Merge pull request #107 from YunoHost-Apps/testing

Testing

.github/workflows/updater.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+
+#=================================================
+# PACKAGE UPDATING HELPER
+#=================================================
+
+# This script is meant to be run by GitHub Actions
+# The YunoHost-Apps organisation offers a template Action to run this script periodically
+# Since each app is different, maintainers can adapt its contents so as to perform
+# automatic actions when a new upstream release is detected.
+
+# Remove this exit command when you are ready to run this Action
+#exit 1
+
+#=================================================
+# FETCHING LATEST RELEASE AND ITS ASSETS
+#=================================================
+
+# Fetching information
+current_version=$(cat manifest.json | jq -j '.version|split("~")[0]')
+repo=$(cat manifest.json | jq -j '.upstream.code|split("https://github.com/")[1]')
+# Some jq magic is needed, because the latest upstream release is not always the latest version (e.g. security patches for older versions)
+version=$(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r '.[] | select( .prerelease != true ) | .tag_name' | sort -V | tail -1)
+assets=($(curl --silent "https://api.github.com/repos/$repo/releases" | jq -r '[ .[] | select(.tag_name=="'$version'").assets[].browser_download_url ] | join(" ") | @sh' | tr -d "'"))
+
+if [[ ${version:0:1} == "v" || ${version:0:1} == "V" ]]; then
+    version=${version:1}
+fi
+
+# Setting up the environment variables
+echo "Current version: $current_version"
+echo "Latest release from upstream: $version"
+echo "VERSION=$version" >> $GITHUB_ENV
+# For the time being, let's assume the script will fail
+echo "PROCEED=false" >> $GITHUB_ENV
+
+# Proceed only if the retrieved version is greater than the current one
+if ! dpkg --compare-versions "$current_version" "lt" "$version" ; then
+    echo "::warning ::No new version available"
+    exit 0
+# Proceed only if a PR for this new version does not already exist
+elif git ls-remote -q --exit-code --heads https://github.com/$GITHUB_REPOSITORY.git ci-auto-update-v$version ; then
+    echo "::warning ::A branch already exists for this update"
+    exit 0
+fi
+
+# Each release can hold multiple assets (e.g. binaries for different architectures, source code, etc.)
+echo "${#assets[@]} available asset(s)"
+
+#=================================================
+# UPDATE SOURCE FILES
+#=================================================
+
+# Here we use the $assets variable to get the resources published in the upstream release.
+# Here is an example for Grav, it has to be adapted in accordance with how the upstream releases look like.
+
+# Let's loop over the array of assets URLs
+for asset_url in ${assets[@]}; do
+
+echo "Handling asset at $asset_url"
+
+# Assign the asset to a source file in conf/ directory
+# Here we base the source file name upon a unique keyword in the assets url (admin vs. update)
+# Leave $src empty to ignore the asset
+case $asset_url in
+  *".tar.gz"*)
+    src="app"
+    ;;
+esac
+
+# If $src is not empty, let's process the asset
+if [ ! -z "$src" ]; then
+
+# Create the temporary directory
+tempdir="$(mktemp -d)"
+
+# Download sources and calculate checksum
+filename=${asset_url##*/}
+curl --silent -4 -L $asset_url -o "$tempdir/$filename"
+checksum=$(sha256sum "$tempdir/$filename" | head -c 64)
+
+# Delete temporary directory
+rm -rf $tempdir
+
+# Get extension
+if [[ $filename == *.tar.gz ]]; then
+  extension=tar.gz
+else
+  extension=${filename##*.}
+fi
+
+# Rewrite source file
+cat <<EOT > conf/$src.src
+SOURCE_URL=$asset_url
+SOURCE_SUM=$checksum
+SOURCE_SUM_PRG=sha256sum
+SOURCE_FORMAT=$extension
+SOURCE_IN_SUBDIR=true
+SOURCE_FILENAME=cryptpad.tar.gz
+EOT
+echo "... conf/$src.src updated"
+
+else
+echo "... asset ignored"
+fi
+
+done
+
+#=================================================
+# SPECIFIC UPDATE STEPS
+#=================================================
+
+# Any action on the app's source code can be done.
+# The GitHub Action workflow takes care of committing all changes after this script ends.
+
+#=================================================
+# GENERIC FINALIZATION
+#=================================================
+
+# Install moreutils, needed for sponge
+sudo apt-get install moreutils
+
+# Replace new version in manifest
+echo "$(jq -s --indent 4 ".[] | .version = \"$version~ynh1\"" manifest.json)" > manifest.json
+
+# No need to update the README, yunohost-bot takes care of it
+
+# The Action will proceed only if the PROCEED environment variable is set to true
+echo "PROCEED=true" >> $GITHUB_ENV
+exit 0

README.md

@@ -15,9 +15,9 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in
 
 ## Overview
 
-Zero Knowledge realtime collaborative editor
+CryptPad is a collaboration suite that is end-to-end-encrypted and open-source. It is built to enable collaboration, synchronizing changes to documents in real time. Because all data is encrypted, the service and its administrators have no way of seeing the content being edited and stored.
 
