Use sandbox domain and upgrade to v5.1.0

Co-authored-by: Éric Gaspar <46165813+ericgaspar@users.noreply.github.com>
2024-09-03 18:26:14 +02:00 · 2022-12-09 17:01:27 +00:00 · 2022-12-09 17:01:27 +00:00 · 16ecb70d87
commit 16ecb70d87
parent 3f627932fb
10 changed files with 245 additions and 27 deletions
--- a/README.md
+++ b/README.md
@ -30,7 +30,14 @@ CryptPad is a collaboration suite that is end-to-end-encrypted and open-source.

 ## Configuration

-Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator:
+Once CryptPad is installed.
+
+We have created for you the mandatory sandbox domain.
+You still need to install the certificate for it.
+So first, hit the diagnosis page so we make sure your DNS configuration is correct.
+Then, go into your domain SSL configuration to generate your Let's Encrypt certificate. 
+
+Create an account via the Register button on the home page. To make this account an instance administrator:

 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
 2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder):
--- a/5
+++ b/5
@ -13,6 +13,8 @@
 		upgrade=1
 		#4.10.0
 		upgrade=1	from_commit=2a54cd03f90c93b07150a64644ffc7f208110a18
+		#4.12.0
+		upgrade=1	from_commit=1e36039893dc35533b320257ca7f93ef1d07a164
 		backup_restore=1
 		multi_instance=0
 		port_already_use=0
@ -23,3 +25,6 @@ Notification=none
 ;;; Upgrade options
 	; commit=2a54cd03f90c93b07150a64644ffc7f208110a18
 		name=update to 4.10.0
+;;; Upgrade options
+	; commit=1e36039893dc35533b320257ca7f93ef1d07a164
+		name=update to 4.12.0
--- a/conf/app.src
+++ b/conf/app.src
@ -1,6 +1,6 @@
-SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/4.11.0.tar.gz
-SOURCE_SUM=e529b484c297f73227f991971189c51f64da1ab53fc78334d1fb08e320d4385e
+SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/5.1.0.tar.gz
+SOURCE_SUM=e8971f8a6439958e8328a8433a696e5ae3915740c5f93cfce9a13776edd83084
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=cryptpad.tar.gz
+SOURCE_FILENAME=cryptpad.tar.gz
--- a/conf/config.js
+++ b/conf/config.js
@ -72,7 +72,7 @@ module.exports = {
 *
 *  CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS.
 */
-    // httpSafeOrigin: "https://some-other-domain.xyz",
+    httpSafeOrigin: "https://sandbox-__DOMAIN__",

