From 0f1dfb6cd7e0291163acd1bfac59805c8383c458 Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Sat, 5 Aug 2023 12:33:12 +0200
Subject: [PATCH] Add SSO
---
conf/main-web.py.patch | 15 +++++++++++++++
conf/web.py.revert.patch | 15 +++++++++++++++
doc/ADMIN_fr.md | 1 -
doc/PRE_INSTALL.md | 2 ++
doc/PRE_INSTALL_fr.md | 4 +++-
hooks/post_app_addaccess | 6 ++++--
hooks/post_app_removeaccess | 6 ++++--
scripts/install | 7 +++++--
scripts/upgrade | 4 ++++
sources/patches/main-web.py.patch | 5 +++--
10 files changed, 55 insertions(+), 10 deletions(-)
create mode 100644 conf/main-web.py.patch
create mode 100644 conf/web.py.revert.patch
diff --git a/conf/main-web.py.patch b/conf/main-web.py.patch
new file mode 100644
index 0000000..bf0c4ec
--- /dev/null
+++ b/conf/main-web.py.patch
@@ -0,0 +1,15 @@
+--- a/cps/web.py 2023-03-27 19:49:57.000000000 +0200
++++ b/cps/web.py 2023-08-05 11:58:20.353503437 +0200
+@@ -1411,7 +1411,11 @@
+ if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3):
+ logout_oauth_user()
+ log.debug("User logged out")
+- return redirect(url_for('web.login'))
++# return redirect(url_for('web.login'))
++ if config.config_login_type == constants.LOGIN_LDAP:
++ return redirect(request.host_url + '/yunohost/sso/?action=logout')
++ else:
++ return redirect(url_for('web.login'))
+
+ # ################################### Users own configuration #########################################################
diff --git a/conf/web.py.revert.patch b/conf/web.py.revert.patch
new file mode 100644
index 0000000..e5da349
--- /dev/null
+++ b/conf/web.py.revert.patch
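Review bot: The redirect target in the added `if config.config_login_type == constants.LOGIN_LDAP:` branch is assembled from `request.host_url`, which Flask derives from the request's Host header (or X-Forwarded-Host when a proxy fix is active), so where the browser is sent after logout depends on a client-supplied value rather than on the app's own configuration; a path-only target, `return redirect('/yunohost/sso/?action=logout')`, keeps the browser on the origin it already used and removes that dependence. `request.host_url` also ends with a slash, so the concatenation yields `https://<host>//yunohost/sso/?action=logout` (constructed example); the path-only form fixes that as well. The commented-out `#        return redirect(url_for('web.login'))` kept above the new branch is dead text now that the `else` branch carries that return, and can go. This patch body is duplicated in sources/patches/main-web.py.patch and mirrored in conf/web.py.revert.patch, which the hooks apply with `patch -u`; a one-line note before the `---` header of each (patch ignores leading text) saying that the three files must stay in sync would save the next maintainer from editing only one of them.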
@@ -0,0 +1,15 @@
+--- ./web.py 2023-08-05 11:58:20.353503437 +0200
++++ ./web.py 2023-03-27 19:49:57.000000000 +0200
+@@ -1411,11 +1411,7 @@
+ if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3):
+ logout_oauth_user()
+ log.debug("User logged out")
+-# return redirect(url_for('web.login'))
+- if config.config_login_type == constants.LOGIN_LDAP:
+- return redirect(request.host_url + '/yunohost/sso/?action=logout')
+- else:
+- return redirect(url_for('web.login'))
++ return redirect(url_for('web.login'))
+
+ # ################################### Users own configuration #########################################################
diff --git a/doc/ADMIN_fr.md b/doc/ADMIN_fr.md
index 28bf475..7532dc0 100644
--- a/doc/ADMIN_fr.md
+++ b/doc/ADMIN_fr.md
@@ -1,5 +1,4 @@
-
### Gestion de la bibliothèque
* Par défaut, le processus de backup de Yunohost **archivera** la bibliothèque Calibreweb.
diff --git a/doc/PRE_INSTALL.md b/doc/PRE_INSTALL.md
index 02ff235..e8370a2 100644
--- a/doc/PRE_INSTALL.md
+++ b/doc/PRE_INSTALL.md
@@ -1,3 +1,5 @@
If calibreweb library is set as a public library, it will be placed in `/home/yunohost.multimedia/share/eBook`
If not, it will be set in `/home/yunohost.multimedia/[admin]/eBook` folder.
Library folder can always be changed manually in the application settings by the administrator.
+
+If you grant access to visitors (The application is publicly accessible on the Internet), SSO will be deactivated for security reasons.
\ No newline at end of file
diff --git a/doc/PRE_INSTALL_fr.md b/doc/PRE_INSTALL_fr.md
index 440d01c..c54049a 100644
--- a/doc/PRE_INSTALL_fr.md
+++ b/doc/PRE_INSTALL_fr.md
@@ -1,3 +1,5 @@
Si la bibliothèque Calibreweb est paramétrée comme une bilbiothèque publique, elle sera placée dans `/home/yunohost.multimedia/share/eBook`.
Si non, elle sera placée dans `/home/yunohost.multimedia/[admin]/eBook`.
-Le répertoire de la bibliothèque peut ensuite être déplacé directement dans l'application par l'administrateur.
\ No newline at end of file
+Le répertoire de la bibliothèque peut ensuite être déplacé directement dans l'application par l'administrateur.
+
+Si vous accorder l'accès à l'application aux visiteurs (l'application est publiquement accessible sur internet), le sso sera désactivé pour des raisons de sécurité.
\ No newline at end of file
diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess
index cdc8ca3..08f2736 100644
--- a/hooks/post_app_addaccess
+++ b/hooks/post_app_addaccess
@@ -31,6 +31,8 @@ if echo "$group" | grep visitors ; then
#Update settings in calibre database
sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID=1;"
-# ynh_print_info --message="Restarting Calibre-web to take new parameters into account
-# ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30
+ #remove logout from web.py
+ patch -u /$install_dir/cps/web.py -i /etc/yunohost/apps/$app/conf/web.py.revert.patch
+ ynh_print_info --message="Restarting Calibre-web to take new parameters into account"
+ ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30
fi
\ No newline at end of file
diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess
index 0e4383b..d0d14e9 100644
--- a/hooks/post_app_removeaccess
+++ b/hooks/post_app_removeaccess
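Review bot: The added `patch -u /$install_dir/cps/web.py -i /etc/yunohost/apps/$app/conf/web.py.revert.patch` neither guards against a second run nor checks its result: if the hook fires again for the visitors group (the `grep visitors` test in the hunk heading matches any permission of the app), `patch` sees an already-reverted file, asks its "Assume -R?" question, which a non-interactive hook answers with the default refusal, and leaves a `.rej` file while the `sqlite3` change two lines above has already been committed. `--forward` makes patch skip a previously applied patch without asking, and the status should at least be surfaced, e.g. `patch --forward -u "$install_dir/cps/web.py" -i "/etc/yunohost/apps/$app/conf/web.py.revert.patch" || ynh_print_warn --message="web.py logout patch not applied"`, so the database setting and the source cannot diverge silently. The leading slash in `/$install_dir` is also inconsistent with `$install_dir/app.db` on the line above and looks like a stray character. The mirrored line in hooks/post_app_removeaccess, which applies conf/main-web.py.patch, has the same three issues.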
@@ -31,6 +31,8 @@ if echo "$group" | grep visitors; then
#Update settings in calibre database
sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;"
-# ynh_print_info --message="Restarting Calibre-web to take new parameters into account
-# ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30
+ #reinstate logout from web.py
+ patch -u /$install_dir/cps/web.py -i /etc/yunohost/apps/$app/conf/main-web.py.patch
+ ynh_print_info --message="Restarting Calibre-web to take new parameters into account"
+ ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30
fi
diff --git a/scripts/install b/scripts/install
index b663706..fcaa3b0 100755
--- a/scripts/install
+++ b/scripts/install
@@ -87,14 +87,15 @@ ynh_app_setting_set $app calibre_dir $calibre_dir
#=================================================
# NGINX CONFIGURATION
#=================================================
-#Cannot use empty string for X-script-name, causes an issue in the python prg
ynh_script_progression --message="Setting up system configuration..." --weight=5
-
+#Cannot use empty string for X-script-name, causes an issue in the python prg
+#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#nginx
if [ $path = "/" ] ; then
ynh_replace_string " proxy_set_header X-Script-Name" "# proxy_set_header X-Script-Name" ../conf/nginx.conf
fi
+ # if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then
ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \
--replace_string="# proxy_set_header X-Remote-User" \
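Review bot: The restart added at the end of this hunk follows the `sqlite3` line that sets `config_allow_reverse_proxy_header_login=1`, i.e. it turns header-based login back on, but nothing in the hunk restores the `proxy_set_header X-Remote-User` line that scripts/install comments out of the nginx config when visitors have access; unless that is done earlier in the hook (lines 1–30 are outside this hunk), calibre-web would trust an X-Remote-User header that nginx no longer sets itself, and nginx forwards a client-supplied header of that name unchanged by default. The two settings should be switched together: re-enable the header line (the inverse of the `ynh_replace_string --match_string=" proxy_set_header X-Remote-User"` call in scripts/install) and reload nginx before the app restart, or, if that already happens elsewhere, add `# nginx X-Remote-User header is re-enabled in <where>` here so the pairing is visible. The `grep visitors` test in the hunk heading also matches any group or permission name containing that substring; `grep -qw visitors` is tighter.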
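Review bot: The test under the relocated comment, `# if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then` (commented out here, if I read the collapsed hunk correctly), and the live `if [ ! $(ynh_permission_has_user --permission=main --user=visitors) ]; then` in this script's second hunk at line 174 both examine the helper's standard output instead of its exit status; as far as I know `ynh_permission_has_user` prints nothing and reports through its exit code, so `[ $(…) ]` is always false and `[ ! $(…) ]` is always true, and the public/private branches that the new PRE_INSTALL text relies on are not actually selected by the visitors permission. The idiomatic forms are `if ynh_permission_has_user --permission=main --user=visitors; then` and `if ! ynh_permission_has_user --permission=main --user=visitors; then`. If the commented-out `if` is intentional, the `ynh_replace_string` call below it now comments out `proxy_set_header X-Remote-User` unconditionally, which deserves saying in the comment (`# X-Remote-User is never set by nginx here; header login is toggled in the database only`) rather than leaving a dead `if`. The enclosing block ends outside the hunk.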
@@ -170,6 +171,8 @@ ynh_add_fail2ban_config --logpath="$log_file" --failregex="^.*LDAP Login failed
ynh_script_progression --message="Start $app..." --weight=5
ynh_systemd_action --service_name=$app --action="start" --line_match="Starting Gevent server on" -t 30
+#Setting the proxy authentication in case calibre is not open to visitor.
+#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#login-via-header-from-upstream-authentication-source
#We need to update the sso login parameter, but for that the app needs to have run at least once to initialize the tables.
if [ ! $(ynh_permission_has_user --permission=main --user=visitors) ]; then
ynh_systemd_action --service_name=$app --action="stop"
diff --git a/scripts/upgrade b/scripts/upgrade
index f027ae8..13a6aa6 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -103,10 +103,14 @@ fi
#=================================================
ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=5
+#Cannot use empty string for X-script-name, causes an issue in the python prg
+#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#nginx
if [ $path = "/" ] ; then
ynh_replace_string " proxy_set_header X-Script-Name" "# proxy_set_header X-Script-Name" ../conf/nginx.conf
fi
+#Setting the proxy authentication in case calibre is not open to visitor.
+#https://github.com/janeczku/calibre-web/wiki/Setup-Reverse-Proxy#login-via-header-from-upstream-authentication-source
if [ ynh_permission_has_user --permission=main --user=visitors ]; then
sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID)1;"
ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \
diff --git a/sources/patches/main-web.py.patch b/sources/patches/main-web.py.patch
index 3386aba..bf0c4ec 100644
--- a/sources/patches/main-web.py.patch
+++ b/sources/patches/main-web.py.patch
@@ -1,10 +1,11 @@
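Review bot: Two defects sit on the lines directly under the new comments that now describe what this block is for: `if [ ynh_permission_has_user --permission=main --user=visitors ]; then` hands three words to `[`, which reports a usage error instead of running the helper, so the branch is never taken; and the `sqlite3` statement inside it ends in `WHERE ID)1;`, a typo for `WHERE ID=1;` that would make the statement fail the moment the branch did run. Both are context lines, but since the commit is documenting this block it is the natural place to fix them: `if ynh_permission_has_user --permission=main --user=visitors; then` and `... config_allow_reverse_proxy_header_login=0 WHERE ID=1;"`. As written, an upgrade of a publicly accessible instance never reaches the code that switches header login off and re-comments the nginx `X-Remote-User` line, contrary to what the added comment and the PRE_INSTALL text state. The `if` block's closing lines are outside the hunk.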
--- a/cps/web.py 2023-03-27 19:49:57.000000000 +0200
-+++ b/cps/web.py 2023-08-05 11:05:36.703730438 +0200
-@@ -1411,7 +1411,10 @@
++++ b/cps/web.py 2023-08-05 11:58:20.353503437 +0200
+@@ -1411,7 +1411,11 @@
if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3):
logout_oauth_user()
log.debug("User logged out")
- return redirect(url_for('web.login'))
++# return redirect(url_for('web.login'))
+ if config.config_login_type == constants.LOGIN_LDAP:
+ return redirect(request.host_url + '/yunohost/sso/?action=logout')
+ else: