diff --git a/.gitignore b/.gitignore
index 783a4ae..abf52e7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 *~
 *.sw[op]
+/hooks/
diff --git a/README.md b/README.md
index eacabe2..98cb053 100644
--- a/README.md
+++ b/README.md
@@ -37,8 +37,43 @@ Once installed, **updates from the uptream app are managed from within the app.* ## Configuration -All the configuration of the app take place inside the app itself. +### Sensors, language and this kind of stuff +Main configuration of the app take place inside the app itself. +### Access and API +By default, access for the [JSON API](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) is allowed on following path `/yourdomain.tld/api_/domoticzpath`. +So if you access domoticz via https://mydomainname.tld/domoticz, use the following webpath for the api : `/mydomainname.tld/api_/domoticz/json.htm?yourapicommand` + +By default, only sensor updates and switch toogle are authorized. To authorized a new command, you have (for now) to manually update the nginx config file : +```` +sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf +```` +Then edit the following block by adding the regex of the command you want to allow: +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$) { + set $api "1"; + } +```` +For example, to add the json command to retrieve the status of a device (/json.htm?type=devices&rid=IDX),modify the line as this: +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) { + set $api "1"; + } +```` + +All IPv6 and IPv4 address within the local network (192.168.0.0/24) are authorized as API. 
+As far as I know, there is no way to use such filter for IPv6 address : You may remove the authorization by removing or commenting this line in `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`: +```` +allow ::/1; +```` +This will authorized only IPv4 within local network to access your domoticz API. +You may add individual IPv6 address in the same way. ## Documentation diff --git a/README_fr.md b/README_fr.md index ab352bb..2f8bd05 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -35,7 +35,44 @@ Une fois installée, **les mises à jour de l'application sont gérées depuis l ## Configuration -Toute la configuration a lieu à l'intérieur de l'application elle-même. +### Senseurs, langue et ce genre de choses +Toute la configuration de l'application a lieu dans l'application elle même +Main configuration of the app take place inside the app itself. + +### Accès et API +Par défaut, l'accès aux [API JSON](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) est autorisé sur cette URL `/votredomaine.tld/api_/chemindedomoticz`. +Donc, si vous accédez à domoticz par https://votredomaine.tld/domoticz, utilisez le chemin suivant pour l'api: `/votredomaine.tld/api_/domoticz/json.htm?votrecommandeapi` + +Par défaut, seuls la mise à jour de senseur et les interrupteurs sont autorisés. Pour autoriser une nouvelle commande, vous devez (pour l'instant) manuellement éditer le fichier de configuration nginx : +```` +sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf +```` +Puis éditer le bloc suivant en y ajoutant le regex de la commmande à autoriser : +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$) { + set $api "1"; + } +```` +Par exemple, pour ajouter la commmande json pour retrouver le statut d'un équipement (/json.htm?type=devices&rid=IDX),il faut modifier la ligne comme ceci: +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* 
type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) { + set $api "1"; + } +```` + +Toutes les adresses IPv6 et les adresses IPv4 du réseau local (192.168.0.0/24) sont autorisées pour l'API. +A ma connaissance, il n'y a pas moyen d'effectuer un tel filtre pour les adresses IPv6, vous pouvez donc retirer leur autorisation en enlevant ou en commentant la ligne suivante dans `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`: +```` +allow ::/1; +```` +Ceci autorisera seulement les adresses IPv4 local a accéder aux API de domoticz. +Vous pouvez ajouter des adresses IPv6 de la même façon. ## Documentation diff --git a/check_process b/check_process index 3ab463d..b9d9af3 100644 --- a/check_process +++ b/check_process @@ -13,11 +13,10 @@ pkg_linter=1 setup_sub_dir=1 setup_root=1 - setup_nourl=0 setup_private=1 setup_public=1 upgrade=1 -# upgrade=1 from_commit= + upgrade=1 from_commit=cf402923ff6feeead1c87555c6e9207b8c7f6595 backup_restore=1 multi_instance=0 port_already_use=1 diff --git a/conf/nginx.conf b/conf/nginx.conf index 7414aa6..67ff968 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
@@ -1,20 +1,18 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - # Path to source - #alias __FINALPATH__/ ; - proxy_http_version 1.1; - proxy_read_timeout 90; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded_Proto $scheme; - proxy_set_header X-Scheme $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - more_set_headers "X-Frame-Options: SAMEORIGIN"; + #Settings for main domoticz interface via web browser + proxy_http_version 1.1; + proxy_read_timeout 90; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded_Proto $scheme; + proxy_set_header X-Scheme $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + more_set_headers "X-Frame-Options: SAMEORIGIN"; proxy_pass http://localhost:__PORT__/; proxy_set_header Host $host; - #proxy_buffering off; # Force usage of https 
@@ -22,7 +20,49 @@ location __PATH__/ { rewrite ^ https://$server_name$request_uri? permanent; } - # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; +} + + +#sub_path_only rewrite ^api___PATH__$ api___PATH__/ permanent; +location __API_PATH__/ { + #Alternative path for api, only authorized json command will be accepted + + #allow only local network on IPv4 + allow 192.168.0.0/16; + #allow all address in IPv6 => how to filter? + allow ::/1; + deny all; + + proxy_http_version 1.1; + proxy_read_timeout 90; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded_Proto $scheme; + proxy_set_header X-Scheme $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + more_set_headers "X-Frame-Options: SAMEORIGIN"; + proxy_pass http://localhost:__PORT__/; + proxy_set_header Host $host; + + set $api "0"; + + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$) { + set $api "1"; + } + + if ($api = 0) { + return 403; + } + + # Force usage of https + if ($scheme = http) { + rewrite ^ https://$server_name$request_uri? permanent; + } + } \ No newline at end of file diff --git a/manifest.json b/manifest.json index 71d10f2..f461f3b 100644 --- a/manifest.json +++ b/manifest.json 
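Review bot: `allow ::/1;` in the new `__API_PATH__/` location does not limit IPv6 to the local network: `::/1` is every address whose first bit is 0, which takes in the entire global-unicast range (2000::/3) while leaving out the ranges that actually are local, link-local `fe80::/10` and unique-local `fc00::/7`, so any IPv6 client on the Internet passes the access check and only the `$args` regex stands between it and the proxied backend. The comment `#allow all address in IPv6 => how to filter?` already admits this; the local equivalents are `allow fe80::/10;` and `allow fc00::/7;`, plus the site's own delegated prefix if LAN hosts use global addresses, and the README text in the L2/L3 and L4/L5 hunks should stop describing `::/1` as local-only. The IPv4 rule `allow 192.168.0.0/16;` also disagrees with the `192.168.0.0/24` stated in both READMEs; one of them needs to change. Separately, the udevice branch of the allow-list regex ends in `svalue=.*$`, which accepts any further query parameters after svalue; `svalue=[^&]*$` restricts the match to that single value.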
@@ -6,7 +6,7 @@ "en": "Very light weight open sources home automation system that lets you monitor and configure miscellaneous devices", "fr": "Logiciel open sources et gratuit de domotique qui vous permet de configurer un grand nombre d'appareils" }, - "version": "2020.2~ynh1", + "version": "2020.2~ynh2", "url": "https://www.domoticz.com", "license": "GPL-3.0-or-later", "maintainer": { diff --git a/scripts/change_url b/scripts/change_url index 117a84a..4656f85 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -25,17 +25,25 @@ app=$YNH_APP_INSTANCE_NAME #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." --time --weight=1 +ynh_script_progression --message="Loading installation settings..." --weight=1 # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) port=$(ynh_app_setting_get --app=$app --key=port) +old_api=$(ynh_app_setting_get --app=$app --key=api_path) + +if [ "$new_path" == "/" ]; then + new_api=/api_/$app +else + new_api=/api_$new_path +fi + #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= -ynh_script_progression --message="Backing up the app before changing its url (may take a while)..." --time --weight=1 +ynh_script_progression --message="Backing up the app before changing its url (may take a while)..." --weight=5 # Backup the current version of the app ynh_backup_before_upgrade 
@@ -70,14 +78,14 @@ fi #================================================= # STOP SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Stopping a systemd service..." --time --weight=1 +ynh_script_progression --message="Stopping a systemd service..." --weight=2 ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" #================================================= # MODIFY URL IN NGINX CONF #================================================= -ynh_script_progression --message="Updating nginx web server configuration..." --time --weight=1 +ynh_script_progression --message="Updating nginx web server configuration..." --weight=1 nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf @@ -89,8 +97,10 @@ then # Set global variables for nginx helper domain="$old_domain" path_url="$new_path" + api_path="$new_api" # Create a dedicated nginx config - ynh_add_nginx_config + # Create a dedicated nginx config + ynh_add_nginx_config "api_path" fi # Change the domain for nginx 
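Review bot: The comment `# Create a dedicated nginx config` now appears twice in a row above `ynh_add_nginx_config "api_path"` in the `@@ -89,8 +97,10 @@` hunk; keep one. Since the call now passes `"api_path"` and sets `api_path="$new_api"` just before it, a comment saying why would help the next reader: `# api_path is exported so the helper can substitute __API_PATH__ in conf/nginx.conf`.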
@@ -111,17 +121,29 @@ fi #================================================= # GENERIC FINALISATION +#================================================= +# SETUP SSOWAT +#================================================= +ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1 + +# If the app is private, API should stays publicly accessible. +ynh_app_setting_delete --app=$app --key="api_path" +ynh_app_setting_set --app=$app --key="api_path" --value=$new_api +ynh_permission_url --permission domoticz_API --url "$new_domain$new_api" + + #================================================= # START SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Starting a systemd service..." --time --weight=1 + +ynh_script_progression --message="Starting a systemd service..." --weight=2 ynh_systemd_action --service_name=$app --action="start" #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." --time --weight=1 +ynh_script_progression --message="Reloading nginx web server..." --weight=1 ynh_systemd_action --service_name=nginx --action=reload @@ -129,4 +151,4 @@ ynh_systemd_action --service_name=nginx --action=reload # END OF SCRIPT #================================================= -ynh_script_progression --message="Change of URL completed for $app" --time --last +ynh_script_progression --message="Change of URL completed for $app"--last diff --git a/scripts/install b/scripts/install index 8598b32..2217b28 100755 --- a/scripts/install +++ b/scripts/install 
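Review bot: `ynh_app_setting_delete --app=$app --key="api_path"` immediately before `ynh_app_setting_set` of the same key is redundant, since the set overwrites the stored value; drop the delete line. The comment above it should state what the block actually does: `# Keep the API URL reachable by visitors (no SSOwat login) after the domain/path change`. `old_api`, read in the `@@ -25,17 +25,25 @@` hunk on L8, is not used in any of the visible hunks; if nothing outside them uses it either, it can go.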
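Review bot: The final progression call in the `@@ -129,4 +151,4 @@` hunk drops the space before `--last`: with `--message="Change of URL completed for $app"--last` the shell passes the literal text `--last` as the tail of the message and no `--last` flag reaches the helper, so the script never signals its end. It should read `ynh_script_progression --message="Change of URL completed for $app" --last`.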
@@ -29,6 +29,12 @@ path_url=$YNH_APP_ARG_PATH is_public=$YNH_APP_ARG_IS_PUBLIC app=$YNH_APP_INSTANCE_NAME +#Set dedicated variables +if [ "$path_url" == "/" ]; then + api_path=/api_/$app +else + api_path=/api_$path_url +fi #================================================= # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= @@ -39,6 +45,8 @@ test ! -e "$final_path" || ynh_die --message="This path already contains a folde # Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url +#ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path + #================================================= # STORE SETTINGS FROM MANIFEST @@ -53,6 +61,9 @@ ynh_app_setting_set --app=$app --key=is_public --value=$is_public ynh_app_setting_set --app=$app --key=OS --value=$OS ynh_app_setting_set --app=$app --key=mach --value=$MACH +#path used by api to read/update domoticz +ynh_app_setting_set --app=$app --key=api_path --value=$api_path + #================================================= # STANDARD MODIFICATIONS @@ -63,8 +74,6 @@ ynh_app_setting_set --app=$app --key=mach --value=$MACH # Find an available port port=$(ynh_find_port --port=8080) ynh_app_setting_set --app=$app --key=port --value=$port -#Standard yunohost does not change __PORT__ in systemd.service -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" #================================================= # INSTALL DEPENDENCIES @@ -101,7 +110,7 @@ fi ynh_script_progression --message="Configuring nginx web server..." --weight=2 # Create a dedicated nginx config -ynh_add_nginx_config +ynh_add_nginx_config "api_path" #================================================= # CREATE DEDICATED USER 
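Review bot: The API path is never reserved: in the `@@ -39,6 +45,8 @@` hunk `#ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path` is left commented out, so nothing records that `$api_path` is taken and a later install at that path could collide with the `__API_PATH__/` location this app writes; the matching `ynh_webpath_available` check in scripts/restore (L13 hunk) is commented out the same way. If registration is skipped because the helper rejects the path, say so next to the commented line, e.g. `# api_path is not registered: <reason>`; otherwise enable both lines. The `api_path` derivation in the `@@ -29,6 +29,12 @@` hunk also uses `$path_url` straight from the manifest argument; presumably it is normalized later, but deriving `api_path` after that step would avoid storing `/api_/foo/`-style values for a path given with a trailing slash.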
@@ -128,16 +137,19 @@ chmod 440 /etc/sudoers.d/$app mkdir -p /var/log/$app chown -R domoticz: /var/log/$app + #================================================= # SETUP SYSTEMD #================================================= ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config -ynh_add_systemd_config +ynh_add_systemd_config --others_var="port" #ynh_store_file_checksum --file="$final_path/CONFIG_FILE" + + #================================================= # GENERIC FINALIZATION #================================================= @@ -183,11 +195,13 @@ ynh_systemd_action --service_name=$app --action="start" ynh_script_progression --message="Configuring SSOwat..." --weight=1 # Make app public if necessary -if [ $is_public -eq 1 ] -then - # unprotected_uris allows SSO credentials to be passed anyway. +if [ $is_public -eq 1 ]; then ynh_permission_update --permission "main" --add visitors fi +#API should stay publicly accessible. +ynh_permission_create --permission="domoticz_API" --url="$domain$api_path" --allowed="visitors" + + #================================================= # RELOAD NGINX diff --git a/scripts/restore b/scripts/restore index ad9f96a..165a767 100755 --- a/scripts/restore +++ b/scripts/restore @@ -33,6 +33,7 @@ path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) backup_OS=$(ynh_app_setting_get --app=$app --key=OS) backup_mach=$(ynh_app_setting_get --app=$app --key=mach) +api_path=$(ynh_app_setting_get --app=$app --key=api_path) #================================================= # CHECK IF THE APP CAN BE RESTORED 
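Review bot: `ynh_permission_create --permission="domoticz_API" --url="$domain$api_path" --allowed="visitors"` in the `@@ -183,11 +195,13 @@` hunk grants unauthenticated access to the whole API path, so SSOwat no longer protects it and the only remaining controls are the `allow`/`deny` list and the `$args` command regex in conf/nginx.conf. The comment `#API should stay publicly accessible.` should say that explicitly: `# The API path is exempt from SSOwat; access is limited only by the allow/deny list and command regex in conf/nginx.conf`. The same call and comment appear in scripts/upgrade (`@@ -75,6 +76,25 @@` hunk on L14) and want the same wording.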
@@ -41,6 +42,8 @@ ynh_script_progression --message="Validating restoration parameters..." --weight ynh_webpath_available --domain=$domain --path_url=$path_url \ || ynh_die --message="Path not available: ${domain}${path_url}" +#ynh_webpath_available --domain=$domain --path_url=$api_path \ +# || ynh_die --message="Path not available: ${domain}${api_path}" test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path " #As we are downloading compiled binaries for each system, we have to check if the restore occurs @@ -113,7 +116,7 @@ systemctl enable $app.service --quiet #================================================= ynh_script_progression --message="Integrating service in YunoHost..." --weight=1 -yunohost service add $app --description "A short description of the app" --log "/var/log/$app/$app.log" +yunohost service add $app --description "Domotique open sources" --log "/var/log/$app/$app.log" #================================================= # START SYSTEMD SERVICE diff --git a/scripts/upgrade b/scripts/upgrade index 17858a2..cc4a906 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -27,6 +27,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) port=$(ynh_app_setting_get --app=$app --key=port) current_OS=$(ynh_app_setting_get --app=$app --key=OS) current_mach=$(ynh_app_setting_get --app=$app --key=mach) +api_path=$(ynh_app_setting_get --app=$app --key=api_path) #================================================= # CHECK VERSION 
@@ -57,7 +58,7 @@ elif [ "$is_public" = "No" ]; then elif [ -z "$is_public" ]; then ynh_app_setting_set --app=$app --key=is_public --value=1 is_public=1 - ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentifaction." +ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentication." ynh_print_warn --message="if you require to set it as private, please use the authorization config panel in Users/Manage Groups and permissions" fi @@ -75,6 +76,25 @@ if [ -z "$final_path" ]; then ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi +#Create a dedicated path for the api access +if [ -z "$api_path" ]; then + if [ "$path_url" == "/" ]; then + api_path=/api_/$app + else + api_path=/api_$path_url + fi + ynh_app_setting_set --app=$app --key=api_path --value=$api_path +fi + + +# Create the permission "domoticz_API" only if it doesn't exist. +if ! ynh_permission_exists --permission="domoticz_API" +then + # API Authorization with dedicated URL + ynh_permission_create --permission="domoticz_API" --url="$domain$api_path" --allowed="visitors" +fi + + #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= 
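Review bot: In the `@@ -57,7 +58,7 @@` hunk the rewritten `ynh_print_warn` line lost its indentation inside the `elif [ -z "$is_public" ]` branch, so it no longer lines up with the second `ynh_print_warn` that follows it; keep the four-space indent while fixing the typo. The message is also still missing a space after the comma: `--message="Application was set as public in the previous version, meaning it's available without authentication."`.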
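Review bot: `api_path=/api_$path_url` in the `@@ -75,6 +76,25 @@` hunk is derived from the stored `path_url` as-is, while the `@@ -102,19 +122,6 @@` hunk on L15 removes the `ynh_normalize_url_path` call that used to normalize it; for an older install whose stored path is `/foo/` or `foo`, the derived value (e.g. `/api_/foo/`) is then persisted with `ynh_app_setting_set` and handed to `ynh_permission_create`. Either keep the normalization or run `path_url=$(ynh_normalize_url_path --path_url=$path_url)` ahead of the `if [ -z "$api_path" ]` block. Note also that `ynh_permission_create` executes before the backup and the `ynh_abort_if_errors` trap of the following section (outside this hunk), so a failed upgrade that rolls back presumably leaves the new permission in place; moving the block after the trap is armed would keep it covered.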
@@ -102,19 +122,6 @@ fi # Exit if an error occurs during the execution of the script ynh_abort_if_errors -#================================================= -# CHECK THE PATH -#================================================= - - -# Normalize the URL path syntax -# N.B. : this is for app installations before YunoHost 2.7 -# where this value might be something like /foo/ or foo/ -# instead of /foo .... -# If nobody installed your app before 2.7, then you may -# safely remove this line -path_url=$(ynh_normalize_url_path --path_url=$path_url) - #================================================= # STANDARD UPGRADE STEPS #================================================= @@ -151,7 +158,7 @@ fi ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=1 # Create a dedicated nginx config -#ynh_add_nginx_config +ynh_add_nginx_config "api_path" #================================================= # UPGRADE DEPENDENCIES @@ -183,14 +190,14 @@ chmod 440 /etc/sudoers.d/$app mkdir -p /var/log/$app chown -R domoticz: /var/log/$app + #================================================= # SETUP SYSTEMD #================================================= ynh_script_progression --message="Upgrading systemd configuration..." --weight=1 -#Standard yunohost does not change __PORT__ in systemd.service -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" + # Create a dedicated systemd config -ynh_add_systemd_config +ynh_add_systemd_config --others_var="port" #================================================= # MODIFY A CONFIG FILE