 /*  httpAddress specifies the address on which the nodejs server
 *  should be accessible. By default it will listen on 127.0.0.1
@ -325,4 +325,4 @@ module.exports = {
     *
     */
    installMethod: 'unspecified',
-};
+};
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -1,19 +1,94 @@
-#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
-location __PATH__/ {
-
-  proxy_pass http://127.0.0.1:__PORT__;
-  proxy_redirect    off;
-  proxy_set_header  Host $host;
-  proxy_set_header  X-Real-IP $remote_addr;
-  proxy_set_header  X-Forwarded-Proto $scheme;
-  proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header  X-Forwarded-Host $server_name;
-
-  proxy_http_version 1.1;
-  proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "upgrade";
-
-  # Include SSOWAT user panel.
-  include conf.d/yunohost_panel.conf.inc;
-  more_clear_input_headers 'Accept-Encoding';
+set $main_domain "__DOMAIN__";
+set $sandbox_domain "sandbox-__DOMAIN__";
+set $allowed_origins "https://${sandbox_domain}";
+set $api_domain "__DOMAIN__";
+set $files_domain "__DOMAIN__";
+ssl_ecdh_curve secp384r1;
+more_set_headers "Strict-Transport-Security: 'max-age=31536000; includeSubDomains' always";
+more_set_headers "X-XSS-Protection: '1; mode=block'";
+more_set_headers "X-Content-Type-Options: nosniff";
+more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
+more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
+root /var/www/cryptpad;
+index index.html;
+error_page 404 /customize.dist/404.html;
+if ($uri ~ ^(\/|.*\/|.*\.html)$) {
+    set $cacheControl no-cache;
 }
+if ($args ~ ver=) {
+    set $cacheControl max-age=31536000;
+}
+more_set_headers "Cache-Control: $cacheControl";
+set $styleSrc   "'unsafe-inline' 'self' https://${main_domain}";
+set $connectSrc "'self' blob: https://${main_domain} https://${sandbox_domain} wss://${main_domain}";
+set $fontSrc    "'self' data: https://${main_domain}";
+set $imgSrc     "'self' data: blob: https://${main_domain}";
+set $frameSrc   "'self' https://${sandbox_domain} blob:";
+set $mediaSrc   "blob:";
+set $childSrc   "https://${main_domain}";
+set $workerSrc  "'self'";
+set $scriptSrc  "'self' resource: https://${main_domain}";
+set $frameAncestors "'self' https://${main_domain}";
+set $unsafe 0;
+if ($uri ~ ^\/(sheet|doc|presentation)\/inner.html.*$) { set $unsafe 1; }
+if ($uri ~ ^\/common\/onlyoffice\/.*\/.*\.html.*$) { set $unsafe 1; }
+if ($host != $sandbox_domain) { set $unsafe 0; }
+if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }
+if ($unsafe) {
+    set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
+}
+more_set_headers "Content-Security-Policy: default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";
+location ^~ /cryptpad_websocket {
+    proxy_pass http://localhost:3000;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection upgrade;
+}
+location ^~ /customize.dist/ {
+    # This is needed in order to prevent infinite recursion between /customize/ and the root
+}
+location ^~ /customize/ {
+    rewrite ^/customize/(.*)$ $1 break;
+    try_files /customize/$uri /customize.dist/$uri;
+}
+location ~ ^/api/.*$ {
+    proxy_pass http://localhost:3000;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_hide_header Cross-Origin-Resource-Policy;
+    more_set_headers "Cross-Origin-Resource-Policy: cross-origin";
+    proxy_hide_header Cross-Origin-Embedder-Policy;
+    more_set_headers "Cross-Origin-Embedder-Policy: require-corp";
+}
+location ^~ /blob/ {
+    if ($request_method = 'OPTIONS') {
+        more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+        more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
+        more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range'";
+        more_set_headers "Access-Control-Max-Age: 1728000";
+        more_set_headers "Content-Type: 'application/octet-stream; charset=utf-8'";
+        more_set_headers "Content-Length: 0";
+        return 204;
+    }
+    more_set_headers "X-Content-Type-Options: nosniff";
+    more_set_headers "Cache-Control: max-age=31536000'";
+    more_set_headers "Access-Control-Allow-Origin: '${allowed_origins}'";
+    more_set_headers "Access-Control-Allow-Methods: 'GET, POST, OPTIONS'";
+    more_set_headers "Access-Control-Allow-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'";
+    more_set_headers "Access-Control-Expose-Headers: 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Content-Length'";
+    try_files $uri =404;
+}
+location ^~ /block/ {
+    more_set_headers "X-Content-Type-Options: nosniff";
+    more_set_headers "Cache-Control: max-age=0";
+    try_files $uri =404;
+}
+location ~ ^/(register|login|settings|user|pad|drive|poll|slide|code|whiteboard|file|media|profile|contacts|todo|filepicker|debug|kanban|sheet|support|admin|notifications|teams|calendar|presentation|doc|form|report|convert|checkup)$ {
+    rewrite ^(.*)$ $1/ redirect;
+}
+try_files /customize/www/$uri /customize/www/$uri/index.html /www/$uri /www/$uri/index.html /customize/$uri;
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -4,7 +4,7 @@
 # COMMON VARIABLES
 #=================================================

-nodejs_version="14"
+nodejs_version="16.14.2"