-**Shipped version:** 4.10.0~ynh1
+**Shipped version:** 4.11.0~ynh1
 
 **Demo:** https://cryptpad.fr/
 
@@ -29,12 +29,19 @@ Zero Knowledge realtime collaborative editor
 
 ## Configuration
 
-* How to configure this app: From the admin panel and the plain file `/var/www/cryptpad/config/config.js.`
+Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator:
+
+1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
+2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder):
+``` 
+adminKeys: [
+        "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+],
+```
 
 ## Documentation and resources
 
 * Official app website: https://cryptpad.fr/
-* Official user documentation: https://yunohost.org/apps
 * Official admin documentation: https://docs.cryptpad.fr/en/
 * Upstream app code repository: https://github.com/xwiki-labs/cryptpad
 * YunoHost documentation for this app: https://yunohost.org/app_cryptpad

README_fr.md

@@ -11,9 +11,9 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 
 ## Vue d'ensemble
 
-Éditeur chiffré collaboratif en temps réel.
+CryptPad est une suite de collaboration chiffrée de bout en bout et open source. Il est conçu pour permettre la collaboration, en synchronisant les modifications apportées aux documents en temps réel. Étant donné que toutes les données sont chiffrées, le service et ses administrateurs n'ont aucun moyen de voir le contenu modifié et stocké. 
 
-**Version incluse :** 4.10.0~ynh1
+**Version incluse :** 4.11.0~ynh1
 
 **Démo :** https://cryptpad.fr/
 
@@ -25,12 +25,19 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour
 
 ## Configuration
 
-Comment configurer cette application : via le panneau d'administration ainsi que le fichier de configuration `/var/www/cryptpad/config/config.js`.
+Une fois CryptPad installé, créez un compte via le bouton S'inscrire sur la page d'accueil. Pour faire de ce compte un administrateur d'instance :
+
+1. Copiez la clé publique trouvée dans le menu utilisateur (avatar en haut à droite) > Paramètres > Compte > Clé de signature publique
+2. Collez cette clé dans `/var/www/cryptpad/config/config.js` dans le tableau suivant (décommentez et remplacez l'espace réservé) :
+``` 
+adminKeys: [
+        "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+],
+```
 
 ## Documentations et ressources
 
 * Site officiel de l'app : https://cryptpad.fr/
-* Documentation officielle utilisateur : https://yunohost.org/apps
 * Documentation officielle de l'admin : https://docs.cryptpad.fr/en/
 * Dépôt de code officiel de l'app : https://github.com/xwiki-labs/cryptpad
 * Documentation YunoHost pour cette app : https://yunohost.org/app_cryptpad

check_process

@@ -12,10 +12,8 @@
 		setup_private=1
 		setup_public=1
 		upgrade=1
-		#4.6.0
-		upgrade=1    from_commit=198d9d2bbdb131354f4d8ba3179021de9e58a75a
-		#4.9.0
-		upgrade=1    from_commit=c61a2ee40b5ef747219793a6cc5a409f366c8a94
+		#4.10.0
+		upgrade=1    from_commit=2a54cd03f90c93b07150a64644ffc7f208110a18
 		backup_restore=1
 		multi_instance=0
 		change_url=1
@@ -23,9 +21,5 @@
 Email=
 Notification=none
 ;;; Upgrade options
-	; commit=198d9d2bbdb131354f4d8ba3179021de9e58a75a
-		name=update to 4.6.0
-	; commit=c61a2ee40b5ef747219793a6cc5a409f366c8a94
-		name=update to 4.9.0
-
-		
+	; commit=2a54cd03f90c93b07150a64644ffc7f208110a18
+		name=update to 4.10.0

