touch ../manifest.toml
+
+	#reset a new conf file and move it to nginx
+	ynh_replace_string --match_string="        proxy_set_header	X-Remote-User" \
+	                   --replace_string="#       proxy_set_header	X-Remote-User" \
+	                   --target_file="/etc/yunohost/apps/$app/conf/nginx.conf"
+	ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" \
+	               --destination="/etc/nginx/conf.d/$domain.d/$app.conf"
+	ynh_systemd_action --service_name=nginx --action=reload
+
+	rm ../manifest.toml
+
+	#Update settings in calibre database
+	sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID=1;"
+	#remove logout from web.py
+	patch -u /$install_dir/cps/web.py -i /etc/yunohost/apps/$app/conf/web.py.revert.patch
+	ynh_print_info --message="Restarting Calibre-web to take new parameters into account"
+	ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30
+fi
--- a/hooks/post_app_removeaccess
+++ b/hooks/post_app_removeaccess
@ -0,0 +1,38 @@
+#!/bin/bash
+# Source YunoHost helpers
+source /usr/share/yunohost/helpers
+
+app=$1
+users=$2
+permission=$3
+group=$4
+
+#Visitor group has been revomed => app is private
+if [ $(echo "$group" | grep visitors) ] && [ $permission = "main" ]; then
+
+	#loading settings from the app
+	domain=$(ynh_app_setting_get --app=$app --key=domain)
+	path=$(ynh_app_setting_get --app=$app --key=path)
+	port=$(ynh_app_setting_get --app=$app --key=port)
+	install_dir=$(ynh_app_setting_get --app=$app --key=install_dir)
+
+	#otherwise ynh_add_config complain about manifest
+	touch ../manifest.toml
+
+	#reset a new conf file and move it to nginx
+	ynh_replace_string --match_string="#       proxy_set_header	X-Remote-User" \
+                       --replace_string="        proxy_set_header	X-Remote-User" \
+                       --target_file="/etc/yunohost/apps/$app/conf/nginx.conf"
+	ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" \
+	               --destination="/etc/nginx/conf.d/$domain.d/$app.conf"
+	ynh_systemd_action --service_name=nginx --action=reload
+
+	rm ../manifest.toml
+
+	#Update settings in calibre database
+	sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;"
+	#reinstate logout from web.py
+	patch -u /$install_dir/cps/web.py -i /etc/yunohost/apps/$app/conf/main-web.py.patch
+	ynh_print_info --message="Restarting Calibre-web to take new parameters into account"
+	ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30
+fi
--- a/hooks/post_user_delete
+++ b/hooks/post_user_delete
@ -8,7 +8,7 @@ app=${app:3}
 source /etc/yunohost/apps/$app/scripts/_common.sh

 username=$1
-final_path=$(ynh_app_setting_get $app final_path)
+install_dir=$(ynh_app_setting_get $app install_dir)
 del_tables_user="book_read_link remote_auth_token downloads shelf bookmark"
 del_tables_shelf="book_shelf_link"

@ -16,12 +16,12 @@ del_id() {
        #$1=table
        #$2=id_type
        #$3=id
-        sqlite3 $final_path/app.db "DELETE FROM $1 WHERE $2='$3'" 
+        sqlite3 $install_dir/app.db "DELETE FROM $1 WHERE $2='$3'" 
 }


-user_id=$(sqlite3 $final_path/app.db "SELECT id from user WHERE nickname='$username'")
-shelf_id=$(sqlite3 $final_path/app.db "SELECT id from shelf WHERE user_id='$user_id'")
+user_id=$(sqlite3 $install_dir/app.db "SELECT id from user WHERE nickname='$username'")
+shelf_id=$(sqlite3 $install_dir/app.db "SELECT id from shelf WHERE user_id='$user_id'")

 #Delete all entry with dependencies for user
 #pas de check sur l'existence de l'utilisateur car fonctionne sans
--- a/scripts/install
+++ b/scripts/install
@ -36,6 +36,11 @@ ynh_add_config --template="../sources/patches/main-constants.py.patch.src" --des
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source --dest_dir="$install_dir"

