YunoHost-Apps/domoticz_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/domoticz_ynh.git synced 2024-09-03 18:26:17 +02:00
Code Issues Activity Actions

API madness

Browse source
This commit is contained in:
Krakinou 2020-12-05 23:08:32 +01:00
parent dfce441b1c
commit 6aa7b1d28b
10 changed files with 151 additions and 109 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1,2 +1,3 @@
*~
*.sw[op]
/hooks/

37
README.md
View file

@ -37,7 +37,42 @@ Once installed, **updates from the uptream app are managed from within the app.*
## Configuration
All the configuration of the app take place inside the app itself.
### Sensors, language and this kind of stuff
Main configuration of the app take place inside the app itself.
### Access and API
By default, access for the [JSON API](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) is allowed on following path `/yourdomain.tld/api_/domoticzpath`.
So if you access domoticz via https://mydomainname.tld/domoticz, use the following webpath for the api : `https://mydomainname.tld/api_/domoticz/json.htm?yourapicommand`
By default, only sensor updates and switch toogle are authorized. To authorized a new command, you have (for now) to manually update the nginx config file :
````
sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf
```
Then edit the following block by adding the regex of the command you want to allow:
````
#set the list of authorized json command here in regex format
#you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
#By default, sensors updates and toggle switch are authorized
if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$) {
set $api "1";
}
````
For example, to add the json command to retrieve the status of a device (/json.htm?type=devices&rid=IDX),modify the line as this:
````
#set the list of authorized json command here in regex format
#you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
#By default, sensors updates and toggle switch are authorized
if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) {
set $api "1";
}
````
All IPv6 and IPv4 address within the local network (192.168.0.0/24) are authorized as API.
As far as I know, there is no way to use such filter for IPv6 address : You may remove the authorization by removing or commenting this line in `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`:
````
allow ::/1;
````
This will authorized only IPv4 within local network to access your domoticz API.
## Documentation

38
README_fr.md
View file

@ -35,7 +35,43 @@ Une fois installée, **les mises à jour de l'application sont gérées depuis l
## Configuration
Toute la configuration a lieu à l'intérieur de l'application elle-même.
### Senseurs, langue et ce genre de choses
Toute la configuration de l'application a lieu dans l'application elle même
Main configuration of the app take place inside the app itself.
### Accès et API
Par défaut, l'accès aux [API JSON](https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's) est autorisé sur cette URL `/votredomaine.tld/api_/chemindedomoticz`.
Donc, si vous accédez à domoticz par https://votredomaine.tld/domoticz, utilisez le chemin suivant pour l'api:`https://votredomaine.tld/api_/domoticz/json.htm?votrecommandeapi`
Par défaut, seuls la mise à jour de senseur et les interrupteurs sont autorisés. Pour autoriser une nouvelle commande, vous devez (pour l'instant) manuellement éditer le fichier de configuration nginx :
````
sudo nano /etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf
```
Puis éditer le bloc suivant en y ajoutant le regex de la commmande à autoriser :
````
#set the list of authorized json command here in regex format
#you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
#By default, sensors updates and toggle switch are authorized
if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$) {
set $api "1";
}
````
Par exemple, pour ajouter la commmande json pour retrouver le statut d'un équipement (/json.htm?type=devices&rid=IDX),il faut modifier la ligne comme ceci:
````
#set the list of authorized json command here in regex format
#you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
#By default, sensors updates and toggle switch are authorized
if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$|type=devices&rid=[0-9]* ) {
set $api "1";
}
````
Toutes les adresses IPv6 et les adresses IPv4 du réseau local (192.168.0.0/24) sont autorisées pour l'API.
A ma connaissance, il n'y a pas moyen d'effectuer un tel filtre pour les adresses IPv6, vous pouvez donc retirer leur autorisation en enlevant ou en commentant la ligne suivante dans `/etc/nginx/conf.d/yourdomain.tld.d/domoticz.conf`:
````
allow ::/1;
````
Ceci autorisera seulement les adresses IPv4 local a accéder aux API de domoticz.
## Documentation

