From dfce441b1c08bad7777951ff6a2da4f03ec4cdb9 Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sun, 29 Nov 2020 12:00:20 +0100 Subject: [PATCH 1/9] New Permission system - Domoticz API --- conf/nginx.conf | 18 +++++++++--------- hooks/post_app_addaccess | 30 ++++++++++++++++++++++++++++++ hooks/post_app_removeaccess | 23 +++++++++++++++++++++++ manifest.json | 2 +- scripts/change_url | 33 ++++++++++++++++++++++++++------- scripts/install | 32 +++++++++++++++++++++++++++----- scripts/upgrade | 35 ++++++++++++++++++++++++++++++++--- 7 files changed, 148 insertions(+), 25 deletions(-) create mode 100644 hooks/post_app_addaccess create mode 100644 hooks/post_app_removeaccess diff --git a/conf/nginx.conf b/conf/nginx.conf index 7414aa6..35e457e 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -3,15 +3,15 @@ location __PATH__/ { # Path to source #alias __FINALPATH__/ ; - proxy_http_version 1.1; - proxy_read_timeout 90; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded_Proto $scheme; - proxy_set_header X-Scheme $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - more_set_headers "X-Frame-Options: SAMEORIGIN"; + proxy_http_version 1.1; + proxy_read_timeout 90; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded_Proto $scheme; + proxy_set_header X-Scheme $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + more_set_headers "X-Frame-Options: SAMEORIGIN"; proxy_pass http://localhost:__PORT__/; proxy_set_header Host $host; #proxy_buffering off; diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess new file mode 100644 index 0000000..90e83ed --- /dev/null +++ b/hooks/post_app_addaccess 
@@ -0,0 +1,30 @@ +#!/bin/bash + +# Source app helpers +source /usr/share/yunohost/helpers + +app=$1 +added_users=$2 +permission=$3 +added_groups=$4 + +if [ "$app" == __APP__ ]; then + if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed. + if [ "$added_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group. + domain=$(ynh_app_setting_get --app=$app --key=domain) + path_url=$(ynh_app_setting_get --app=$app --key=path) + + if [ "$path_url" == "/" ]; then + # If the path is /, clear it to prevent any error with the regex. + path_url="" + fi + # Modify the domain to be used in a regex + domain_regex=$(echo "$domain" | sed 's@-@.@g') + ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" + + yunohost app ssowatconf + else + ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group." + fi + fi +fi \ No newline at end of file diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess new file mode 100644 index 0000000..127472c --- /dev/null +++ b/hooks/post_app_removeaccess @@ -0,0 +1,23 @@ +#!/bin/bash + +# Source app helpers +source /usr/share/yunohost/helpers + +app=$1 +removed_users=$2 +permission=$3 +removed_groups=$4 + +if [ "$app" == __APP__ ]; then + if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed. + if [ "$removed_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group. + + # We remove the regex, no more protection is needed. + ynh_app_setting_delete --app=$app --key=unprotected_regex + + yunohost app ssowatconf + else + ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group." + fi + fi +fi \ No newline at end of file diff --git a/manifest.json b/manifest.json index 71d10f2..f461f3b 100644 
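Review bot: The `unprotected_regex` built in the `visitors` branch, `$domain_regex$path_url/json.htm.*$`, is anchored only at its end, so it is matched as a substring of the requested URL rather than from the start of the domain; the same construction is repeated in this patch's change_url, install and upgrade hunks. The `sed 's@-@.@g'` on the domain presumably works around `-` being special in the pattern dialect SSOwat matches with, but the dots of the domain are then left as wildcards, and a comment naming that dialect would spare the next maintainer the guess. The group check `[ "$added_groups" = "visitors" ]` is an exact comparison, so a call that adds several groups at once is reported as unsupported instead of handled. Patches 2 and 5 in this series replace the regex with a URL-bound permission, so these points matter mainly if patch 1 is ever applied alone.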
--- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Very light weight open sources home automation system that lets you monitor and configure miscellaneous devices", "fr": "Logiciel open sources et gratuit de domotique qui vous permet de configurer un grand nombre d'appareils" }, - "version": "2020.2~ynh1", + "version": "2020.2~ynh2", "url": "https://www.domoticz.com", "license": "GPL-3.0-or-later", "maintainer": { diff --git a/scripts/change_url b/scripts/change_url index 117a84a..45dd39f 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -25,7 +25,7 @@ app=$YNH_APP_INSTANCE_NAME #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." --time --weight=1 +ynh_script_progression --message="Loading installation settings..." --weight=1 # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) @@ -35,7 +35,7 @@ port=$(ynh_app_setting_get --app=$app --key=port) #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= -ynh_script_progression --message="Backing up the app before changing its url (may take a while)..." --time --weight=1 +ynh_script_progression --message="Backing up the app before changing its url (may take a while)..." --weight=5 # Backup the current version of the app ynh_backup_before_upgrade 
@@ -70,14 +70,14 @@ fi #================================================= # STOP SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Stopping a systemd service..." --time --weight=1 +ynh_script_progression --message="Stopping a systemd service..." --weight=2 ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" #================================================= # MODIFY URL IN NGINX CONF #================================================= -ynh_script_progression --message="Updating nginx web server configuration..." --time --weight=1 +ynh_script_progression --message="Updating nginx web server configuration..." --weight=1 nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf 
@@ -111,17 +111,36 @@ fi #================================================= # GENERIC FINALISATION +#================================================= +# SETUP SSOWAT +#================================================= +ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1 + +# If the app is private, API should stays publicly accessible. +if [ $is_public -eq 0 ] +then + if [ "$path_url" == "/" ]; then + # If the path is /, clear it to prevent any error with the regex. + path_url="" + fi + # Modify the domain to be used in a regex + domain_regex=$(echo "$new_domain" | sed 's@-@.@g') + ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" +fi + + #================================================= # START SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Starting a systemd service..." --time --weight=1 + +ynh_script_progression --message="Starting a systemd service..." --weight=2 ynh_systemd_action --service_name=$app --action="start" #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." --time --weight=1 +ynh_script_progression --message="Reloading nginx web server..." --weight=1 ynh_systemd_action --service_name=nginx --action=reload @@ -129,4 +148,4 @@ ynh_systemd_action --service_name=nginx --action=reload # END OF SCRIPT #================================================= -ynh_script_progression --message="Change of URL completed for $app" --time --last +ynh_script_progression --message="Change of URL completed for $app"--last diff --git a/scripts/install b/scripts/install index 8598b32..056451c 100755 --- a/scripts/install +++ b/scripts/install 
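Review bot: The new SSOwat block tests `$is_public` and `$path_url`, but neither is loaded in change_url: the settings hunk above reads only `final_path` and `port`, and this script's path variables are `old_path`/`new_path`. With `is_public` unset, `[ $is_public -eq 0 ]` fails with a test error, and the regex would otherwise be built from an empty path rather than the new one. Add `is_public=$(ynh_app_setting_get --app=$app --key=is_public)` next to the other settings and derive the regex from `$new_path`. The head of change_url is outside this hunk, so confirm neither variable is set there.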
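Review bot: `ynh_script_progression --message="Change of URL completed for $app"--last` lost the space before `--last` when `--time` was dropped, so `--last` is glued onto the message argument and the helper never sees the final-step flag. Restore it: `ynh_script_progression --message="Change of URL completed for $app" --last`.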
@@ -64,7 +64,7 @@ ynh_app_setting_set --app=$app --key=mach --value=$MACH port=$(ynh_find_port --port=8080) ynh_app_setting_set --app=$app --key=port --value=$port #Standard yunohost does not change __PORT__ in systemd.service -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" +#ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" #================================================= # INSTALL DEPENDENCIES @@ -128,16 +128,26 @@ chmod 440 /etc/sudoers.d/$app mkdir -p /var/log/$app chown -R domoticz: /var/log/$app +#================================================= +# SETUP HOOKS FILE +#================================================= + +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess" +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess" + + #================================================= # SETUP SYSTEMD #================================================= ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config -ynh_add_systemd_config +ynh_add_systemd_config --others_var="port" #ynh_store_file_checksum --file="$final_path/CONFIG_FILE" + + #================================================= # GENERIC FINALIZATION #================================================= 
@@ -183,12 +193,24 @@ ynh_systemd_action --service_name=$app --action="start" ynh_script_progression --message="Configuring SSOwat..." --weight=1 # Make app public if necessary -if [ $is_public -eq 1 ] -then - # unprotected_uris allows SSO credentials to be passed anyway. +if [ $is_public -eq 1 ]; then ynh_permission_update --permission "main" --add visitors +else + # If the app is private, API should stays publicly accessible. + # This is a fake permission without any URL. + # The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified. + # We can't use a real permission for now because the actual permision system doesn't support regex. + ynh_permission_create --permission="domoticz_API" --allowed="visitors" + if [ "$path_url" == "/" ]; then + # If the path is /, clear it to prevent any error with the regex. + path_url="" + fi +# # Modify the domain to be used in a regex + domain_regex=$(echo "$domain" | sed 's@-@.@g') + ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" fi + #================================================= # RELOAD NGINX #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 17858a2..580d6e2 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -75,6 +75,28 @@ if [ -z "$final_path" ]; then ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi +# Create the permission "domoticz_API" only if it doesn't exist. +if ! ynh_permission_exists --permission="domoticz_API" +then + # This is a fake permission without any URL. + # The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified. + # We can't use a real permission for now because the actual permision system doesn't support regex. + ynh_permission_create --permission="domoticz_API" --allowed="visitors" + + # Make API public if necessary + if [ $is_public -eq 0 ] + then + if [ "$path_url" == "/" ]; then + # If the path is /, clear it to prevent any error with the regex. + path_url="" + fi + # Modify the domain to be used in a regex + domain_regex=$(echo "$domain" | sed 's@-@.@g') + ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" + fi +fi + + #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= 
@@ -183,14 +205,21 @@ chmod 440 /etc/sudoers.d/$app mkdir -p /var/log/$app chown -R domoticz: /var/log/$app +#================================================= +# SETUP HOOKS FILE +#================================================= + +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess" +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess" + + #================================================= # SETUP SYSTEMD #================================================= ynh_script_progression --message="Upgrading systemd configuration..." --weight=1 -#Standard yunohost does not change __PORT__ in systemd.service -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" + # Create a dedicated systemd config -ynh_add_systemd_config +ynh_add_systemd_config --others_var="port" #================================================= # MODIFY A CONFIG FILE From 6aa7b1d28bcc83b7148db3564a4149af07fe1a2c Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sat, 5 Dec 2020 23:08:32 +0100 Subject: [PATCH 2/9] API madness --- .gitignore | 1 + README.md | 37 +++++++++++++++++++++++++++- README_fr.md | 38 ++++++++++++++++++++++++++++- conf/nginx.conf | 48 +++++++++++++++++++++++++++++++++---- hooks/post_app_addaccess | 30 ----------------------- hooks/post_app_removeaccess | 23 ------------------ scripts/change_url | 16 +++++-------- scripts/install | 33 +++++++++---------------- scripts/restore | 3 +++ scripts/upgrade | 31 ++++++++++-------------- 10 files changed, 151 insertions(+), 109 deletions(-) delete mode 100644 hooks/post_app_addaccess delete mode 100644 hooks/post_app_removeaccess diff --git a/.gitignore b/.gitignore index 783a4ae..abf52e7 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ *~ *.sw[op] +/hooks/ diff --git a/README.md b/README.md index eacabe2..fc83019 100644 --- a/README.md +++ b/README.md 
@@ -37,7 +37,42 @@ Once installed, **updates from the uptream app are managed from within the app.* ## Configuration -All the configuration of the app take place inside the app itself. +### Sensors, language and this kind of stuff +Main configuration of the app take place inside the app itself. + +### Access and API +By default, access for the [JSON API](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) is allowed on following path `/yourdomain.tld/api_/domoticzpath`. +So if you access domoticz via https://mydomainname.tld/domoticz, use the following webpath for the api : `https://mydomainname.tld/api_/domoticz/json.htm?yourapicommand` + +By default, only sensor updates and switch toogle are authorized. To authorized a new command, you have (for now) to manually update the nginx config file : +```` +sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf +``` +Then edit the following block by adding the regex of the command you want to allow: +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$) { + set $api "1"; + } +```` +For example, to add the json command to retrieve the status of a device (/json.htm?type=devices&rid=IDX),modify the line as this: +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) { + set $api "1"; + } +```` + +All IPv6 and IPv4 address within the local network (192.168.0.0/24) are authorized as API. 
+As far as I know, there is no way to use such filter for IPv6 address : You may remove the authorization by removing or commenting this line in `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`: +```` +allow ::/1; +```` +This will authorized only IPv4 within local network to access your domoticz API. ## Documentation diff --git a/README_fr.md b/README_fr.md index ab352bb..ed33a83 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -35,7 +35,43 @@ Une fois installée, **les mises à jour de l'application sont gérées depuis l ## Configuration -Toute la configuration a lieu à l'intérieur de l'application elle-même. +### Senseurs, langue et ce genre de choses +Toute la configuration de l'application a lieu dans l'application elle même +Main configuration of the app take place inside the app itself. + +### Accès et API +Par défaut, l'accès aux [API JSON](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) est autorisé sur cette URL `/votredomaine.tld/api_/chemindedomoticz`. +Donc, si vous accédez à domoticz par https://votredomaine.tld/domoticz, utilisez le chemin suivant pour l'api:`https://votredomaine.tld/api_/domoticz/json.htm?votrecommandeapi` + +Par défaut, seuls la mise à jour de senseur et les interrupteurs sont autorisés. Pour autoriser une nouvelle commande, vous devez (pour l'instant) manuellement éditer le fichier de configuration nginx : +```` +sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf +``` +Puis éditer le bloc suivant en y ajoutant le regex de la commmande à autoriser : +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$) { + set $api "1"; + } +```` +Par exemple, pour ajouter la commmande json pour retrouver le statut d'un équipement (/json.htm?type=devices&rid=IDX),il faut modifier la ligne comme ceci: +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* 
type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) { + set $api "1"; + } +```` + +Toutes les adresses IPv6 et les adresses IPv4 du réseau local (192.168.0.0/24) sont autorisées pour l'API. +A ma connaissance, il n'y a pas moyen d'effectuer un tel filtre pour les adresses IPv6, vous pouvez donc retirer leur autorisation en enlevant ou en commentant la ligne suivante dans `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`: +```` +allow ::/1; +```` +Ceci autorisera seulement les adresses IPv4 local a accéder aux API de domoticz. ## Documentation diff --git a/conf/nginx.conf b/conf/nginx.conf index 35e457e..f61437a 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,8 +1,7 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - # Path to source - #alias __FINALPATH__/ ; + #Settings for main domoticz interface via web browser proxy_http_version 1.1; proxy_read_timeout 90; proxy_set_header X-Real-IP $remote_addr; @@ -14,7 +13,6 @@ location __PATH__/ { more_set_headers "X-Frame-Options: SAMEORIGIN"; proxy_pass http://localhost:__PORT__/; proxy_set_header Host $host; - #proxy_buffering off; # Force usage of https 
@@ -22,7 +20,49 @@ location __PATH__/ { rewrite ^ https://$server_name$request_uri? permanent; } - # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; +} + + +#sub_path_only rewrite ^api___PATH__$ api___PATH__/ permanent; +location api___PATH__/ { + #Alternative path for api, only authorized json command will be accepted + + #allow only local network on IPv4 + allow 192.168.0.0/16; + #allow all address in IPv6 => how to filter? + allow ::/1; + deny all; + + proxy_http_version 1.1; + proxy_read_timeout 90; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded_Proto $scheme; + proxy_set_header X-Scheme $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + more_set_headers "X-Frame-Options: SAMEORIGIN"; + proxy_pass http://localhost:__PORT__/; + proxy_set_header Host $host; + + set $api "0"; + + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$) { + set $api "1"; + } + + if ($api = 0) { + return 403; + } + + # Force usage of https + if ($scheme = http) { + rewrite ^ https://$server_name$request_uri? permanent; + } + } \ No newline at end of file diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess deleted file mode 100644 index 90e83ed..0000000 --- a/hooks/post_app_addaccess +++ /dev/null 
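Review bot: The command allow-list `if ( $args ~* type=command&param=udevice...svalue=.*$|type=command&param=switchlight...Toggle$ )` is anchored only at the end and its first alternative ends in `.*`, so it constrains neither what precedes the allowed command nor what follows `svalue=`; extra query parameters in those positions reach Domoticz as well. Anchor each alternative with `^` and bound the values, e.g. `idx=[0-9]+` and `svalue=[^&]*$`. The IP gate has the same shape: `allow ::/1` spans the whole global IPv6 unicast range (2000::/3 lies inside it), so it is effectively `allow all` for IPv6 despite the `deny all` below; `allow fe80::/10; allow fc00::/7;` would match the stated "local network" intent, and the README added in this same patch says `192.168.0.0/24` while the config grants `/16`. The `¶m` in the pattern is presumably `&param` mangled by page extraction, so check the committed file before reading it literally. The copied `proxy_set_header X-Forwarded_Proto $scheme;` also carries over the underscore from the original block; the conventional header is `X-Forwarded-Proto`.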
@@ -1,30 +0,0 @@ -#!/bin/bash - -# Source app helpers -source /usr/share/yunohost/helpers - -app=$1 -added_users=$2 -permission=$3 -added_groups=$4 - -if [ "$app" == __APP__ ]; then - if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed. - if [ "$added_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group. - domain=$(ynh_app_setting_get --app=$app --key=domain) - path_url=$(ynh_app_setting_get --app=$app --key=path) - - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" - - yunohost app ssowatconf - else - ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group." - fi - fi -fi \ No newline at end of file diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess deleted file mode 100644 index 127472c..0000000 --- a/hooks/post_app_removeaccess +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash - -# Source app helpers -source /usr/share/yunohost/helpers - -app=$1 -removed_users=$2 -permission=$3 -removed_groups=$4 - -if [ "$app" == __APP__ ]; then - if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed. - if [ "$removed_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group. - - # We remove the regex, no more protection is needed. - ynh_app_setting_delete --app=$app --key=unprotected_regex - - yunohost app ssowatconf - else - ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group." - fi - fi -fi \ No newline at end of file 
diff --git a/scripts/change_url b/scripts/change_url index 45dd39f..dc94edb 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -19,6 +19,8 @@ old_path=$YNH_APP_OLD_PATH new_domain=$YNH_APP_NEW_DOMAIN new_path=$YNH_APP_NEW_PATH +old_api=/api_$old_path +new_api=/api_$new_path app=$YNH_APP_INSTANCE_NAME @@ -117,16 +119,10 @@ fi ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1 # If the app is private, API should stays publicly accessible. -if [ $is_public -eq 0 ] -then - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$new_domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" -fi +ynh_app_setting_delete --app=$app --key="api_path" +ynh_app_setting_set --app=$app --key="api_path" --value=$new_api + +ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api" --allowed="visitors" #================================================= diff --git a/scripts/install b/scripts/install index 056451c..f5dde79 100755 --- a/scripts/install +++ b/scripts/install @@ -29,6 +29,9 @@ path_url=$YNH_APP_ARG_PATH is_public=$YNH_APP_ARG_IS_PUBLIC app=$YNH_APP_INSTANCE_NAME +#Set dedicated variables +api_path=/api_$path_url + #================================================= # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= @@ -39,6 +42,8 @@ test ! -e "$final_path" || ynh_die --message="This path already contains a folde # Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url +#ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path + #================================================= # STORE SETTINGS FROM MANIFEST 
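Review bot: `ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api" --allowed="visitors"` passes `--allowed`, which belongs to `ynh_permission_create`/`ynh_permission_update` rather than the URL helper; unless the helper version targeted here accepts it, the call errors out. Drop the flag, since the group grant made at install survives a URL change: `ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api"`. The `ynh_app_setting_delete` immediately before `ynh_app_setting_set` on the same key is redundant, and the retained comment `# If the app is private, API should stays publicly accessible.` no longer describes the code under it.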
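Review bot: `api_path=/api_$path_url` yields `/api_/` for an install at the root path, and if `ynh_add_nginx_config` strips the placeholder's trailing slash as it does for `location __PATH__/`, this patch's `location api___PATH__/` would presumably become `location api_/`, a location without a leading `/`. Patch 5 special-cases this in change_url with `new_api=/api_/$app`; install needs the same branch, `if [ "$path_url" == "/" ]; then api_path=/api_/$app; else api_path=/api_$path_url; fi`, and the install part of patch 5 is outside this view so I cannot tell whether it already has it. The commented-out `#ynh_webpath_register ... --path_url=$api_path` should be either enabled or removed with a short note on why the API path is not booked.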
@@ -53,6 +58,9 @@ ynh_app_setting_set --app=$app --key=is_public --value=$is_public ynh_app_setting_set --app=$app --key=OS --value=$OS ynh_app_setting_set --app=$app --key=mach --value=$MACH +#path used by api to read/update domoticz +ynh_app_setting_set --app=$app --key=api_path --value=$api_path + #================================================= # STANDARD MODIFICATIONS @@ -63,8 +71,6 @@ ynh_app_setting_set --app=$app --key=mach --value=$MACH # Find an available port port=$(ynh_find_port --port=8080) ynh_app_setting_set --app=$app --key=port --value=$port -#Standard yunohost does not change __PORT__ in systemd.service -#ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" #================================================= # INSTALL DEPENDENCIES @@ -128,13 +134,6 @@ chmod 440 /etc/sudoers.d/$app mkdir -p /var/log/$app chown -R domoticz: /var/log/$app -#================================================= -# SETUP HOOKS FILE -#================================================= - -ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess" -ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess" - #================================================= # SETUP SYSTEMD 
@@ -195,20 +194,10 @@ ynh_script_progression --message="Configuring SSOwat..." --weight=1 # Make app public if necessary if [ $is_public -eq 1 ]; then ynh_permission_update --permission "main" --add visitors -else - # If the app is private, API should stays publicly accessible. - # This is a fake permission without any URL. - # The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified. - # We can't use a real permission for now because the actual permision system doesn't support regex. - ynh_permission_create --permission="domoticz_API" --allowed="visitors" - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi -# # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" fi +#API should stay publicly accessible. +ynh_permission_create --permission="domoticz_API" --url="$domain$api_path" --allowed="visitors" + #================================================= diff --git a/scripts/restore b/scripts/restore index ad9f96a..4305630 100755 --- a/scripts/restore +++ b/scripts/restore @@ -33,6 +33,7 @@ path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) backup_OS=$(ynh_app_setting_get --app=$app --key=OS) backup_mach=$(ynh_app_setting_get --app=$app --key=mach) +api_path=$(ynh_app_setting_get --app=$app --key=api_path) #================================================= # CHECK IF THE APP CAN BE RESTORED 
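Review bot: `ynh_permission_create --permission="domoticz_API" --url="$domain$api_path" --allowed="visitors"` now runs unconditionally, so the API URL is granted to `visitors` even when `is_public=0`; SSOwat no longer stands in front of `/api_…`, and the only remaining controls are the nginx `allow`/`deny` list and the `$args` allow-list in conf/nginx.conf. That is the stated design, but the comment `#API should stay publicly accessible.` should say so, e.g. `# The API URL is always granted to visitors (no SSO in front of it); access is bounded only by the IP allow-list and the command regex in conf/nginx.conf.`, so a later maintainer does not read it as a leftover. If the helper version in use supports `--show_tile`, consider whether a JSON endpoint should appear as a portal tile at all.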
@@ -41,6 +42,8 @@ ynh_script_progression --message="Validating restoration parameters..." --weight ynh_webpath_available --domain=$domain --path_url=$path_url \ || ynh_die --message="Path not available: ${domain}${path_url}" +#ynh_webpath_available --domain=$domain --path_url=$api_path \ +# || ynh_die --message="Path not available: ${domain}${api_path}" test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path " #As we are downloading compiled binaries for each system, we have to check if the restore occurs diff --git a/scripts/upgrade b/scripts/upgrade index 580d6e2..39b4427 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -27,6 +27,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) port=$(ynh_app_setting_get --app=$app --key=port) current_OS=$(ynh_app_setting_get --app=$app --key=OS) current_mach=$(ynh_app_setting_get --app=$app --key=mach) +api_path=$(ynh_app_setting_get --app=$app --key=api_path) #================================================= # CHECK VERSION @@ -57,7 +58,7 @@ elif [ "$is_public" = "No" ]; then elif [ -z "$is_public" ]; then ynh_app_setting_set --app=$app --key=is_public --value=1 is_public=1 - ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentifaction." +ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentication." ynh_print_warn --message="if you require to set it as private, please use the authorization config panel in Users/Manage Groups and permissions" fi 
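Review bot: The corrected line `ynh_print_warn --message="Application was set as public in the previous version,..."` now starts at column 0 although it sits inside the `elif [ -z "$is_public" ]` branch, whose next line is still indented; restore the four-space indent so the branch reads as one block. The `if`/`elif` chain begins outside this hunk.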
@@ -75,25 +76,19 @@ if [ -z "$final_path" ]; then ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi +#Create a dedicated path for the api access +if [ -z "$api_path" ]; then + api_path=/api_$path_url + ynh_app_setting_set --app=$app --key=final_path --value=$final_path +# ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path +fi + + # Create the permission "domoticz_API" only if it doesn't exist. if ! ynh_permission_exists --permission="domoticz_API" then - # This is a fake permission without any URL. - # The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified. - # We can't use a real permission for now because the actual permision system doesn't support regex. - ynh_permission_create --permission="domoticz_API" --allowed="visitors" - - # Make API public if necessary - if [ $is_public -eq 0 ] - then - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" - fi + # API Authorization wit dedicated URL + ynh_permission_create --permission="domoticz_API" ---url="$domain$api_path" --allowed="visitors" fi @@ -173,7 +168,7 @@ fi ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=1 # Create a dedicated nginx config -#ynh_add_nginx_config +ynh_add_nginx_config #================================================= # UPGRADE DEPENDENCIES From d6dbb1759d829fcc5ac08adf738bec299a400f12 Mon Sep 17 00:00:00 2001 From: Krakinou Date: Sun, 6 Dec 2020 10:17:49 +0100 Subject: [PATCH 3/9] Typo in README --- README.md | 4 ++-- README_fr.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index fc83019..f2f849d 100644 --- a/README.md +++ b/README.md 
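Review bot: Inside `if [ -z "$api_path" ]` the new code runs `ynh_app_setting_set --app=$app --key=final_path --value=$final_path`, a copy of the block above; the freshly derived `api_path` is never persisted, so each upgrade recomputes it and change_url's read of the `api_path` setting stays empty on instances upgraded from a version without it. It should be `ynh_app_setting_set --app=$app --key=api_path --value=$api_path`. A few lines further, `ynh_permission_create --permission="domoticz_API" ---url="$domain$api_path" --allowed="visitors"` has a triple-dash `---url`, which the helper's argument parsing will not take as `--url`, so on exactly the upgrade path that introduces the permission it is created without its URL or the call fails. The default `api_path=/api_$path_url` also gives `/api_/` for a root-path install, as in install; patch 5's upgrade rewrite is outside this view.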
@@ -42,12 +42,12 @@ Main configuration of the app take place inside the app itself. ### Access and API By default, access for the [JSON API](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) is allowed on following path `/yourdomain.tld/api_/domoticzpath`. -So if you access domoticz via https://mydomainname.tld/domoticz, use the following webpath for the api : `https://mydomainname.tld/api_/domoticz/json.htm?yourapicommand` +So if you access domoticz via https://mydomainname.tld/domoticz, use the following webpath for the api : `/mydomainname.tld/api_/domoticz/json.htm?yourapicommand` By default, only sensor updates and switch toogle are authorized. To authorized a new command, you have (for now) to manually update the nginx config file : ```` sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf -``` +```` Then edit the following block by adding the regex of the command you want to allow: ```` #set the list of authorized json command here in regex format diff --git a/README_fr.md b/README_fr.md index ed33a83..31ebb39 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -41,12 +41,12 @@ Main configuration of the app take place inside the app itself.
 ### Accès et API
 Par défaut, l'accès aux [API JSON](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) est autorisé sur cette URL `/votredomaine.tld/api_/chemindedomoticz`.
-Donc, si vous accédez à domoticz par https://votredomaine.tld/domoticz, utilisez le chemin suivant pour l'api:`https://votredomaine.tld/api_/domoticz/json.htm?votrecommandeapi`
+Donc, si vous accédez à domoticz par https://votredomaine.tld/domoticz, utilisez le chemin suivant pour l'api: `/votredomaine.tld/api_/domoticz/json.htm?votrecommandeapi`
 Par défaut, seuls la mise à jour de senseur et les interrupteurs sont autorisés. Pour autoriser une nouvelle commande, vous devez (pour l'instant) manuellement éditer le fichier de configuration nginx :
 ````
 sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf
-```
+````
 Puis éditer le bloc suivant en y ajoutant le regex de la commmande à autoriser :
 ````
 #set the list of authorized json command here in regex format
From 573b3ed34a7647ea8b2f31bae440d666b81bf65f Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Sun, 6 Dec 2020 11:37:24 +0100
Subject: [PATCH 4/9] More typo + additionnal comment
---
 README.md | 2 +-
 README_fr.md | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index f2f849d..98cb053 100644
--- a/README.md
+++ b/README.md
@@ -73,7 +73,7 @@ As far as I know, there is no way to use such filter for IPv6 address : You may
 allow ::/1;
 ````
 This will authorized only IPv4 within local network to access your domoticz API.
-
+You may add individual IPv6 address in the same way.
 ## Documentation
diff --git a/README_fr.md b/README_fr.md
index 31ebb39..2f8bd05 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -72,6 +72,7 @@ A ma connaissance, il n'y a pas moyen d'effectuer un tel filtre pour les adresse
 allow ::/1;
 ````
 Ceci autorisera seulement les adresses IPv4 local a accéder aux API de domoticz.
+Vous pouvez ajouter des adresses IPv6 de la même façon.
 ## Documentation
From 3ac63b4c611671afc8ca411b6567d08cbddce290 Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Sun, 6 Dec 2020 15:46:57 +0100
Subject: [PATCH 5/9] API_PATH management
---
 conf/nginx.conf | 2 +-
 scripts/change_url | 14 ++++++++++----
 scripts/install | 9 ++++++---
 scripts/restore | 2 +-
 scripts/upgrade | 33 ++++++++------------------------
 5 files changed, 26 insertions(+), 34 deletions(-)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index f61437a..67ff968 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -26,7 +26,7 @@ location __PATH__/ {
 #sub_path_only rewrite ^api___PATH__$ api___PATH__/ permanent;
-location api___PATH__/ {
+location __API_PATH__/ {
 #Alternative path for api, only authorized json command will be accepted
 #allow only local network on IPv4
diff --git a/scripts/change_url b/scripts/change_url
index dc94edb..2da543e 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -19,8 +19,6 @@ old_path=$YNH_APP_OLD_PATH
 new_domain=$YNH_APP_NEW_DOMAIN
 new_path=$YNH_APP_NEW_PATH
-old_api=/api_$old_path
-new_api=/api_$new_path
 app=$YNH_APP_INSTANCE_NAME
@@ -32,6 +30,14 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 # Needed for helper "ynh_add_nginx_config"
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port=$(ynh_app_setting_get --app=$app --key=port)
+old_api=$(ynh_app_setting_get --app=$app --key=api_path)
+
+if [ "$new_path" == "/" ]; then
+ new_api=/api_/$app
+else
+ new_api=/api_$new_path
+fi
+
 #=================================================
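Review bot: The `new_api` derivation added at the end of the `@@ -32,6 +30,14 @@` hunk (`if [ "$new_path" == "/" ]; then … fi`) is the same five-line rule that install (`@@ -30,8 +30,11 @@`) and upgrade (`@@ -78,16 +78,19 @@`) carry for `api_path`, and three copies of the `/api_/$app` versus `/api_$path` choice will drift apart. I'd keep the rule in one function sourced by the three scripts, e.g. `api_path_for() { if [ "$1" == "/" ]; then echo "/api_/$app"; else echo "/api_$1"; fi; }`, and call `new_api=$(api_path_for "$new_path")` here. Also, `old_api` is now read from the `api_path` setting instead of being derived from `$old_path`; on an install whose settings never received that key the read yields an empty string, so whatever consumes `$old_api` further down the script (outside this hunk) should cope with the empty case.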
@@ -92,7 +98,8 @@ then
 domain="$old_domain"
 path_url="$new_path"
 # Create a dedicated nginx config
- ynh_add_nginx_config
+ # Create a dedicated nginx config
+ ynh_add_nginx_config "api_path"
 fi
 # Change the domain for nginx
@@ -121,7 +128,6 @@ ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1
 # If the app is private, API should stays publicly accessible.
 ynh_app_setting_delete --app=$app --key="api_path"
 ynh_app_setting_set --app=$app --key="api_path" --value=$new_api
- ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api" --allowed="visitors"
diff --git a/scripts/install b/scripts/install
index f5dde79..2217b28 100755
--- a/scripts/install
+++ b/scripts/install
@@ -30,8 +30,11 @@ is_public=$YNH_APP_ARG_IS_PUBLIC
 app=$YNH_APP_INSTANCE_NAME
 #Set dedicated variables
-api_path=/api_$path_url
-
+if [ "$path_url" == "/" ]; then
+ api_path=/api_/$app
+else
+ api_path=/api_$path_url
+fi
 #=================================================
 # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
 #=================================================
@@ -107,7 +110,7 @@ fi
 ynh_script_progression --message="Configuring nginx web server..." --weight=2
 # Create a dedicated nginx config
-ynh_add_nginx_config
+ynh_add_nginx_config "api_path"
 #=================================================
 # CREATE DEDICATED USER
diff --git a/scripts/restore b/scripts/restore
index 4305630..165a767 100755
--- a/scripts/restore
+++ b/scripts/restore
@@ -116,7 +116,7 @@ systemctl enable $app.service --quiet
 #=================================================
 ynh_script_progression --message="Integrating service in YunoHost..." --weight=1
-yunohost service add $app --description "A short description of the app" --log "/var/log/$app/$app.log"
+yunohost service add $app --description "Domotique open sources" --log "/var/log/$app/$app.log"
 #=================================================
 # START SYSTEMD SERVICE
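Review bot: The new side of the `@@ -92,7 +98,8 @@` change_url hunk now reads `# Create a dedicated nginx config` twice in a row; the added copy sits with the indented call, so the original context line above it should go. `ynh_add_nginx_config "api_path"` also asks the helper to substitute `__API_PATH__` from `$api_path`, yet nothing in this hunk assigns `api_path` for the new URL (the settings hunk `@@ -32,6 +30,14 @@` only sets `new_api`), so the template would be rendered from whatever `$api_path` happens to hold; `api_path="$new_api"` belongs right after `path_url="$new_path"`, which a later patch in this series does add. The enclosing `if … then` block starts outside the hunk.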
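Review bot: In the install hunk `@@ -30,8 +30,11 @@` the derived `api_path` receives its own nginx `location` block (via `__API_PATH__` in the template) but is never checked for availability, whereas the main `$path_url` presumably is in the "CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS" section that follows; a second app already registered at `/api_/<name>` on the same domain would collide with this config with no diagnostic from the script. I'd add, next to the existing path check, `ynh_webpath_available --domain=$domain --path_url=$api_path || ynh_die --message="The API path $api_path is already in use on $domain"`. The commented-out `ynh_webpath_register` in the upgrade hunk at `@@ -75,25 +76,19 @@` suggests this was considered; an availability check alone avoids overwriting the app's main registered path.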
diff --git a/scripts/upgrade b/scripts/upgrade
index 39b4427..0281134 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -78,16 +78,19 @@ fi
 #Create a dedicated path for the api access
 if [ -z "$api_path" ]; then
- api_path=/api_$path_url
- ynh_app_setting_set --app=$app --key=final_path --value=$final_path
-# ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path
+ if [ "$path_url" == "/" ]; then
+ api_path=/api_/$app
+ else
+ api_path=/api_$path_url
+ fi
+ ynh_app_setting_set --app=$app --key=api_path --value=$api_path
 fi
 # Create the permission "domoticz_API" only if it doesn't exist.
 if ! ynh_permission_exists --permission="domoticz_API"
 then
- # API Authorization wit dedicated URL
+ # API Authorization with dedicated URL
 ynh_permission_create --permission="domoticz_API" ---url="$domain$api_path" --allowed="visitors"
 fi
@@ -119,19 +122,6 @@ fi
 # Exit if an error occurs during the execution of the script
 ynh_abort_if_errors
-#=================================================
-# CHECK THE PATH
-#=================================================
-
-
-# Normalize the URL path syntax
-# N.B. : this is for app installations before YunoHost 2.7
-# where this value might be something like /foo/ or foo/
-# instead of /foo ....
-# If nobody installed your app before 2.7, then you may
-# safely remove this line
-path_url=$(ynh_normalize_url_path --path_url=$path_url)
-
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@@ -168,7 +158,7 @@ fi
 ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=1
 # Create a dedicated nginx config
-ynh_add_nginx_config
+ynh_add_nginx_config "api_path"
 #=================================================
 # UPGRADE DEPENDENCIES
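Review bot: Dropping `path_url=$(ynh_normalize_url_path --path_url=$path_url)` in `@@ -119,19 +122,6 @@` is only safe if no install predates YunoHost 2.7, as the removed comment itself says, and the first hunk makes the stored value matter more than before: `api_path=/api_$path_url` appends it verbatim, so a legacy `/foo/` would yield `/api_/foo/` and, through `__API_PATH__/` in the nginx template, a `location /api_/foo//` block. If such installs cannot be ruled out, keep the single normalization line and run it before the `api_path` block, which currently sits above it in the script; the derivation itself is also the one that would then be persisted under `api_path` for good.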
@@ -200,13 +190,6 @@ chmod 440 /etc/sudoers.d/$app
 mkdir -p /var/log/$app
 chown -R domoticz: /var/log/$app
-#=================================================
-# SETUP HOOKS FILE
-#=================================================
-
-ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess"
-ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess"
-
 #=================================================
 # SETUP SYSTEMD
From a4208525c899bb14a03592d1a5537a3368ac704d Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Sun, 6 Dec 2020 22:10:18 +0100
Subject: [PATCH 6/9] add api_path
---
 scripts/change_url | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/change_url b/scripts/change_url
index 2da543e..4656f85 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -97,6 +97,7 @@ then
 # Set global variables for nginx helper
 domain="$old_domain"
 path_url="$new_path"
+ api_path="$new_api"
 # Create a dedicated nginx config
 # Create a dedicated nginx config
 ynh_add_nginx_config "api_path"
@@ -128,7 +129,7 @@ ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1
 # If the app is private, API should stays publicly accessible.
 ynh_app_setting_delete --app=$app --key="api_path"
 ynh_app_setting_set --app=$app --key="api_path" --value=$new_api
-ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api" --allowed="visitors"
+ynh_permission_url --permission domoticz_API --url "$new_domain$new_api"
 #=================================================
From ebcc1275bb965bbdef4dc318deec28600123724b Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Mon, 7 Dec 2020 23:04:12 +0100
Subject: [PATCH 7/9] typo
---
 scripts/upgrade | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/upgrade b/scripts/upgrade
index 0281134..cc4a906 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
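Review bot: In the `@@ -128,7 +129,7 @@` change_url hunk, `ynh_app_setting_delete --app=$app --key="api_path"` on the context line before the set is redundant, since `ynh_app_setting_set` on the same key replaces the value; the delete only opens a window in which the setting is absent if the script aborts between the two, so I'd drop it. The rewritten call `ynh_permission_url --permission domoticz_API --url "$new_domain$new_api"` also departs from the `--option="value"` form used by every other helper call in this series; for consistency I'd write `ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api"`. The comment `# If the app is private, API should stays publicly accessible.` no longer describes what these lines do and could be reworded to `# Keep the API permission pointing at the new URL.`.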
@@ -91,7 +91,7 @@ fi
 if ! ynh_permission_exists --permission="domoticz_API"
 then
 # API Authorization with dedicated URL
- ynh_permission_create --permission="domoticz_API" ---url="$domain$api_path" --allowed="visitors"
+ ynh_permission_create --permission="domoticz_API" --url="$domain$api_path" --allowed="visitors"
 fi
From 03589eca2bd20f99059f14af12cdf02fd69eca4d Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Fri, 11 Dec 2020 00:13:46 +0100
Subject: [PATCH 8/9] Add previous commit
---
 check_process | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/check_process b/check_process
index 3ab463d..b9d9af3 100644
--- a/check_process
+++ b/check_process
@@ -13,11 +13,10 @@
 pkg_linter=1
 setup_sub_dir=1
 setup_root=1
- setup_nourl=0
 setup_private=1
 setup_public=1
 upgrade=1
-# upgrade=1 from_commit=
+ upgrade=1 from_commit=cf402923ff6feeead1c87555c6e9207b8c7f6595
 backup_restore=1
 multi_instance=0
 port_already_use=1
From 94ee40c2d6a241fd8e1602f1f63618ddbdd808c1 Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Sun, 17 Jan 2021 19:02:59 +0100
Subject: [PATCH 9/9] Allow upload of files up to 10M
---
 conf/nginx.conf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 67ff968..e740b6b 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -13,6 +13,9 @@ location __PATH__/ {
 more_set_headers "X-Frame-Options: SAMEORIGIN";
 proxy_pass http://localhost:__PORT__/;
 proxy_set_header Host $host;
+ #Allow upload until 10M to upload floorplan
+ client_max_body_size 10M;
+
 # Force usage of https