Merge pull request #100 from YunoHost-Apps/testing

0.6.18
2024-09-03 18:16:20 +02:00 · 2022-04-20 07:37:18 +02:00 · 2022-04-20 07:37:18 +02:00 · 90a2a2adb8
commit 90a2a2adb8
parent 7581a4e1de b1b28860fc
12 changed files with 124 additions and 63 deletions
--- a/README.md
+++ b/README.md
@ -17,7 +17,7 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in

 Browsing, reading and downloading eBooks using a Calibre database

-**Shipped version:** 0.6.17
+**Shipped version:** 0.6.18



--- a/README_fr.md
+++ b/README_fr.md
@ -13,7 +13,7 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour

 Explorer, lire et télécharger des eBooks à partir d'une base de données Calibre

-**Version incluse :** 0.6.17
+**Version incluse :** 0.6.18



--- a/12
+++ b/12
@ -1,4 +1,4 @@
-;; Complete Test
+;; Complete Test 
 # First Run of complete test
 	; Manifest
 		domain="domain.tld"
@ -17,9 +17,7 @@
 		setup_public=1
 		upgrade=1
 #Last version
-		upgrade=1	from_commit=79c6c4ad03f62d2ed4f4180ac6b7dac1c117a62a
-#v0.6.6
-#		upgrade=1	from_commit=11f5b96df7d8850beff47f9904745fa53a6f7ed9
+		upgrade=1	from_commit=581a4e1de5caa7aa19a64f63348b174b7602753
 		backup_restore=1
 		multi_instance=1
 		port_already_use=1 (8083)
@ -27,8 +25,4 @@
 ;;; Options
 Email=nicolas@aubonalbanais.ovh
 Notification=none
-;;; Upgrade options
-	; commit=11f5b96df7d8850beff47f9904745fa53a6f7ed9
-		name=Version 0.96.0~ynh4
-		manifest_arg=domain=DOMAIN&path=PATH&admin=USER&password=pass&is_public=1&
-		
+		
--- a/conf/app.src
+++ b/conf/app.src
@ -1,3 +1,3 @@
-SOURCE_URL=https://github.com/janeczku/calibre-web/releases/download/0.6.17/calibre-web-0.6.17.zip
-SOURCE_SUM=3560aa9f793eead98d8df053963a569fbe08ace93418b6e8e70a2831a9314733
+SOURCE_URL=https://github.com/janeczku/calibre-web/releases/download/0.6.18/calibre-web-0.6.18.zip
+SOURCE_SUM=65a267fc44629f9373a391333154b277a3fb9124031c1e20cd1b3acac939c95a
 SOURCE_FORMAT=zip
--- a/conf/systemd.service
+++ b/conf/systemd.service
@ -7,7 +7,37 @@ Type=simple
 User=__APP__
 Group=__APP__
 WorkingDirectory=__FINALPATH__/
-ExecStart=/bin/sh -c '/usr/bin/python3 __FINALPATH__/cps.py'
+ExecStart=/bin/sh -c '__FINALPATH__/venv/bin/python3 __FINALPATH__/cps.py'
+
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
+ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 

 [Install]
 WantedBy=multi-user.target
--- a/manifest.json
+++ b/manifest.json
@ -6,10 +6,10 @@
        "en": "Browsing, reading and downloading eBooks using a Calibre database",
        "fr": "Explorer, lire et télécharger des eBooks à partir d'une base de données Calibre"
    },
-    "version": "0.96.17~ynh1",
+    "version": "0.96.18~ynh1",
    "url": "https://github.com/janeczku/calibre-web",
    "upstream": {
-        "version": "0.6.17",
+        "version": "0.6.18",
        "license": "GPL-3.0-only",
        "admindoc": "https://github.com/janeczku/calibre-web/wiki",
        "code": "https://github.com/janeczku/calibre-web"
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -1,6 +1,6 @@
 #!/bin/bash

-PKG_DEPENDENCIES="sqlite3 libldap2-dev libsasl2-dev python3-dev imagemagick python3-lxml libjpeg-dev zlib1g-dev libffi-dev"
+PKG_DEPENDENCIES="sqlite3 imagemagick libldap2-dev libsasl2-dev python3-venv python3-dev python3-lxml libjpeg-dev zlib1g-dev libffi-dev"
 #PKG_DEPENDENCIES="sqlite3 python3-pip imagemagick"

