API madness

.gitignore

@@ -1,2 +1,3 @@
 *~
 *.sw[op]
+/hooks/

README.md

@@ -37,7 +37,42 @@ Once installed, **updates from the uptream app are managed from within the app.*
 
 ## Configuration
 
-All the configuration of the app take place inside the app itself.
+### Sensors, language and this kind of stuff
+Main configuration of the app take place inside the app itself.
+
+### Access and API
+By default, access for the [JSON API](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) is allowed on following path `/yourdomain.tld/api_/domoticzpath`.
+So if you access domoticz via https://mydomainname.tld/domoticz, use the following webpath for the api : `https://mydomainname.tld/api_/domoticz/json.htm?yourapicommand`
+
+By default, only sensor updates and switch toogle are authorized. To authorized a new command, you have (for now) to manually update the nginx config file :
+````
+sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf
+```
+Then edit the following block by adding the regex of the command you want to allow:
+````
+  #set the list of authorized json command here in regex format
+  #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
+  #By default, sensors updates and toggle switch are authorized
+  if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$) {
+    set $api "1";
+    }
+````
+For example, to add the json command to retrieve the status of a device (/json.htm?type=devices&rid=IDX),modify the line as this:
+````
+  #set the list of authorized json command here in regex format
+  #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
+  #By default, sensors updates and toggle switch are authorized
+  if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) {
+    set $api "1";
+    }
+````
+
+All IPv6 and IPv4 address within the local network (192.168.0.0/24) are authorized as API.
+As far as I know, there is no way to use such filter for IPv6 address : You may remove the authorization by removing or commenting this line in `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`:
+````
+allow ::/1;
+````
+This will authorized only IPv4 within local network to access your domoticz API.
 
 
 ## Documentation

README_fr.md

@@ -35,7 +35,43 @@ Une fois installée, **les mises à jour de l'application sont gérées depuis l
 
 ## Configuration
 
-Toute la configuration a lieu à l'intérieur de l'application elle-même.
+### Senseurs, langue et ce genre de choses
+Toute la configuration de l'application a lieu dans l'application elle même
+Main configuration of the app take place inside the app itself.
+
+### Accès et API
+Par défaut, l'accès aux [API JSON](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) est autorisé sur cette URL `/votredomaine.tld/api_/chemindedomoticz`.
+Donc, si vous accédez à domoticz par https://votredomaine.tld/domoticz, utilisez le chemin suivant pour l'api:`https://votredomaine.tld/api_/domoticz/json.htm?votrecommandeapi`
+
+Par défaut, seuls la mise à jour de senseur et les interrupteurs sont autorisés. Pour autoriser une nouvelle commande, vous devez (pour l'instant) manuellement éditer le fichier de configuration nginx :
+````
+sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf
+```
+Puis éditer le bloc suivant en y ajoutant le regex de la commmande à autoriser :
+````
+  #set the list of authorized json command here in regex format
+  #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
+  #By default, sensors updates and toggle switch are authorized
+  if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$) {
+    set $api "1";
+    }
+````
+Par exemple, pour ajouter la commmande json pour retrouver le statut d'un équipement (/json.htm?type=devices&rid=IDX),il faut modifier la ligne comme ceci:
+````
+  #set the list of authorized json command here in regex format
+  #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
+  #By default, sensors updates and toggle switch are authorized
+  if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) {
+    set $api "1";
+    }
+````
+
+Toutes les adresses IPv6 et les adresses IPv4 du réseau local (192.168.0.0/24) sont autorisées pour l'API.
+A ma connaissance, il n'y a pas moyen d'effectuer un tel filtre pour les adresses IPv6, vous pouvez donc retirer leur autorisation en enlevant ou en commentant la ligne suivante dans `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`:
+````
+allow ::/1;
+````
+Ceci autorisera seulement les adresses IPv4 local a accéder aux API de domoticz.
 
 ## Documentation
 

conf/nginx.conf

@@ -1,8 +1,7 @@
 #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
 location __PATH__/ {
 
-  # Path to source
-  #alias __FINALPATH__/ ;
+  #Settings for main domoticz interface via web browser
   proxy_http_version 1.1;
   proxy_read_timeout 90;
   proxy_set_header X-Real-IP $remote_addr;
@@ -14,7 +13,6 @@ location __PATH__/ {
   more_set_headers "X-Frame-Options: SAMEORIGIN";
   proxy_pass http://localhost:__PORT__/;
   proxy_set_header Host $host;
-  #proxy_buffering off;
   
 
   # Force usage of https
@@ -22,7 +20,49 @@ location __PATH__/ {
     rewrite ^ https://$server_name$request_uri? permanent;
   }
 
