New Permission system - Domoticz API

conf/nginx.conf

@@ -3,15 +3,15 @@ location __PATH__/ {
 
   # Path to source
   #alias __FINALPATH__/ ;
-  proxy_http_version            1.1;
-  proxy_read_timeout            90;
-  proxy_set_header        X-Real-IP $remote_addr;
-  proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header        X-Forwarded_Proto $scheme;
-  proxy_set_header              X-Scheme $scheme;
-  proxy_set_header              Upgrade $http_upgrade;
-  proxy_set_header              Connection $connection_upgrade;
-  more_set_headers                            "X-Frame-Options: SAMEORIGIN";
+  proxy_http_version 1.1;
+  proxy_read_timeout 90;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded_Proto $scheme;
+  proxy_set_header X-Scheme $scheme;
+  proxy_set_header Upgrade $http_upgrade;
+  proxy_set_header Connection $connection_upgrade;
+  more_set_headers "X-Frame-Options: SAMEORIGIN";
   proxy_pass http://localhost:__PORT__/;
   proxy_set_header Host $host;
   #proxy_buffering off;

hooks/post_app_addaccess

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# Source app helpers
+source /usr/share/yunohost/helpers
+
+app=$1
+added_users=$2
+permission=$3
+added_groups=$4
+
+if [ "$app" == __APP__ ]; then
+    if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed.
+        if [ "$added_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
+            domain=$(ynh_app_setting_get --app=$app --key=domain)
+            path_url=$(ynh_app_setting_get --app=$app --key=path)
+
+            if [ "$path_url" == "/" ]; then
+                # If the path is /, clear it to prevent any error with the regex.
+                path_url=""
+            fi
+            # Modify the domain to be used in a regex
+            domain_regex=$(echo "$domain" | sed 's@-@.@g')
+            ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
+
+            yunohost app ssowatconf
+        else
+            ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
+        fi
+    fi
+fi

hooks/post_app_removeaccess

@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# Source app helpers
+source /usr/share/yunohost/helpers
+
+app=$1
+removed_users=$2
+permission=$3
+removed_groups=$4
+
+if [ "$app" == __APP__ ]; then
+    if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed.
+        if [ "$removed_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group.
+
+            # We remove the regex, no more protection is needed.
+            ynh_app_setting_delete --app=$app --key=unprotected_regex
+
+            yunohost app ssowatconf
+        else
+            ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group."
+        fi
+    fi
+fi

manifest.json

@@ -6,7 +6,7 @@
         "en": "Very light weight open sources home automation system that lets you monitor and configure miscellaneous devices",
         "fr": "Logiciel open sources et gratuit de domotique qui vous permet de configurer un grand nombre d'appareils"
     },
-    "version": "2020.2~ynh1",
+    "version": "2020.2~ynh2",
     "url": "https://www.domoticz.com",
     "license": "GPL-3.0-or-later",
     "maintainer": {

scripts/change_url

@@ -25,7 +25,7 @@ app=$YNH_APP_INSTANCE_NAME
 #=================================================
 # LOAD SETTINGS
 #=================================================
-ynh_script_progression --message="Loading installation settings..." --time --weight=1
+ynh_script_progression --message="Loading installation settings..." --weight=1
 
 # Needed for helper "ynh_add_nginx_config"
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
@@ -35,7 +35,7 @@ port=$(ynh_app_setting_get --app=$app --key=port)
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
-ynh_script_progression --message="Backing up the app before changing its url (may take a while)..." --time --weight=1
+ynh_script_progression --message="Backing up the app before changing its url (may take a while)..." --weight=5
 
 # Backup the current version of the app
 ynh_backup_before_upgrade
@@ -70,14 +70,14 @@ fi
 #=================================================
 # STOP SYSTEMD SERVICE
 #=================================================
-ynh_script_progression --message="Stopping a systemd service..." --time --weight=1
+ynh_script_progression --message="Stopping a systemd service..." --weight=2
 
 ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log"
 
 #=================================================
 # MODIFY URL IN NGINX CONF
 #=================================================
-ynh_script_progression --message="Updating nginx web server configuration..." --time --weight=1
+ynh_script_progression --message="Updating nginx web server configuration..." --weight=1
 
 nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf
 
@@ -111,17 +111,36 @@ fi
 
 #=================================================
 # GENERIC FINALISATION
+#=================================================
+# SETUP SSOWAT
+#=================================================
+ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1
+
+# If the app is private, API should stays publicly accessible.
+if [ $is_public -eq 0 ]
+then
+	if [ "$path_url" == "/" ]; then
+	    # If the path is /, clear it to prevent any error with the regex.
+	    path_url=""
+	fi
+	# Modify the domain to be used in a regex
+	domain_regex=$(echo "$new_domain" | sed 's@-@.@g')
+	ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
+fi
+
+
 #=================================================
 # START SYSTEMD SERVICE
 #=================================================
-ynh_script_progression --message="Starting a systemd service..." --time --weight=1
+
+ynh_script_progression --message="Starting a systemd service..." --weight=2
 
 ynh_systemd_action --service_name=$app --action="start"
 