 DOSSIER_MEDIA=/home/yunohost.multimedia
--- a/scripts/install
+++ b/scripts/install
@ -92,6 +92,14 @@ ynh_add_config --template="../sources/patches/app-constants.py.patch.src" --dest
 # Download, check integrity, uncompress and patch the source from app.src
 ynh_setup_source "$final_path"

+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+ynh_script_progression --message="Configuring system user..." --weight=1
+# Create a system user
+ynh_system_user_create --username="$app" --home_dir="$final_path" --use_shell
+
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@ -99,15 +107,28 @@ ynh_setup_source "$final_path"
 ynh_script_progression --message="Installing package dependencies..." --weight=80
 ynh_install_app_dependencies $PKG_DEPENDENCIES

-#use latest version of pip as per documentation in https://github.com/pypa/get-pip
-#cannot use helper as maintaining the checksum would be a pain in the a***
-ynh_exec_quiet curl https://bootstrap.pypa.io/get-pip.py | python3
+#Use venv to install pip requirements - Inspired from https://github.com/YunoHost-Apps/pyinventory_ynh/blob/master/scripts/install
+ynh_script_progression --message="Installing pip requirements..." --weight=70
+# Always recreate everything fresh with current python version
+if [ -d "${final_path}/venv" ] ; then
+	ynh_secure_remove "${final_path}/venv"
+fi

-ynh_script_progression --message="Installing pip requirements..." --weight=40
-pip3 install --no-cache-dir --target $final_path/vendor -r $final_path/requirements.txt
+# Skip pip because of: https://github.com/YunoHost/issues/issues/1960
+python3 -m venv --without-pip "${final_path}/venv"
+chown -R "$app:" "$final_path"
+
+#run source in a 'sub shell'
+(
+	set +o nounset
+	source "${final_path}/venv/bin/activate"
+	set -o nounset
+	ynh_exec_as $app $final_path/venv/bin/python3 -m ensurepip
+	ynh_exec_as $app $final_path/venv/bin/pip3 install --upgrade wheel pip setuptools
+	ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/requirements.txt"
+	ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/optional-requirements.txt"
+)

-ynh_script_progression --message="Installing pip additionnal requirements..." --weight=40
-pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r $final_path/optional-requirements.txt

 #=================================================
 # NGINX CONFIGURATION
@ -123,15 +144,6 @@ fi
 # Create a dedicated nginx config
 ynh_add_nginx_config

-#=================================================
-# CREATE DEDICATED USER
-#=================================================
-
-# Create a system user
-ynh_system_user_create $app
-
-chown -R $app: $final_path
-chmod 740 $final_path

 #=================================================
 # SETUP SYSTEMD
@ -195,6 +207,16 @@ ynh_replace_string --match_string="<policy domain="coder" rights="none" pattern=

 yunohost service add $app --description="Browse eBook in the web" --log="/var/log/$app/$app.log"

+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+# SECURE FILES AND DIRECTORIES
+#=================================================
+
+chown -R $app: $final_path
+chmod 740 $final_path
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
--- a/scripts/remove
+++ b/scripts/remove
@ -49,7 +49,7 @@ ynh_remove_systemd_config
 #=================================================

 # Remove metapackage and its dependencies
-ynh_script_progression --message="Removing Dependencies..." --weight=5
+ynh_script_progression --message="Removing Dependencies..." --weight=25
 ynh_remove_app_dependencies


--- a/scripts/restore
+++ b/scripts/restore
@ -85,13 +85,6 @@ chmod 740 $final_path
 ynh_script_progression --message="Reinstalling dependencies..." --weight=15
 ynh_install_app_dependencies $PKG_DEPENDENCIES

-#use latest version of pip as per documentation in https://github.com/pypa/get-pip
-#cannot use helper as maintaining the checksum would be a pain in the a***
-curl https://bootstrap.pypa.io/get-pip.py | python3
-
-#pip package not required as already in app directory
-#pip install --target $final_path/vendor -r $final_path/requirements.txt
-
 #=================================================
 # RESTORE SYSTEMD
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -159,6 +159,17 @@ fi
 # Create a dedicated nginx config
 ynh_add_nginx_config