 #=================================================
 # PERSONAL HELPERS
--- a/scripts/install
+++ b/scripts/install
@ -66,6 +66,16 @@ ynh_app_setting_set --app=$app --key=port --value=$port
 porti=$(ynh_find_port --port=$(($port + 1)))
 ynh_app_setting_set --app=$app --key=porti --value=$porti

+#=================================================
+# CREATE A SANDBOX DOMAIN
+#=================================================
+sandboxdomain=sandbox-$domain
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	yunohost domain add $sandboxdomain
+	yunohost domain config set $sandboxdomain -a "mail_in=0&mail_out=0"
+fi
+
 #=================================================
 # INSTALL DEPENDENCIES
 #=================================================
@ -131,6 +141,8 @@ pushd "$final_path"
 	ynh_exec_warn_less npm install --allow-root
 	ynh_exec_warn_less npm install -g bower
 	ynh_exec_warn_less bower install --allow-root
+	ynh_exec_warn_less bower update --allow-root
+	ynh_exec_warn_less npm run build
 popd

 #=================================================
@ -161,6 +173,36 @@ then
 	ynh_permission_update --permission="main" --add="visitors"
 fi

+# We authorize access to sandbox domain
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	ynh_permission_url --permission="main" --add_url=$sandboxdomain --auth_header=true
+	# there is a bug in core that add a slash at the end of domain in ssowat conf for uris var
+	# so we use ${sandboxdomain%/} to remove the eccessive trailing slash # it doesnt work
+	# we use jq to correct /etc/ssowat/conf.json
+	uri2=$sandboxdomain
+	touch /etc/ssowat/conf.json.persistent
+	cat /etc/ssowat/conf.json | jq --arg uri2 "$uri2" '(.permissions[] | select(.label=="CryptPad") | .uris[1]) |=$uri2' >> /etc/ssowat/conf.json.persistent
+fi
+
+#=================================================
+# APPLY FOLDER RIGHTS
+#=================================================
+chgrp -R www-data $final_path
+
+#=================================================
+# COPY NGINX CONF IN SANDBOX DOMAIN
+#=================================================
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	ynh_add_config --template="/etc/nginx/conf.d/$domain.d/cryptpad.conf" --destination="/etc/nginx/conf.d/$sandboxdomain.d/cryptpad.conf"
+fi
+
+#=================================================
+# RELOAD YUNOHOST-API to refresh web admin domains after domain creation (normal?)
+#=================================================
+ynh_systemd_action --service_name=yunohost-api --action=reload
+
 #=================================================
 # RELOAD NGINX
 #=================================================
@ -175,9 +217,10 @@ ynh_script_progression --message="Sending a readme for the admin..." --weight=1

 message="CryptPad was successfully installed :)

-Please open your $app domain: https://$domain$path_url
+We have added a sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it.

-Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator:
+Then you can please open your $app domain: https://$domain$path_url
+Create an account via the Register button on the home page. To make this account an instance administrator:

 1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
 2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder):
--- a/scripts/remove
+++ b/scripts/remove
@ -64,6 +64,29 @@ ynh_script_progression --message="Removing dependencies..." --weight=3

 ynh_remove_nodejs

+#=================================================
+# REMOVE SANDBOX DOMAIN
+#=================================================
+ynh_script_progression --message="Removing sandbox domain..." --weight=1
+
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	sandboxdomain=sandbox-$domain
+		
+	if yunohost domain list | grep -q $sandboxdomain
+	then #if domain exist we remove it
+		yunohost domain remove $sandboxdomain
+		# we clean the nginx configuration we added
+		ynh_secure_remove --file="/etc/nginx/conf.d/$sandboxdomain.d/"
+	fi
+fi
+
+
+#=================================================
+# RELOAD YUNOHOST-API to refresh web admin domains after domain creation (bug core?)
+#=================================================
+#ynh_systemd_action --service_name=yunohost-api --action=reload
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -68,6 +68,11 @@ chmod -R o-rwx "$final_path"
 chown -R $app:$app "$final_path"
 chmod 600 "$final_path/config/config.js"