-
   # Include SSOWAT user panel.
   include conf.d/yunohost_panel.conf.inc;
+}
+
+
+#sub_path_only rewrite ^api___PATH__$ api___PATH__/ permanent;
+location api___PATH__/ {
+  #Alternative path for api, only authorized json command will be accepted
+
+  #allow only local network on IPv4
+  allow 192.168.0.0/16;
+  #allow all address in IPv6 => how to filter?
+  allow ::/1;
+  deny all;
+
+  proxy_http_version 1.1;
+  proxy_read_timeout 90;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded_Proto $scheme;
+  proxy_set_header X-Scheme $scheme;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $connection_upgrade;
+  more_set_headers "X-Frame-Options: SAMEORIGIN";
+  proxy_pass http://localhost:__PORT__/;
+  proxy_set_header Host $host;
+  
+  set $api "0";
+  
+  #set the list of authorized json command here in regex format
+  #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
+  #By default, sensors updates and toggle switch are authorized
+  if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$) {
+    set $api "1";
+  }
+
+  if ($api = 0) {
+    return 403;
+  }
+
+  # Force usage of https
+  if ($scheme = http) {
+    rewrite ^ https://$server_name$request_uri? permanent;
+  }
+
 }

hooks/post_app_addaccess

@@ -1,30 +0,0 @@
-#!/bin/bash
-
-# Source app helpers
-source /usr/share/yunohost/helpers
-
-app=$1
-added_users=$2
-permission=$3
-added_groups=$4
-
-if [ "$app" == __APP__ ]; then
-    if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed.
-        if [ "$added_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
-            domain=$(ynh_app_setting_get --app=$app --key=domain)
-            path_url=$(ynh_app_setting_get --app=$app --key=path)
-
-            if [ "$path_url" == "/" ]; then
-                # If the path is /, clear it to prevent any error with the regex.
-                path_url=""
-            fi
-            # Modify the domain to be used in a regex
-            domain_regex=$(echo "$domain" | sed 's@-@.@g')
-            ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
-
-            yunohost app ssowatconf
-        else
-            ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
-        fi
-    fi
-fi

hooks/post_app_removeaccess

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-# Source app helpers
-source /usr/share/yunohost/helpers
-
-app=$1
-removed_users=$2
-permission=$3
-removed_groups=$4
-
-if [ "$app" == __APP__ ]; then
-    if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed.
-        if [ "$removed_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
-
-            # We remove the regex, no more protection is needed.
-            ynh_app_setting_delete --app=$app --key=unprotected_regex
-
-            yunohost app ssowatconf
-        else
-            ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
-        fi
-    fi
-fi

scripts/change_url

@@ -19,6 +19,8 @@ old_path=$YNH_APP_OLD_PATH
 new_domain=$YNH_APP_NEW_DOMAIN
 new_path=$YNH_APP_NEW_PATH
 
+old_api=/api_$old_path
+new_api=/api_$new_path
 
 app=$YNH_APP_INSTANCE_NAME
 
@@ -117,16 +119,10 @@ fi
 ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1
 
 # If the app is private, API should stays publicly accessible.
-if [ $is_public -eq 0 ]
-then
-	if [ "$path_url" == "/" ]; then
-	    # If the path is /, clear it to prevent any error with the regex.
-	    path_url=""
-	fi
-	# Modify the domain to be used in a regex
-	domain_regex=$(echo "$new_domain" | sed 's@-@.@g')
-	ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
-fi
+ynh_app_setting_delete --app=$app --key="api_path"
+ynh_app_setting_set --app=$app --key="api_path" --value=$new_api
+
+ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api" --allowed="visitors"
 
 
 #=================================================

scripts/install

@@ -29,6 +29,9 @@ path_url=$YNH_APP_ARG_PATH
 is_public=$YNH_APP_ARG_IS_PUBLIC
 app=$YNH_APP_INSTANCE_NAME
 
+#Set dedicated variables
+api_path=/api_$path_url
+
 #=================================================
 # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
 #=================================================
@@ -39,6 +42,8 @@ test ! -e "$final_path" || ynh_die --message="This path already contains a folde
 
 # Register (book) web path
 ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
+#ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path
+
 
 #=================================================
 # STORE SETTINGS FROM MANIFEST
@@ -53,6 +58,9 @@ ynh_app_setting_set --app=$app --key=is_public --value=$is_public
 ynh_app_setting_set --app=$app --key=OS --value=$OS
 ynh_app_setting_set --app=$app --key=mach --value=$MACH
 
+#path used by api to read/update domoticz
+ynh_app_setting_set --app=$app --key=api_path --value=$api_path
+
 
 #=================================================
 # STANDARD MODIFICATIONS
@@ -63,8 +71,6 @@ ynh_app_setting_set --app=$app --key=mach --value=$MACH
 # Find an available port
 port=$(ynh_find_port --port=8080)
 ynh_app_setting_set --app=$app --key=port --value=$port
-#Standard yunohost does not change __PORT__ in systemd.service
-#ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service"
 
