From 6aa7b1d28bcc83b7148db3564a4149af07fe1a2c Mon Sep 17 00:00:00 2001
From: Krakinou
Date: Sat, 5 Dec 2020 23:08:32 +0100
Subject: [PATCH] API madness

---
 .gitignore | 1 +
 README.md | 37 +++++++++++++++++++++++++++-
 README_fr.md | 38 ++++++++++++++++++++++++++++-
 conf/nginx.conf | 48 +++++++++++++++++++++++++++++++++----
 hooks/post_app_addaccess | 30 -----------------------
 hooks/post_app_removeaccess | 23 ------------------
 scripts/change_url | 16 +++++--------
 scripts/install | 33 +++++++++----------------
 scripts/restore | 3 +++
 scripts/upgrade | 31 ++++++++++--------------
 10 files changed, 151 insertions(+), 109 deletions(-)
 delete mode 100644 hooks/post_app_addaccess
 delete mode 100644 hooks/post_app_removeaccess

diff --git a/.gitignore b/.gitignore
index 783a4ae..abf52e7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 *~
 *.sw[op]
+/hooks/
diff --git a/README.md b/README.md
index eacabe2..fc83019 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,42 @@ Once installed, **updates from the uptream app are managed from within the app.* ## Configuration -All the configuration of the app take place inside the app itself. +### Sensors, language and this kind of stuff +Main configuration of the app take place inside the app itself. + +### Access and API +By default, access for the [JSON API](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) is allowed on following path `/yourdomain.tld/api_/domoticzpath`. +So if you access domoticz via https://mydomainname.tld/domoticz, use the following webpath for the api : `https://mydomainname.tld/api_/domoticz/json.htm?yourapicommand` + +By default, only sensor updates and switch toogle are authorized. To authorized a new command, you have (for now) to manually update the nginx config file : +```` +sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf +``` +Then edit the following block by adding the regex of the command you want to allow: +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$) { + set $api "1"; + } +```` +For example, to add the json command to retrieve the status of a device (/json.htm?type=devices&rid=IDX),modify the line as this: +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) { + set $api "1"; + } +```` + +All IPv6 and IPv4 address within the local network (192.168.0.0/24) are authorized as API. 
+As far as I know, there is no way to use such filter for IPv6 address : You may remove the authorization by removing or commenting this line in `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`: +```` +allow ::/1; +```` +This will authorized only IPv4 within local network to access your domoticz API. ## Documentation diff --git a/README_fr.md b/README_fr.md index ab352bb..ed33a83 100644 --- a/README_fr.md +++ b/README_fr.md 
@@ -35,7 +35,43 @@ Une fois installée, **les mises à jour de l'application sont gérées depuis l ## Configuration -Toute la configuration a lieu à l'intérieur de l'application elle-même. +### Senseurs, langue et ce genre de choses +Toute la configuration de l'application a lieu dans l'application elle même +Main configuration of the app take place inside the app itself. + +### Accès et API +Par défaut, l'accès aux [API JSON](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) est autorisé sur cette URL `/votredomaine.tld/api_/chemindedomoticz`. +Donc, si vous accédez à domoticz par https://votredomaine.tld/domoticz, utilisez le chemin suivant pour l'api:`https://votredomaine.tld/api_/domoticz/json.htm?votrecommandeapi` + +Par défaut, seuls la mise à jour de senseur et les interrupteurs sont autorisés. Pour autoriser une nouvelle commande, vous devez (pour l'instant) manuellement éditer le fichier de configuration nginx : +```` +sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf +``` +Puis éditer le bloc suivant en y ajoutant le regex de la commmande à autoriser : +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$) { + set $api "1"; + } +```` +Par exemple, pour ajouter la commmande json pour retrouver le statut d'un équipement (/json.htm?type=devices&rid=IDX),il faut modifier la ligne comme ceci: +```` + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* 
type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) { + set $api "1"; + } +```` + +Toutes les adresses IPv6 et les adresses IPv4 du réseau local (192.168.0.0/24) sont autorisées pour l'API. +A ma connaissance, il n'y a pas moyen d'effectuer un tel filtre pour les adresses IPv6, vous pouvez donc retirer leur autorisation en enlevant ou en commentant la ligne suivante dans `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`: +```` +allow ::/1; +```` +Ceci autorisera seulement les adresses IPv4 local a accéder aux API de domoticz. ## Documentation diff --git a/conf/nginx.conf b/conf/nginx.conf index 35e457e..f61437a 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,8 +1,7 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - # Path to source - #alias __FINALPATH__/ ; + #Settings for main domoticz interface via web browser proxy_http_version 1.1; proxy_read_timeout 90; proxy_set_header X-Real-IP $remote_addr; @@ -14,7 +13,6 @@ location __PATH__/ { more_set_headers "X-Frame-Options: SAMEORIGIN"; proxy_pass http://localhost:__PORT__/; proxy_set_header Host $host; - #proxy_buffering off; # Force usage of https 
@@ -22,7 +20,49 @@ location __PATH__/ { rewrite ^ https://$server_name$request_uri? permanent; } - # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; +} + + +#sub_path_only rewrite ^api___PATH__$ api___PATH__/ permanent; +location api___PATH__/ { + #Alternative path for api, only authorized json command will be accepted + + #allow only local network on IPv4 + allow 192.168.0.0/16; + #allow all address in IPv6 => how to filter? + allow ::/1; + deny all; + + proxy_http_version 1.1; + proxy_read_timeout 90; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded_Proto $scheme; + proxy_set_header X-Scheme $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + more_set_headers "X-Frame-Options: SAMEORIGIN"; + proxy_pass http://localhost:__PORT__/; + proxy_set_header Host $host; + + set $api "0"; + + #set the list of authorized json command here in regex format + #you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's + #By default, sensors updates and toggle switch are authorized + if ( $args ~* type=command¶m=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command¶m=switchlight&idx=[0-9]*&switchcmd=Toggle$) { + set $api "1"; + } + + if ($api = 0) { + return 403; + } + + # Force usage of https + if ($scheme = http) { + rewrite ^ https://$server_name$request_uri? permanent; + } + } \ No newline at end of file diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess deleted file mode 100644 index 90e83ed..0000000 --- a/hooks/post_app_addaccess +++ /dev/null 
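Review bot: `allow ::/1;` in the new `location api___PATH__/` block admits half of the IPv6 address space, global unicast (2000::/3) included, so `deny all` only constrains IPv4 clients and the command allowlist is the sole barrier for any IPv6 client on the internet; restricting IPv6 to the host and its local network is `allow ::1;`, `allow fe80::/10;`, `allow fc00::/7;` in place of the `::/1` line. The IPv4 rule `allow 192.168.0.0/16;` also disagrees with the `192.168.0.0/24` that the README hunks document. In the allowlist regex, `svalue=.*$` accepts any trailing text, so the end anchor does not stop further `&key=value` pairs from being appended to an otherwise allowed request; `svalue=[^&]*$` keeps the match to a single value. Two points to confirm against the committed file rather than this rendering: the prefix `location api___PATH__/` (and the `#sub_path_only rewrite` above it) has no leading slash, so unless the helper prepends one it expands to `api_/…`, which no request URI can match, while scripts/install registers `/api_$path_url`; and the regex reads `¶m=` where `&param=` is presumably intended, which as written would match no request and turn every call into a 403.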
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-# Source app helpers
-source /usr/share/yunohost/helpers
-
-app=$1
-added_users=$2
-permission=$3
-added_groups=$4
-
-if [ "$app" == __APP__ ]; then
- if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed.
- if [ "$added_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
- domain=$(ynh_app_setting_get --app=$app --key=domain)
- path_url=$(ynh_app_setting_get --app=$app --key=path)
-
- if [ "$path_url" == "/" ]; then
- # If the path is /, clear it to prevent any error with the regex.
- path_url=""
- fi
- # Modify the domain to be used in a regex
- domain_regex=$(echo "$domain" | sed 's@-@.@g')
- ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
-
- yunohost app ssowatconf
- else
- ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
- fi
- fi
-fi
\ No newline at end of file
diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess
deleted file mode 100644
index 127472c..0000000
--- a/hooks/post_app_removeaccess
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-
-# Source app helpers
-source /usr/share/yunohost/helpers
-
-app=$1
-removed_users=$2
-permission=$3
-removed_groups=$4
-
-if [ "$app" == __APP__ ]; then
- if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed.
- if [ "$removed_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
-
- # We remove the regex, no more protection is needed.
- ynh_app_setting_delete --app=$app --key=unprotected_regex
-
- yunohost app ssowatconf
- else
- ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
- fi
- fi
-fi
\ No newline at end of file
diff --git a/scripts/change_url b/scripts/change_url index 45dd39f..dc94edb 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -19,6 +19,8 @@ old_path=$YNH_APP_OLD_PATH new_domain=$YNH_APP_NEW_DOMAIN new_path=$YNH_APP_NEW_PATH +old_api=/api_$old_path +new_api=/api_$new_path app=$YNH_APP_INSTANCE_NAME @@ -117,16 +119,10 @@ fi ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1 # If the app is private, API should stays publicly accessible. -if [ $is_public -eq 0 ] -then - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$new_domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" -fi +ynh_app_setting_delete --app=$app --key="api_path" +ynh_app_setting_set --app=$app --key="api_path" --value=$new_api + +ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api" --allowed="visitors" #================================================= diff --git a/scripts/install b/scripts/install index 056451c..f5dde79 100755 --- a/scripts/install +++ b/scripts/install @@ -29,6 +29,9 @@ path_url=$YNH_APP_ARG_PATH is_public=$YNH_APP_ARG_IS_PUBLIC app=$YNH_APP_INSTANCE_NAME +#Set dedicated variables +api_path=/api_$path_url + #================================================= # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= @@ -39,6 +42,8 @@ test ! -e "$final_path" || ynh_die --message="This path already contains a folde # Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url +#ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path + #================================================= # STORE SETTINGS FROM MANIFEST 
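Review bot: `ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api" --allowed="visitors"` passes `--allowed`, which as far as I know is an option of ynh_permission_create/ynh_permission_update and not of ynh_permission_url; confirm the helper accepts it, otherwise change_url aborts at this line. The `ynh_app_setting_delete` right before `ynh_app_setting_set` of the same `api_path` key is redundant, since set overwrites, and `--value=$new_api` should be quoted as `--value="$new_api"`. The surviving comment `# If the app is private, API should stays publicly accessible.` describes the condition this hunk removed; `# The API permission is always public: move it to the new URL.` matches the new code.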
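Review bot: The API prefix is never reserved or checked: `#ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path` is left commented out, so install proceeds even when another app already owns `$domain$api_path`, and the matching `#ynh_webpath_available` check in the scripts/restore hunk is commented out as well. If the helper cannot register a second path for the same app, the availability check alone still catches the collision: `ynh_webpath_available --domain=$domain --path_url=$api_path || ynh_die --message="Path not available: ${domain}${api_path}"`. Whichever way it is resolved, a one-line comment stating why registration of the API path is skipped would spare the next maintainer the guess.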
@@ -53,6 +58,9 @@ ynh_app_setting_set --app=$app --key=is_public --value=$is_public ynh_app_setting_set --app=$app --key=OS --value=$OS ynh_app_setting_set --app=$app --key=mach --value=$MACH +#path used by api to read/update domoticz +ynh_app_setting_set --app=$app --key=api_path --value=$api_path + #================================================= # STANDARD MODIFICATIONS @@ -63,8 +71,6 @@ ynh_app_setting_set --app=$app --key=mach --value=$MACH # Find an available port port=$(ynh_find_port --port=8080) ynh_app_setting_set --app=$app --key=port --value=$port -#Standard yunohost does not change __PORT__ in systemd.service -#ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" #================================================= # INSTALL DEPENDENCIES @@ -128,13 +134,6 @@ chmod 440 /etc/sudoers.d/$app mkdir -p /var/log/$app chown -R domoticz: /var/log/$app -#================================================= -# SETUP HOOKS FILE -#================================================= - -ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess" -ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess" - #================================================= # SETUP SYSTEMD 
@@ -195,20 +194,10 @@ ynh_script_progression --message="Configuring SSOwat..." --weight=1 # Make app public if necessary if [ $is_public -eq 1 ]; then ynh_permission_update --permission "main" --add visitors -else - # If the app is private, API should stays publicly accessible. - # This is a fake permission without any URL. - # The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified. - # We can't use a real permission for now because the actual permision system doesn't support regex. - ynh_permission_create --permission="domoticz_API" --allowed="visitors" - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi -# # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" fi +#API should stay publicly accessible. +ynh_permission_create --permission="domoticz_API" --url="$domain$api_path" --allowed="visitors" + #================================================= diff --git a/scripts/restore b/scripts/restore index ad9f96a..4305630 100755 --- a/scripts/restore +++ b/scripts/restore @@ -33,6 +33,7 @@ path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) backup_OS=$(ynh_app_setting_get --app=$app --key=OS) backup_mach=$(ynh_app_setting_get --app=$app --key=mach) +api_path=$(ynh_app_setting_get --app=$app --key=api_path) #================================================= # CHECK IF THE APP CAN BE RESTORED 
@@ -41,6 +42,8 @@ ynh_script_progression --message="Validating restoration parameters..." --weight ynh_webpath_available --domain=$domain --path_url=$path_url \ || ynh_die --message="Path not available: ${domain}${path_url}" +#ynh_webpath_available --domain=$domain --path_url=$api_path \ +# || ynh_die --message="Path not available: ${domain}${api_path}" test ! -d $final_path \ || ynh_die --message="There is already a directory: $final_path " #As we are downloading compiled binaries for each system, we have to check if the restore occurs diff --git a/scripts/upgrade b/scripts/upgrade index 580d6e2..39b4427 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -27,6 +27,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) port=$(ynh_app_setting_get --app=$app --key=port) current_OS=$(ynh_app_setting_get --app=$app --key=OS) current_mach=$(ynh_app_setting_get --app=$app --key=mach) +api_path=$(ynh_app_setting_get --app=$app --key=api_path) #================================================= # CHECK VERSION @@ -57,7 +58,7 @@ elif [ "$is_public" = "No" ]; then elif [ -z "$is_public" ]; then ynh_app_setting_set --app=$app --key=is_public --value=1 is_public=1 - ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentifaction." +ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentication." ynh_print_warn --message="if you require to set it as private, please use the authorization config panel in Users/Manage Groups and permissions" fi 
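Review bot: The rewritten `ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentication."` appears to have lost the indentation of the enclosing `elif [ -z "$is_public" ]; then` branch (the removed line was indented, the added one starts at column 0, as far as this rendering shows); bash does not care, but it reads as if the statement sat outside the branch, so keep it indented like the warning on the following line. The missing space after the comma in `version,meaning` could be fixed in the same touch.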
@@ -75,25 +76,19 @@ if [ -z "$final_path" ]; then ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi +#Create a dedicated path for the api access +if [ -z "$api_path" ]; then + api_path=/api_$path_url + ynh_app_setting_set --app=$app --key=final_path --value=$final_path +# ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path +fi + + # Create the permission "domoticz_API" only if it doesn't exist. if ! ynh_permission_exists --permission="domoticz_API" then - # This is a fake permission without any URL. - # The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified. - # We can't use a real permission for now because the actual permision system doesn't support regex. - ynh_permission_create --permission="domoticz_API" --allowed="visitors" - - # Make API public if necessary - if [ $is_public -eq 0 ] - then - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" - fi + # API Authorization wit dedicated URL + ynh_permission_create --permission="domoticz_API" ---url="$domain$api_path" --allowed="visitors" fi @@ -173,7 +168,7 @@ fi ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=1 # Create a dedicated nginx config -#ynh_add_nginx_config +ynh_add_nginx_config #================================================= # UPGRADE DEPENDENCIES
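Review bot: Inside the new `if [ -z "$api_path" ]` block the wrong key is persisted: `ynh_app_setting_set --app=$app --key=final_path --value=$final_path` rewrites final_path, so an upgraded install never stores `api_path` and scripts/restore, which reads that key, will get an empty value; the line should be `ynh_app_setting_set --app=$app --key=api_path --value=$api_path`. Further down, `ynh_permission_create --permission="domoticz_API" ---url="$domain$api_path" --allowed="visitors"` has a triple dash, which the helper's option parser will not recognise as `--url`. Note also that for every install upgraded from the previous version the permission already exists (it was created without a URL), so this block is skipped and the URL is never attached; an `else` branch with `ynh_permission_url --permission="domoticz_API" --url="$domain$api_path"` would cover that path, assuming the helper accepts a URL on an existing permission. The comment typo `wit` should read `with`.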