48
conf/nginx.conf
View file

@ -1,8 +1,7 @@
#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent;
location __PATH__/ {
# Path to source
#alias __FINALPATH__/ ;
#Settings for main domoticz interface via web browser
proxy_http_version 1.1;
proxy_read_timeout 90;
proxy_set_header X-Real-IP $remote_addr;
@ -14,7 +13,6 @@ location __PATH__/ {
more_set_headers "X-Frame-Options: SAMEORIGIN";
proxy_pass http://localhost:__PORT__/;
proxy_set_header Host $host;
#proxy_buffering off;
# Force usage of https
@ -22,7 +20,49 @@ location __PATH__/ {
rewrite ^ https://$server_name$request_uri? permanent;
}
# Include SSOWAT user panel.
include conf.d/yunohost_panel.conf.inc;
}
#sub_path_only rewrite ^api___PATH__$ api___PATH__/ permanent;
location api___PATH__/ {
#Alternative path for api, only authorized json command will be accepted
#allow only local network on IPv4
allow 192.168.0.0/16;
#allow all address in IPv6 => how to filter?
allow ::/1;
deny all;
proxy_http_version 1.1;
proxy_read_timeout 90;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded_Proto $scheme;
proxy_set_header X-Scheme $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
more_set_headers "X-Frame-Options: SAMEORIGIN";
proxy_pass http://localhost:__PORT__/;
proxy_set_header Host $host;
set $api "0";
#set the list of authorized json command here in regex format
#you may retrieve the command from https://www.domoticz.com/wiki/Domoticz_API/JSON_URL's
#By default, sensors updates and toggle switch are authorized
if ( $args ~* type=command&param=udevice&idx=[0-9]*&nvalue=[0-9]*&svalue=.*$|type=command&param=switchlight&idx=[0-9]*&switchcmd=Toggle$) {
set $api "1";
}
if ($api = 0) {
return 403;
}
# Force usage of https
if ($scheme = http) {
rewrite ^ https://$server_name$request_uri? permanent;
}
}

30
hooks/post_app_addaccess
View file

@ -1,30 +0,0 @@
#!/bin/bash
# Source app helpers
source /usr/share/yunohost/helpers
app=$1
added_users=$2
permission=$3
added_groups=$4
if [ "$app" == __APP__ ]; then
if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed.
if [ "$added_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path)
if [ "$path_url" == "/" ]; then
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
yunohost app ssowatconf
else
ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
fi
fi
fi

23
hooks/post_app_removeaccess
View file

@ -1,23 +0,0 @@
#!/bin/bash
# Source app helpers
source /usr/share/yunohost/helpers
app=$1
removed_users=$2
permission=$3
removed_groups=$4
if [ "$app" == __APP__ ]; then
if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed.
if [ "$removed_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
# We remove the regex, no more protection is needed.
ynh_app_setting_delete --app=$app --key=unprotected_regex
yunohost app ssowatconf
else
ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
fi
fi
fi

16
scripts/change_url
View file

@ -19,6 +19,8 @@ old_path=$YNH_APP_OLD_PATH
new_domain=$YNH_APP_NEW_DOMAIN
new_path=$YNH_APP_NEW_PATH
old_api=/api_$old_path
new_api=/api_$new_path
app=$YNH_APP_INSTANCE_NAME
@ -117,16 +119,10 @@ fi
ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1
# If the app is private, API should stays publicly accessible.
if [ $is_public -eq 0 ]
then
if [ "$path_url" == "/" ]; then
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# Modify the domain to be used in a regex
domain_regex=$(echo "$new_domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
fi
ynh_app_setting_delete --app=$app --key="api_path"
ynh_app_setting_set --app=$app --key="api_path" --value=$new_api
ynh_permission_url --permission="domoticz_API" --url="$new_domain$new_api" --allowed="visitors"
#=================================================