conf/app.src

@@ -1,6 +1,6 @@
-SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/4.10.0.tar.gz
-SOURCE_SUM=0e55e5c2deff97e002bc570023e59e530df0fa5249836e75a8a3120e924c873e
+SOURCE_URL=https://github.com/xwiki-labs/cryptpad/archive/4.11.0.tar.gz
+SOURCE_SUM=e529b484c297f73227f991971189c51f64da1ab53fc78334d1fb08e320d4385e
 SOURCE_SUM_PRG=sha256sum
 SOURCE_FORMAT=tar.gz
 SOURCE_IN_SUBDIR=true
-SOURCE_FILENAME=cryptpad-4.10.0.tar.gz
+SOURCE_FILENAME=cryptpad.tar.gz

conf/systemd.service

@@ -12,11 +12,36 @@ Environment=NODE_ENV=production
 ExecStart=__YNH_NPM__ start
 Restart=always
 
-PrivateDevices=true
-ProtectControlGroups=true
-ProtectHome=true
-ProtectKernelTunables=true
+# Sandboxing options to harden security
+# Depending on specificities of your service/app, you may need to tweak these 
+# .. but this should be a good baseline
+# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+DevicePolicy=closed
 ProtectSystem=full
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+LockPersonality=yes
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+
+# Denying access to capabilities that should not be relevant for webapps
+# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
+CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG 
+
 
 [Install]
 WantedBy=multi-user.target

doc/DESCRIPTION.md

@@ -0,0 +1 @@
+CryptPad is a collaboration suite that is end-to-end-encrypted and open-source. It is built to enable collaboration, synchronizing changes to documents in real time. Because all data is encrypted, the service and its administrators have no way of seeing the content being edited and stored.

doc/DESCRIPTION_fr.md

@@ -0,0 +1 @@
+CryptPad est une suite de collaboration chiffrée de bout en bout et open source. Il est conçu pour permettre la collaboration, en synchronisant les modifications apportées aux documents en temps réel. Étant donné que toutes les données sont chiffrées, le service et ses administrateurs n'ont aucun moyen de voir le contenu modifié et stocké. 

doc/DISCLAIMER.md

@@ -1,3 +1,11 @@
 ## Configuration
 
-* How to configure this app: From the admin panel and the plain file `/var/www/cryptpad/config/config.js.`
+Once CryptPad is installed, create an account via the Register button on the home page. To make this account an instance administrator:
+
+1. Copy the public key found in User Menu (avatar at the top right) > Settings > Account > Public Signing Key
+2. Paste this key in `/var/www/cryptpad/config/config.js` in the following array (uncomment and replace the placeholder):
+``` 
+adminKeys: [
+        "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+],
+```

doc/DISCLAIMER_fr.md

@@ -1,3 +1,11 @@
 ## Configuration
 
-Comment configurer cette application : via le panneau d'administration ainsi que le fichier de configuration `/var/www/cryptpad/config/config.js`.
+Une fois CryptPad installé, créez un compte via le bouton S'inscrire sur la page d'accueil. Pour faire de ce compte un administrateur d'instance :
+
+1. Copiez la clé publique trouvée dans le menu utilisateur (avatar en haut à droite) > Paramètres > Compte > Clé de signature publique
+2. Collez cette clé dans `/var/www/cryptpad/config/config.js` dans le tableau suivant (décommentez et remplacez l'espace réservé) :
+``` 
+adminKeys: [
+        "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]",
+],
+```

manifest.json

@@ -4,16 +4,15 @@
     "packaging_format": 1,
     "description": {
         "en": "Zero Knowledge realtime collaborative editor",
-        "fr": "Éditeur chiffré collaboratif en temps réel."
+        "fr": "Éditeur chiffré collaboratif en temps réel"
     },
-    "version": "4.10.0~ynh1",
+    "version": "4.11.0~ynh1",
     "url": "https://cryptpad.fr/",
     "upstream": {
         "license": "AGPL-3.0-only",
         "website": "https://cryptpad.fr/",
         "demo": "https://cryptpad.fr/",
         "admindoc": "https://docs.cryptpad.fr/en/",
-        "userdoc": "https://yunohost.org/apps",
         "code": "https://github.com/xwiki-labs/cryptpad"
     },
     "license": "AGPL-3.0-only",
@@ -37,13 +36,11 @@
                 "help": {
                     "en": "CryptPad needs to be installed in a dedicated domain or sub-domain.",
                     "fr": "CryptPad doit être installé dans un domaine ou sous-domaine dédié."
-                },
-                "example": "cryptpad.example.com"
+                }
             },
             {
                 "name": "admin",
-                "type": "user",
-                "example": "johndoe"
+                "type": "user"
             },
             {
                 "name": "is_public",

scripts/backup

@@ -57,4 +57,4 @@ ynh_backup --src_path="/etc/systemd/system/$app.service"
 # END OF SCRIPT
 #=================================================
 