+#=================================================
+# APPLY FOLDER GROUP RIGHTS FOR WWW-DATA
+#=================================================
+chgrp -R www-data $final_path
+
 #=================================================
 # REINSTALL DEPENDENCIES
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -97,6 +97,21 @@ then
 	chown -R $app:$app "$final_path"
 fi

+#=================================================
+# APPLY FOLDER GROUP RIGHTS FOR WWW-DATA
+#=================================================
+chgrp -R www-data $final_path
+
+#=================================================
+# CREATE A SANDBOX DOMAIN
+#=================================================
+sandboxdomain=sandbox-$domain
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	yunohost domain add $sandboxdomain
+	yunohost domain config set $sandboxdomain -a "mail_in=0&mail_out=0"
+fi
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@ -122,6 +137,7 @@ pushd "$final_path"
 	ynh_exec_warn_less npm install -g bower
 	ynh_exec_warn_less bower update --allow-root
 	ynh_exec_warn_less npm i
+	ynh_exec_warn_less npm run build
 popd

 #=================================================
@ -142,6 +158,11 @@ ynh_script_progression --message="Integrating service in YunoHost..." --weight=1

 yunohost service add $app --description="Zero Knowledge realtime collaborative editor" --log="/var/log/$app/$app.log"

+#=================================================
+# ADD UPGRADED CONFIG WITH SANDBOX
+#=================================================
+ynh_add_config --template="../conf/config.js" --destination="$final_path/config/config.js"
+
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
@ -149,6 +170,26 @@ ynh_script_progression --message="Starting a systemd service..." --weight=1

 ynh_systemd_action --service_name=$app --action="start" --log_path=systemd --line_match="server available"

+#=================================================
+# COPY NGINX CONF IN SANDBOX DOMAIN
+#=================================================
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	ynh_add_config --template="/etc/nginx/conf.d/$domain.d/cryptpad.conf" --destination="/etc/nginx/conf.d/$sandboxdomain.d/cryptpad.conf"
+fi
+
+# We authorize access to sandbox domain
+# We don't test that in CI
+if ! [ ${PACKAGE_CHECK_EXEC:-0} -eq 1 ]; then
+	ynh_permission_url --permission="main" --add_url=$sandboxdomain --auth_header=true
+	# there is a bug in core that add a slash at the end of domain in ssowat conf for uris var
+	# so we use ${sandboxdomain%/} to remove the eccessive trailing slash # it doesnt work
+	# we use jq to correct /etc/ssowat/conf.json
+	uri2=$sandboxdomain
+	touch /etc/ssowat/conf.json.persistent
+	cat /etc/ssowat/conf.json | jq --arg uri2 "$uri2" '(.permissions[] | select(.label=="CryptPad") | .uris[1]) |=$uri2' >> /etc/ssowat/conf.json.persistent
+fi
+
 #=================================================
 # RELOAD NGINX
 #=================================================
@ -156,6 +197,25 @@ ynh_script_progression --message="Reloading NGINX web server..." --weight=1

 ynh_systemd_action --service_name=nginx --action=reload

+#=================================================
+# SEND A README FOR THE ADMIN
+#=================================================
+ynh_script_progression --message="Sending a readme for the admin..." --weight=1
+
+message="CryptPad was successfully upgraded :)
+We have added a sandbox domain for you but you still need to configure your DNS and generate Let's Encrypt Certificates for it !!
+If not already done, then you can please open your $app domain: https://$domain$path_url
+Create an account via the Register button on the home page. To make this account an instance administrator:
+1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
+2. Paste this key in /var/www/cryptpad/config/config.js in the following array (uncomment and replace the placeholder):
+adminKeys: [
+        "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+],
+If you are facing an issue or want to improve this app, please open a new issue in this project: https://github.com/YunoHost-Apps/cryptpad_ynh"
+
+ynh_send_readme_to_admin "$message"
+
+
 #=================================================
 # END OF SCRIPT
 #=================================================