+# Remove the patch for web.py in case visitor are allowed
+if $(ynh_permission_has_user --permission=main --user=visitors); then
+	patch -u /$install_dir/cps/web.py -i ../conf/web.py.revert.patch
+fi
+
 #install kepubify converter
 ynh_script_progression --message="Installing kepubify..." --weight=1
 ynh_setup_source --dest_dir="/opt/kepubify" --source_id="kepubify"
@ -87,14 +92,21 @@ ynh_app_setting_set $app calibre_dir $calibre_dir
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
-#Cannot use empty string for X-script-name, causes an issue in the python prg
 ynh_script_progression --message="Setting up system configuration..." --weight=5

-
+#Cannot use empty string for X-script-name, causes an issue in the python prg
+#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#nginx
 if [ $path = "/" ] ; then
 	ynh_replace_string "        proxy_set_header	X-Script-Name" "#        proxy_set_header	X-Script-Name" ../conf/nginx.conf
 fi

+#
+if $(ynh_permission_has_user --permission=main --user=visitors); then
+	ynh_replace_string --match_string="        proxy_set_header	X-Remote-User" \
+	                   --replace_string="#       proxy_set_header	X-Remote-User" \
+	                   --target_file="../conf/nginx.conf"
+fi
+
 # Create a dedicated nginx config
 ynh_add_nginx_config

@ -123,6 +135,8 @@ ynh_replace_string --match_string="<policy domain="coder" rights="none" pattern=
 		--replace_string="<policy domain="coder" rights="read" pattern="PDF" />" \
 		--target_file="/etc/ImageMagick-6/policy.xml"

+
+
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
@ -162,6 +176,15 @@ ynh_add_fail2ban_config --logpath="$log_file" --failregex="^.*LDAP Login failed
 ynh_script_progression --message="Start $app..." --weight=5
 ynh_systemd_action --service_name=$app --action="start" --line_match="Starting Gevent server on" -t 30

+#Setting the proxy authentication in case calibre is not open to visitor. 
+#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#login-via-header-from-upstream-authentication-source
+#We need to update the sso login parameter, but for that the app needs to have run at least once to initialize the tables.
+if ! $(ynh_permission_has_user --permission=main --user=visitors); then
+	ynh_systemd_action --service_name=$app --action="stop"
+	sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;"
+	ynh_systemd_action --service_name=$app --action="start" --line_match="Starting Gevent server on"
+fi
+
 #=================================================
 # END OF SCRIPT
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -93,6 +93,12 @@ then
 	# Download, check integrity, uncompress and patch the source from app.src
 	ynh_setup_source --dest_dir="$install_dir"
 	chown -R $app: $install_dir
+	
+	# Remove the patch for web.py in case visitor are allowed
+	if $(ynh_permission_has_user --permission=main --user=visitors); then
+		patch -u /$install_dir/cps/web.py -i ../conf/web.py.revert.patch
+	fi
+	
 fi

 #=================================================
@ -100,9 +106,23 @@ fi
 #=================================================

 ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=5
+#Cannot use empty string for X-script-name, causes an issue in the python prg
+#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#nginx
 if [ $path = "/" ] ; then
 	ynh_replace_string "        proxy_set_header	X-Script-Name" "#       proxy_set_header	X-Script-Name" ../conf/nginx.conf
 fi
+
+#Setting the proxy authentication in case calibre is not open to visitor. 
+#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#login-via-header-from-upstream-authentication-source
+if $(ynh_permission_has_user --permission=main --user=visitors); then
+	sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID=1;"
+	ynh_replace_string --match_string="        proxy_set_header	X-Remote-User" \
+	                   --replace_string="#       proxy_set_header	X-Remote-User" \
+	                   --target_file="../conf/nginx.conf"
+else
+	sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;"
+fi
+
 # Create a dedicated nginx config
 ynh_add_nginx_config

--- a/sources/patches/main-web.py.patch
+++ b/sources/patches/main-web.py.patch
@ -0,0 +1,15 @@
+--- a/cps/web.py	2023-03-27 19:49:57.000000000 +0200
+++ b/cps/web.py	2023-08-05 11:58:20.353503437 +0200
+@@ -1411,7 +1411,11 @@
+         if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3):
+             logout_oauth_user()
+     log.debug("User logged out")
+-    return redirect(url_for('web.login'))
+#    return redirect(url_for('web.login'))
+    if config.config_login_type == constants.LOGIN_LDAP:
+        return redirect(request.host_url + '/yunohost/sso/?action=logout')
+    else:
+        return redirect(url_for('web.login'))
+ 
+ 
+ # ################################### Users own configuration #########################################################