 #=================================================
 # RELOAD NGINX
 #=================================================
-ynh_script_progression --message="Reloading nginx web server..." --time --weight=1
+ynh_script_progression --message="Reloading nginx web server..." --weight=1
 
 ynh_systemd_action --service_name=nginx --action=reload
 
@@ -129,4 +148,4 @@ ynh_systemd_action --service_name=nginx --action=reload
 # END OF SCRIPT
 #=================================================
 
-ynh_script_progression --message="Change of URL completed for $app" --time --last
+ynh_script_progression --message="Change of URL completed for $app"--last

scripts/install

@@ -64,7 +64,7 @@ ynh_app_setting_set --app=$app --key=mach --value=$MACH
 port=$(ynh_find_port --port=8080)
 ynh_app_setting_set --app=$app --key=port --value=$port
 #Standard yunohost does not change __PORT__ in systemd.service
-ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service"
+#ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service"
 
 #=================================================
 # INSTALL DEPENDENCIES
@@ -128,16 +128,26 @@ chmod 440 /etc/sudoers.d/$app
 mkdir -p /var/log/$app
 chown -R domoticz: /var/log/$app
 
+#=================================================
+# SETUP HOOKS FILE
+#=================================================
+
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess"
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess"
+
+
 #=================================================
 # SETUP SYSTEMD
 #=================================================
 ynh_script_progression --message="Configuring a systemd service..." --weight=1
 
 # Create a dedicated systemd config
-ynh_add_systemd_config
+ynh_add_systemd_config --others_var="port"
 
 #ynh_store_file_checksum --file="$final_path/CONFIG_FILE"
 
+
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
@@ -183,12 +193,24 @@ ynh_systemd_action --service_name=$app --action="start"
 ynh_script_progression --message="Configuring SSOwat..." --weight=1
 
 # Make app public if necessary
-if [ $is_public -eq 1 ]
-then
-	# unprotected_uris allows SSO credentials to be passed anyway.
+if [ $is_public -eq 1 ]; then
 	ynh_permission_update --permission "main" --add visitors
+else
+	# If the app is private, API should stays publicly accessible.
+	# This is a fake permission without any URL.
+	# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
+	# We can't use a real permission for now because the actual permision system doesn't support regex.
+	ynh_permission_create --permission="domoticz_API" --allowed="visitors"	
+	if [ "$path_url" == "/" ]; then
+		# If the path is /, clear it to prevent any error with the regex.
+		path_url=""
+	fi
+#	# Modify the domain to be used in a regex
+	domain_regex=$(echo "$domain" | sed 's@-@.@g')
+	ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
 fi
 
+
 #=================================================
 # RELOAD NGINX
 #=================================================

scripts/upgrade

@@ -75,6 +75,28 @@ if [ -z "$final_path" ]; then
 	ynh_app_setting_set --app=$app --key=final_path --value=$final_path
 fi
 
+# Create the permission "domoticz_API" only if it doesn't exist.
+if ! ynh_permission_exists --permission="domoticz_API"
+then
+	# This is a fake permission without any URL.
+	# The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified.
+	# We can't use a real permission for now because the actual permision system doesn't support regex.
+	ynh_permission_create --permission="domoticz_API" --allowed="visitors"
+
+	# Make API public if necessary
+	if [ $is_public -eq 0 ]
+	then
+		if [ "$path_url" == "/" ]; then
+			# If the path is /, clear it to prevent any error with the regex.
+			path_url=""
+		fi
+		# Modify the domain to be used in a regex
+		domain_regex=$(echo "$domain" | sed 's@-@.@g')
+		ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$"
+	fi
+fi
+
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
@@ -183,14 +205,21 @@ chmod 440 /etc/sudoers.d/$app
 mkdir -p /var/log/$app
 chown -R domoticz: /var/log/$app
 
+#=================================================
+# SETUP HOOKS FILE
+#=================================================
+
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess"
+ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess"
+
+
 #=================================================
 # SETUP SYSTEMD
 #=================================================
 ynh_script_progression --message="Upgrading systemd configuration..." --weight=1
-#Standard yunohost does not change __PORT__ in systemd.service
-ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service"
+
 # Create a dedicated systemd config
-ynh_add_systemd_config
+ynh_add_systemd_config --others_var="port"
 
 #=================================================
 # MODIFY A CONFIG FILE