-ynh_print_info --message="Backup script completed for CryptPad. (YunoHost will then actually copy those files to the archive)."
+ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)."

scripts/change_url

@@ -32,7 +32,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
-ynh_script_progression --message="Backing up CryptPad before changing its URL (may take a while)..." --weight=2
+ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --weight=2
 
 # Backup the current version of the app
 ynh_backup_before_upgrade
@@ -120,4 +120,4 @@ ynh_systemd_action --service_name=nginx --action=reload
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Change of URL completed for CryptPad" --last
+ynh_script_progression --message="Change of URL completed for $app" --last

scripts/install

@@ -122,14 +122,14 @@ chown $app "$final_path/config/config.js"
 #=================================================
 # INSTALL CRYPTPAD
 #=================================================
-ynh_script_progression --message="Building CryptPad... (this will take some time and resources!)" --weight=60
+ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=60
 
-pushd "$final_path" || ynh_die
+pushd "$final_path"
 	ynh_use_nodejs
 	ynh_exec_warn_less npm install --allow-root
 	ynh_exec_warn_less npm install -g bower
 	ynh_exec_warn_less bower install --allow-root
-popd || ynh_die
+popd
 
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
@@ -191,4 +191,4 @@ ynh_send_readme_to_admin "$message"
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Installation of CryptPad completed" --last
+ynh_script_progression --message="Installation of $app completed" --last

scripts/remove

@@ -29,7 +29,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 # Remove the service from the list of services known by YunoHost (added from `yunohost service add`)
 if ynh_exec_warn_less yunohost service status $app >/dev/null
 then
-	ynh_script_progression --message="Removing CryptPad service..." --weight=3
+	ynh_script_progression --message="Removing $app service..." --weight=3
 	yunohost service remove $app
 fi
 
@@ -51,7 +51,7 @@ ynh_remove_nodejs
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================
-ynh_script_progression --message="Removing CryptPad main directory..." --weight=3
+ynh_script_progression --message="Removing $app main directory..." --weight=3
 
 # Remove the app directory securely
 ynh_secure_remove --file="$final_path"
@@ -78,4 +78,4 @@ ynh_system_user_delete --username=$app
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Removal of CryptPad completed" --last
+ynh_script_progression --message="Removal of $app completed" --last

scripts/restore

@@ -111,4 +111,4 @@ ynh_systemd_action --service_name=nginx --action=reload
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Restoration completed for CryptPad" --last
+ynh_script_progression --message="Restoration completed for $app" --last

scripts/upgrade

@@ -51,7 +51,7 @@ fi
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
-ynh_script_progression --message="Backing up CryptPad before upgrading (may take a while)..." --weight=1
+ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=1
 
 # Backup the current version of the app
 ynh_backup_before_upgrade
@@ -93,7 +93,6 @@ then
 	chmod 750 "$final_path"
 	chmod -R o-rwx "$final_path"
 	chown -R $app:$app "$final_path"
-	chmod 600 "$final_path/config/config.js"
 fi
 
 #=================================================
@@ -121,7 +120,7 @@ ynh_exec_warn_less ynh_install_nodejs --nodejs_version=$nodejs_version
 #=================================================
 # INSTALL CRYPTPAD
 #=================================================
-ynh_script_progression --message="Building CryptPad... (this will take some time and resources!)" --weight=60
+ynh_script_progression --message="Building $app... (this will take some time and resources!)" --weight=60
 
 pushd "$final_path" 
 	ynh_exec_warn_less npm install --allow-root
@@ -136,7 +135,6 @@ popd
 ynh_script_progression --message="Upgrading systemd configuration..." --weight=1
 
 ynh_replace_string --match_string="__ENV_PATH__" --replace_string="$PATH" --target_file="../conf/systemd.service"
-ynh_replace_string --match_string="__YNH_NPM__" --replace_string="$ynh_npm" --target_file="../conf/systemd.service"
 
 # Create a dedicated systemd config
 ynh_add_systemd_config
@@ -166,4 +164,4 @@ ynh_systemd_action --service_name=nginx --action=reload
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Upgrade of CryptPad completed" --last
+ynh_script_progression --message="Upgrade of $app completed" --last