+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+
+# Create a dedicated user (if not existing)
+ynh_script_progression --message="Making sure dedicated system user exists..." --weight=1
+ynh_system_user_create --username="$app" --home_dir="$final_path" --use_shell
+# Set permissions on app files (required to be able to update database)
+chown -R $app: $final_path
+
+
 #=================================================
 # UPGRADE DEPENDENCIES
 #=================================================
@ -168,26 +179,30 @@ then
 	ynh_script_progression --message="Installing package dependencies..." --weight=15
 	ynh_install_app_dependencies $PKG_DEPENDENCIES
 	
-	#use latest version of pip as per documentation in https://github.com/pypa/get-pip
-	#cannot use helper as maintaining the checksum would be a pain in the a***
-	ynh_exec_quiet curl https://bootstrap.pypa.io/get-pip.py | python3
+	#Use venv to install pip requirements - Inspired from https://github.com/YunoHost-Apps/pyinventory_ynh/blob/master/scripts/install
+	ynh_script_progression --message="Installing pip requirements..." --weight=70
+	# Always recreate everything fresh with current python version
+	if [ -d "${final_path}/venv" ] ; then
+		ynh_secure_remove "${final_path}/venv"
+	fi

-	ynh_script_progression --message="Installing pip requirements ..." --weight=30
-	pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r $final_path/requirements.txt

-	ynh_script_progression --message="Installing pip additionnal requirements..." --weight=40
-	pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r $final_path/optional-requirements.txt
+	# Skip pip because of: https://github.com/YunoHost/issues/issues/1960
+	python3 -m venv --without-pip "${final_path}/venv"
+	chown -R "$app:" "$final_path"
+
+	#run source in a 'sub shell'
+	(
+		set +o nounset
+		source "${final_path}/venv/bin/activate"
+		set -o nounset
+		ynh_exec_as $app $final_path/venv/bin/python3 -m ensurepip
+		ynh_exec_as $app $final_path/venv/bin/pip3 install --upgrade wheel pip setuptools
+		ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/requirements.txt"
+		ynh_exec_as $app $final_path/venv/bin/pip3 install --no-cache-dir --upgrade --target $final_path/vendor -r "$final_path/optional-requirements.txt"
+	)
 fi
-#=================================================
-# CREATE DEDICATED USER
-#=================================================

-# Create a dedicated user (if not existing)
-ynh_script_progression --message="Making sure dedicated system user exists..." --weight=1
-ynh_system_user_create $app
-
-# Set permissions on app files (required to be able to update database)
-chown -R $app: $final_path

 #=================================================
 # SPECIFIC UPGRADE
--- a/sources/patches/app-optional-requirements.txt.patch
+++ b/sources/patches/app-optional-requirements.txt.patch
@ -1,8 +1,8 @@
--- a/optional-requirements.txt	2022-03-06 16:10:41.000000000 +0100
-+++ b/optional-requirements.txt	2022-03-08 21:08:06.964027001 +0100
+--- a/optional-requirements.txt	2022-04-03 20:17:34.000000000 +0200
+++ b/optional-requirements.txt	2022-04-18 12:10:55.761291352 +0200
@@ -1,19 +1,5 @@
 # GDrive Integration
-google-api-python-client>=1.7.11,<2.37.0
+-google-api-python-client>=1.7.11,<2.43.0
 gevent>20.6.0,<22.0.0
 -greenlet>=0.4.17,<1.2.0
 -httplib2>=0.9.2,<0.21.0
@ -15,8 +15,8 @@
 -rsa>=3.4.2,<4.9.0
 -
 -# Gmail
-google-auth-oauthlib>=0.4.3,<0.5.0
-google-api-python-client>=1.7.11,<2.37.0
+-google-auth-oauthlib>=0.4.3,<0.6.0
+-google-api-python-client>=1.7.11,<2.43.0
 
 # goodreads
 goodreads>=0.3.2,<0.4.0
@ -30,4 +30,11 @@
 -
 # metadata extraction
 rarfile>=3.2
- scholarly>=1.2.0,<1.6
+ scholarly>=1.2.0,<1.7
+@@ -42,3 +24,6 @@
+ 
+ # Kobo integration
+ jsonschema>=3.2.0,<4.5.0
+
+#readded to avoid 2.2 from dependencies
+werkzeug<2.1.0