33
scripts/install
View file

@ -29,6 +29,9 @@ path_url=$YNH_APP_ARG_PATH
is_public=$YNH_APP_ARG_IS_PUBLIC
app=$YNH_APP_INSTANCE_NAME
#Set dedicated variables
api_path=/api_$path_url
#=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#=================================================
@ -39,6 +42,8 @@ test ! -e "$final_path" || ynh_die --message="This path already contains a folde
# Register (book) web path
ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
#ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path
#=================================================
# STORE SETTINGS FROM MANIFEST
@ -53,6 +58,9 @@ ynh_app_setting_set --app=$app --key=is_public --value=$is_public
ynh_app_setting_set --app=$app --key=OS --value=$OS
ynh_app_setting_set --app=$app --key=mach --value=$MACH
#path used by api to read/update domoticz
ynh_app_setting_set --app=$app --key=api_path --value=$api_path
#=================================================
# STANDARD MODIFICATIONS
@ -63,8 +71,6 @@ ynh_app_setting_set --app=$app --key=mach --value=$MACH
# Find an available port
port=$(ynh_find_port --port=8080)
ynh_app_setting_set --app=$app --key=port --value=$port
#Standard yunohost does not change __PORT__ in systemd.service
#ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service"
#=================================================
# INSTALL DEPENDENCIES
@ -128,13 +134,6 @@ chmod 440 /etc/sudoers.d/$app
mkdir -p /var/log/$app
chown -R domoticz: /var/log/$app
#=================================================
# SETUP HOOKS FILE
#=================================================
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess"
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess"
#=================================================
# SETUP SYSTEMD
@ -195,20 +194,10 @@ ynh_script_progression --message="Configuring SSOwat..." --weight=1
# Make app public if necessary
if [ $is_public -eq 1 ]; then
ynh_permission_update --permission "main" --add visitors
else
# If the app is private, API should stays publicly accessible.
# This is a fake permission without any URL.
# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
# We can't use a real permission for now because the actual permision system doesn't support regex.
ynh_permission_create --permission="domoticz_API" --allowed="visitors"
if [ "$path_url" == "/" ]; then
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# # Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
fi
#API should stay publicly accessible.
ynh_permission_create --permission="domoticz_API" --url="$domain$api_path" --allowed="visitors"
#=================================================

3
scripts/restore
View file

@ -33,6 +33,7 @@ path_url=$(ynh_app_setting_get --app=$app --key=path)
final_path=$(ynh_app_setting_get --app=$app --key=final_path)
backup_OS=$(ynh_app_setting_get --app=$app --key=OS)
backup_mach=$(ynh_app_setting_get --app=$app --key=mach)
api_path=$(ynh_app_setting_get --app=$app --key=api_path)
#=================================================
# CHECK IF THE APP CAN BE RESTORED
@ -41,6 +42,8 @@ ynh_script_progression --message="Validating restoration parameters..." --weight
ynh_webpath_available --domain=$domain --path_url=$path_url \
|| ynh_die --message="Path not available: ${domain}${path_url}"
#ynh_webpath_available --domain=$domain --path_url=$api_path \
# || ynh_die --message="Path not available: ${domain}${api_path}"
test ! -d $final_path \
|| ynh_die --message="There is already a directory: $final_path "
#As we are downloading compiled binaries for each system, we have to check if the restore occurs

31
scripts/upgrade
View file

@ -27,6 +27,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
port=$(ynh_app_setting_get --app=$app --key=port)
current_OS=$(ynh_app_setting_get --app=$app --key=OS)
current_mach=$(ynh_app_setting_get --app=$app --key=mach)
api_path=$(ynh_app_setting_get --app=$app --key=api_path)
#=================================================
# CHECK VERSION
@ -57,7 +58,7 @@ elif [ "$is_public" = "No" ]; then
elif [ -z "$is_public" ]; then
ynh_app_setting_set --app=$app --key=is_public --value=1
is_public=1
ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentifaction."
ynh_print_warn --message="Application was set as public in the previous version,meaning it's available without authentication."
ynh_print_warn --message="if you require to set it as private, please use the authorization config panel in Users/Manage Groups and permissions"
fi
@ -75,25 +76,19 @@ if [ -z "$final_path" ]; then
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
fi
#Create a dedicated path for the api access
if [ -z "$api_path" ]; then
api_path=/api_$path_url
ynh_app_setting_set --app=$app --key=final_path --value=$final_path
# ynh_webpath_register --app=$app --domain=$domain --path_url=$api_path
fi
# Create the permission "domoticz_API" only if it doesn't exist.
if ! ynh_permission_exists --permission="domoticz_API"
then
# This is a fake permission without any URL.
# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
# We can't use a real permission for now because the actual permision system doesn't support regex.
ynh_permission_create --permission="domoticz_API" --allowed="visitors"
# Make API public if necessary
if [ $is_public -eq 0 ]
then
if [ "$path_url" == "/" ]; then
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
fi
# API Authorization wit dedicated URL
ynh_permission_create --permission="domoticz_API" ---url="$domain$api_path" --allowed="visitors"
fi
@ -173,7 +168,7 @@ fi
ynh_script_progression --message="Upgrading nginx web server configuration..." --weight=1
# Create a dedicated nginx config
#ynh_add_nginx_config
ynh_add_nginx_config
#=================================================
# UPGRADE DEPENDENCIES