 #=================================================
 # INSTALL DEPENDENCIES
@@ -128,13 +134,6 @@ chmod 440 /etc/sudoers.d/$app
 mkdir -p /var/log/$app
 chown -R domoticz: /var/log/$app
 
-#=================================================
-# SETUP HOOKS FILE
-#=================================================
-
-ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess"
-ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess"
-
 
 #=================================================
 # SETUP SYSTEMD
@@ -195,20 +194,10 @@ ynh_script_progression --message="Configuring SSOwat..." --weight=1
 # Make app public if necessary
 if [ $is_public -eq 1 ]; then
 	ynh_permission_update --permission "main" --add visitors
-else
-	# If the app is private, API should stays publicly accessible.
-	# This is a fake permission without any URL.
-	# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
-	# We can't use a real permission for now because the actual permision system doesn't support regex.
-	ynh_permission_create --permission="domoticz_API" --allowed="visitors"	
-	if [ "$path_url" == "/" ]; then
-		# If the path is /, clear it to prevent any error with the regex.
-		path_url=""
-	fi
-#	# Modify the domain to be used in a regex
-	domain_regex=$(echo "$domain" | sed 's@-@.@g')
-	ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
 fi
+#API should stay publicly accessible.
+ynh_permission_create --permission="domoticz_API" --url="$domain$api_path" --allowed="visitors"
+
 
 
 #=================================================

scripts/restore

@@ -33,6 +33,7 @@ path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 backup_OS=$(ynh_app_setting_get --app=$app --key=OS)
 backup_mach=$(ynh_app_setting_get --app=$app --key=mach)
+api_path=$(ynh_app_setting_get --app=$app --key=api_path)
 
 #=================================================
 # CHECK IF THE APP CAN BE RESTORED
@@ -41,6 +42,8 @@ ynh_script_progression --message="Validating restoration parameters..." --weight
 
 ynh_webpath_available --domain=$domain --path_url=$path_url \
 	|| ynh_die --message="Path not available: ${domain}${path_url}"
+#ynh_webpath_available --domain=$domain --path_url=$api_path \
+#	|| ynh_die --message="Path not available: ${domain}${api_path}"
 test ! -d $final_path \
 	|| ynh_die --message="There is already a directory: $final_path "
 #As we are downloading compiled binaries for each system, we have to check if the restore occurs

scripts/upgrade

@@ -27,6 +27,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 port=$(ynh_app_setting_get --app=$app --key=port)
 current_OS=$(ynh_app_setting_get --app=$app --key=OS)
 current_mach=$(ynh_app_setting_get --app=$app --key=mach)
+api_path=$(ynh_app_setting_get --app=$app --key=api_path)
 
 #=================================================
 # CHECK VERSION
@@ -57,7 +58,7 @@ elif [ "$is_public" = "No" ]; then
 elif [ -z "$is_public" ]; then
 	ynh_app_setting_set --app=$app --key=is_public --value=1
 	is_public=1
-	ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentifaction."
+ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentication."
 	ynh_print_warn --message="if you require to set it as private, please use the authorization config panel in Users/Manage Groups and permissions"
 fi
 
@@ -75,25 +76,19 @@ if [ -z "$final_path" ]; then
 	ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 fi
 
+#Create a dedicated path for the api access
+if [ -z "$api_path" ]; then
+	api_path=/api_$path_url
+	ynh_app_setting_set --app=$app --key=final_path --value=$final_path
+#	ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path
+fi
+
+
 # Create the permission "domoticz_API" only if it doesn't exist.
 if ! ynh_permission_exists --permission="domoticz_API"
 then
-	# This is a fake permission without any URL.
-	# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
-	# We can't use a real permission for now because the actual permision system doesn't support regex.
-	ynh_permission_create --permission="domoticz_API" --allowed="visitors"
-
-	# Make API public if necessary
-	if [ $is_public -eq 0 ]
-	then
-		if [ "$path_url" == "/" ]; then
-			# If the path is /, clear it to prevent any error with the regex.
-			path_url=""
-		fi
-		# Modify the domain to be used in a regex
-		domain_regex=$(echo "$domain" | sed 's@-@.@g')
-		ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
-	fi
+	# API Authorization wit dedicated URL
+	ynh_permission_create --permission="domoticz_API" ---url="$domain$api_path" --allowed="visitors"
 fi
 
 
@@ -173,7 +168,7 @@ fi
 ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=1
 
 # Create a dedicated nginx config
-#ynh_add_nginx_config
+ynh_add_nginx_config
 
 #=================================================
 # UPGRADE DEPENDENCIES