From a15211390fe47f24d60c770c8778a104ddfc9937 Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Sat, 5 Aug 2023 11:09:56 +0200
Subject: [PATCH] Add SSO

---
 hooks/post_app_addaccess | 34 +++++++++++++++--------
 hooks/post_app_removeaccess | 46 +++++++++++++++++--------------
 hooks/post_user_delete | 8 +++---
 scripts/install | 15 ++++++++++
 scripts/upgrade | 10 +++++++
 sources/patches/main-web.py.patch | 14 ++++++++++
 6 files changed, 91 insertions(+), 36 deletions(-)
 create mode 100644 sources/patches/main-web.py.patch

diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess
index 8395394..f0dc07c 100644
--- a/hooks/post_app_addaccess
+++ b/hooks/post_app_addaccess
@@ -7,20 +7,30 @@ users=$2
 permission=$3
 group=$4
-#Si le groupe visitors a été affecté à calibreweb
+#Visitor group has been revomed => app is public
 if echo "$group" | grep visitors ; then
- if tail /etc/yunohost/apps/$app/conf/nginx.conf | grep " proxy_set_header X-Remote-User"; then
- domain=$(ynh_app_setting_get --app=$app --key=domain)
- path=$(ynh_app_setting_get --app=$app --key=path)
- port=$(ynh_app_setting_get --app=$app --key=port)
+ #loading settings from the app
+ domain=$(ynh_app_setting_get --app=$app --key=domain)
+ path=$(ynh_app_setting_get --app=$app --key=path)
+ port=$(ynh_app_setting_get --app=$app --key=port)
+ install_dir=$(ynh_app_setting_get --app=$app --key=install_dir)
- touch ../manifest.toml
+ #otherwise ynh_add_config complain about manifest
+ touch ../manifest.toml
- ynh_replace_string --match_string=" proxy_set_header X-Remote-User" --replace_string="# proxy_set_header X-Remote-User" --target_file="/etc/yunohost/apps/$app/conf/nginx.conf"
- ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" --destination="/etc/nginx/conf.d/$domain.d/$app.conf"
- ynh_systemd_action --service_name=nginx --action=reload
-
- rm ../manifest.toml
- fi
+ #reset a new conf file and move it to nginx
+ ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \
+ --replace_string="# proxy_set_header X-Remote-User" \
+ --target_file="/etc/yunohost/apps/$app/conf/nginx.conf"
+ ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" \
+ --destination="/etc/nginx/conf.d/$domain.d/$app.conf"
+ ynh_systemd_action --service_name=nginx --action=reload
+
+ rm ../manifest.toml
+
+ #Update settings in calibre database
+ sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID)1;"
+# ynh_print_info --message="Restarting Calibre-web to take new parameters into account
+# ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30
 fi
\ No newline at end of file
diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess
index 84170cf..0e4383b 100644
--- a/hooks/post_app_removeaccess
+++ b/hooks/post_app_removeaccess
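Review bot: The sqlite3 UPDATE near the end of the hunk ends in `WHERE ID)1;`, a syntax error, so the statement never runs and `config_allow_reverse_proxy_header_login` stays at 1 right after the same hook has commented `proxy_set_header X-Remote-User` out of the nginx config. Once nginx no longer sets that header it forwards whatever `X-Remote-User` the client sends, so any anonymous visitor of the now-public app can pick a calibre-web account simply by adding the header to a request, and with no exit-status check (and no `set -e` visible) the failure is silent. Fix the predicate and make a failure loud: `... WHERE ID=1;" || ynh_die --message="Could not disable header login for $app"`. Ordering matters as well: disable the flag and restart calibre-web (the restart below the UPDATE is commented out, and the running process does not seem to re-read this setting) before the nginx reload so there is no interval in which the header is trusted but not overwritten; keeping `proxy_set_header X-Remote-User` in the template unconditionally, set from a server-side value, would avoid the comment/uncomment dance entirely. The hook's preamble, where `$app` is derived, is above the hunk.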
@@ -7,24 +7,30 @@ users=$2
 permission=$3
 group=$4
+#Visitor group has been revomed => app is private
 if echo "$group" | grep visitors; then
- if tail /etc/yunohost/apps/$app/conf/nginx.conf | grep "# proxy_set_header X-Remote-User"; then
-
- domain = $(ynh_app_setting_get --app=$app --key=domain)
- path = $(ynh_app_setting_get --app=$app --key=path)
- port = $(ynh_app_setting_get --app=$app --key=port)
-
- touch ../manifest.toml
-
- ynh_replace_string --match_string="# proxy_set_header X-Remote-User" \
- --replace_string=" proxy_set_header X-Remote-User" \
- --target_file="/etc/yunohost/apps/$app/conf/nginx.conf"
-
- ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" \
- --destination="/etc/nginx/conf.d/$domain.d/$app.conf"
-
- ynh_systemd_action --service_name=nginx --action=reload
-
- rm ../manifest.toml
- fi
-fi
\ No newline at end of file
+
+ #loading settings from the app
+ domain=$(ynh_app_setting_get --app=$app --key=domain)
+ path=$(ynh_app_setting_get --app=$app --key=path)
+ port=$(ynh_app_setting_get --app=$app --key=port)
+ install_dir=$(ynh_app_setting_get --app=$app --key=install_dir)
+
+ #otherwise ynh_add_config complain about manifest
+ touch ../manifest.toml
+
+ #reset a new conf file and move it to nginx
+ ynh_replace_string --match_string="# proxy_set_header X-Remote-User" \
+ --replace_string=" proxy_set_header X-Remote-User" \
+ --target_file="/etc/yunohost/apps/$app/conf/nginx.conf"
+ ynh_add_config --template="/etc/yunohost/apps/$app/conf/nginx.conf" \
+ --destination="/etc/nginx/conf.d/$domain.d/$app.conf"
+ ynh_systemd_action --service_name=nginx --action=reload
+
+ rm ../manifest.toml
+
+ #Update settings in calibre database
+ sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;"
+# ynh_print_info --message="Restarting Calibre-web to take new parameters into account
+# ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30
+fi
diff --git a/hooks/post_user_delete b/hooks/post_user_delete
index 03d072a..ee058ff 100644
--- a/hooks/post_user_delete
+++ b/hooks/post_user_delete
@@ -8,7 +8,7 @@ app=${app:3}
 source /etc/yunohost/apps/$app/scripts/_common.sh
 username=$1
-final_path=$(ynh_app_setting_get $app final_path)
+install_dir=$(ynh_app_setting_get $app install_dir)
 del_tables_user="book_read_link remote_auth_token downloads shelf bookmark"
 del_tables_shelf="book_shelf_link"
@@ -16,12 +16,12 @@ del_id() {
 #$1=table
 #$2=id_type
 #$3=id
- sqlite3 $final_path/app.db "DELETE FROM $1 WHERE $2='$3'"
+ sqlite3 $install_dir/app.db "DELETE FROM $1 WHERE $2='$3'"
 }
-user_id=$(sqlite3 $final_path/app.db "SELECT id from user WHERE nickname='$username'")
-shelf_id=$(sqlite3 $final_path/app.db "SELECT id from shelf WHERE user_id='$user_id'")
+user_id=$(sqlite3 $install_dir/app.db "SELECT id from user WHERE nickname='$username'")
+shelf_id=$(sqlite3 $install_dir/app.db "SELECT id from shelf WHERE user_id='$user_id'")
 #Delete all entry with dependencies for user
 #pas de check sur l'existence de l'utilisateur car fonctionne sans
diff --git a/scripts/install b/scripts/install
index f70331b..b663706 100755
--- a/scripts/install
+++ b/scripts/install
@@ -95,6 +95,12 @@ if [ $path = "/" ] ; then
 ynh_replace_string " proxy_set_header X-Script-Name" "# proxy_set_header X-Script-Name" ../conf/nginx.conf
 fi
+if [ $(ynh_permission_has_user --permission=main --user=visitors) ]; then
+ ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \
+ --replace_string="# proxy_set_header X-Remote-User" \
+ --target_file="../conf/nginx.conf"
+fi
+
 # Create a dedicated nginx config
 ynh_add_nginx_config
@@ -123,6 +129,8 @@ ynh_replace_string --match_string="" \
 --target_file="/etc/ImageMagick-6/policy.xml"
+
+
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
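Review bot: The restart that would make calibre-web pick up the new `config_allow_reverse_proxy_header_login=1` is left commented out after the sqlite3 UPDATE, so once visitors are removed nginx starts sending `X-Remote-User` while the application, which appears to read this setting only at start-up, keeps ignoring it until something else restarts it — not a security hole, but SSO silently stays off. Either restore `ynh_systemd_action --service_name=$app --action=restart --line_match="Starting Gevent server on" -t 30` or leave a comment explaining why the restart is deliberately skipped. Separately, nothing in the hunk checks that the access change concerns this app: `$1` (the app, judging by `users=$2 permission=$3 group=$4`) is never compared with `$app`, so if that guard is not in the lines above the hunk, add `[ "$1" = "$app" ] || exit 0` before touching the nginx config and the database. The hook's preamble is above the hunk.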
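Review bot: The rewritten `del_id` and the `user_id`/`shelf_id` lines still build SQL by interpolating `$3`, `$username` and `$user_id` into the statement text, and `$install_dir` is unquoted. YunoHost restricts usernames, so nothing in the diff suggests a remote user can inject here, but a stray quote in any value would break or alter the statement; doubling single quotes is a one-line guard, e.g. `sqlite3 "$install_dir/app.db" "DELETE FROM $1 WHERE $2='${3//\'/\'\'}'"` and `nickname='${username//\'/\'\'}'` in the SELECT. The `del_id() {` line itself is outside the hunk.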
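Review bot: `if [ $(ynh_permission_has_user --permission=main --user=visitors) ]` never takes the branch: the helper reports through its exit status and prints nothing (its output goes to /dev/null in the YunoHost helpers, as far as I recall), so `[ ]` gets no operand and is always false, and `X-Remote-User` is never commented out even for a public install. Use the exit status directly: `if ynh_permission_has_user --permission=main --user=visitors; then`. Whether the `main` permission already exists at this point of install (the helper returns false if it does not) depends on code outside the hunk and is worth confirming.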
@@ -162,6 +170,13 @@ ynh_add_fail2ban_config --logpath="$log_file" --failregex="^.*LDAP Login failed
 ynh_script_progression --message="Start $app..." --weight=5
 ynh_systemd_action --service_name=$app --action="start" --line_match="Starting Gevent server on" -t 30
+#We need to update the sso login parameter, but for that the app needs to have run at least once to initialize the tables.
+if [ ! $(ynh_permission_has_user --permission=main --user=visitors) ]; then
+ ynh_systemd_action --service_name=$app --action="stop"
+ sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;"
+ ynh_systemd_action --service_name=$app --action="start" --line_match="Starting Gevent server on"
+fi
+
 #=================================================
 # END OF SCRIPT
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index e82ff81..f027ae8 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -106,6 +106,16 @@ ynh_script_progression --message="Upgrading nginx web server configuration..." -
 if [ $path = "/" ] ; then
 ynh_replace_string " proxy_set_header X-Script-Name" "# proxy_set_header X-Script-Name" ../conf/nginx.conf
 fi
+
+if [ ynh_permission_has_user --permission=main --user=visitors ]; then
+ sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='', config_allow_reverse_proxy_header_login=0 WHERE ID)1;"
+ ynh_replace_string --match_string=" proxy_set_header X-Remote-User" \
+ --replace_string="# proxy_set_header X-Remote-User" \
+ --target_file="../conf/nginx.conf"
+else
+ sqlite3 $install_dir/app.db "UPDATE settings SET config_reverse_proxy_login_header_name='X-Remote-User', config_allow_reverse_proxy_header_login=1 WHERE ID=1;"
+fi
+
 # Create a dedicated nginx config
 ynh_add_nginx_config
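Review bot: `if [ ! $(ynh_permission_has_user --permission=main --user=visitors) ]` is always true — the substitution expands to nothing, leaving `[ ! ]`, which tests the non-empty string `!` — so header login is enabled in app.db unconditionally, public install included. Negate the exit status instead: `if ! ynh_permission_has_user --permission=main --user=visitors; then`. This branch and the earlier nginx edit in the same script must agree, because a database with `config_allow_reverse_proxy_header_login=1` behind an nginx config that no longer sets `X-Remote-User` lets clients choose their own identity; the second `--action="start"` also drops the `-t 30` the first start uses.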
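Review bot: `if [ ynh_permission_has_user --permission=main --user=visitors ]` does not execute the helper: `[` receives three literal words, reports a missing binary operator and exits 2, so the `else` branch runs on every upgrade and header login is re-enabled even when the app is public; had the first branch been reached, its `WHERE ID)1;` is a syntax error and that UPDATE would fail as well. Change the test to `if ynh_permission_has_user --permission=main --user=visitors; then` and the first statement's tail to `... WHERE ID=1;"`. Since `ynh_abort_if_errors` is normally set in install/upgrade scripts, a failing UPDATE would probably abort the upgrade rather than pass silently, but that is configured above the hunk and should be verified, as should the service being stopped before app.db is written.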
diff --git a/sources/patches/main-web.py.patch b/sources/patches/main-web.py.patch
new file mode 100644
index 0000000..3386aba
--- /dev/null
+++ b/sources/patches/main-web.py.patch
@@ -0,0 +1,14 @@
+--- a/cps/web.py 2023-03-27 19:49:57.000000000 +0200
++++ b/cps/web.py 2023-08-05 11:05:36.703730438 +0200
+@@ -1411,7 +1411,10 @@
+ if feature_support['oauth'] and (config.config_login_type == 2 or config.config_login_type == 3):
+ logout_oauth_user()
+ log.debug("User logged out")
+- return redirect(url_for('web.login'))
++ if config.config_login_type == constants.LOGIN_LDAP:
++ return redirect(request.host_url + '/yunohost/sso/?action=logout')
++ else:
++ return redirect(url_for('web.login'))
+
+
+ # ################################### Users own configuration #########################################################
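Review bot: The new redirect concatenates `request.host_url`, which already ends with a slash, with `/yunohost/sso/...`, producing `https://host//yunohost/sso/?action=logout`, and it derives scheme and host from the incoming Host header. A path-only target avoids both issues: `return redirect('/yunohost/sso/?action=logout')` (SSOwat answers on the same origin, so no absolute URL is needed as far as I can tell). The patch also assumes `constants` is imported in `cps/web.py` and that YunoHost runs calibre-web with `config_login_type == constants.LOGIN_LDAP`; both hold for the upstream version I know of but are worth re-checking whenever the pinned source is bumped. The `logout` view begins above the patched lines.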