diff --git a/conf/nginx.conf b/conf/nginx.conf index 7414aa6..35e457e 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -3,15 +3,15 @@ location __PATH__/ { # Path to source #alias __FINALPATH__/ ; - proxy_http_version 1.1; - proxy_read_timeout 90; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded_Proto $scheme; - proxy_set_header X-Scheme $scheme; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - more_set_headers "X-Frame-Options: SAMEORIGIN"; + proxy_http_version 1.1; + proxy_read_timeout 90; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded_Proto $scheme; + proxy_set_header X-Scheme $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + more_set_headers "X-Frame-Options: SAMEORIGIN"; proxy_pass http://localhost:__PORT__/; proxy_set_header Host $host; #proxy_buffering off; diff --git a/hooks/post_app_addaccess b/hooks/post_app_addaccess new file mode 100644 index 0000000..90e83ed --- /dev/null +++ b/hooks/post_app_addaccess @@ -0,0 +1,30 @@ +#!/bin/bash + +# Source app helpers +source /usr/share/yunohost/helpers + +app=$1 +added_users=$2 +permission=$3 +added_groups=$4 + +if [ "$app" == __APP__ ]; then + if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed. + if [ "$added_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group. + domain=$(ynh_app_setting_get --app=$app --key=domain) + path_url=$(ynh_app_setting_get --app=$app --key=path) + + if [ "$path_url" == "/" ]; then + # If the path is /, clear it to prevent any error with the regex. + path_url="" + fi + # Modify the domain to be used in a regex + domain_regex=$(echo "$domain" | sed 's@-@.@g') + ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" + + yunohost app ssowatconf + else + ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group." + fi + fi +fi \ No newline at end of file diff --git a/hooks/post_app_removeaccess b/hooks/post_app_removeaccess new file mode 100644 index 0000000..127472c --- /dev/null +++ b/hooks/post_app_removeaccess @@ -0,0 +1,23 @@ +#!/bin/bash + +# Source app helpers +source /usr/share/yunohost/helpers + +app=$1 +removed_users=$2 +permission=$3 +removed_groups=$4 + +if [ "$app" == __APP__ ]; then + if [ "$permission" = "domoticz_API" ]; then # The fake permission "Domoticz API/JSON URL" is modifed. + if [ "$removed_groups" = "visitors" ]; then # As is it a fake permission we can only grant/remove the "visitors" group. + + # We remove the regex, no more protection is needed. + ynh_app_setting_delete --app=$app --key=unprotected_regex + + yunohost app ssowatconf + else + ynh_print_warn --message="This app doesn't support this authorisation, you can only add or remove visitors group." + fi + fi +fi \ No newline at end of file diff --git a/manifest.json b/manifest.json index 71d10f2..f461f3b 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Very light weight open sources home automation system that lets you monitor and configure miscellaneous devices", "fr": "Logiciel open sources et gratuit de domotique qui vous permet de configurer un grand nombre d'appareils" }, - "version": "2020.2~ynh1", + "version": "2020.2~ynh2", "url": "https://www.domoticz.com", "license": "GPL-3.0-or-later", "maintainer": { diff --git a/scripts/change_url b/scripts/change_url index 117a84a..45dd39f 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -25,7 +25,7 @@ app=$YNH_APP_INSTANCE_NAME #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." --time --weight=1 +ynh_script_progression --message="Loading installation settings..." --weight=1 # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) @@ -35,7 +35,7 @@ port=$(ynh_app_setting_get --app=$app --key=port) #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= -ynh_script_progression --message="Backing up the app before changing its url (may take a while)..." --time --weight=1 +ynh_script_progression --message="Backing up the app before changing its url (may take a while)..." --weight=5 # Backup the current version of the app ynh_backup_before_upgrade @@ -70,14 +70,14 @@ fi #================================================= # STOP SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Stopping a systemd service..." --time --weight=1 +ynh_script_progression --message="Stopping a systemd service..." --weight=2 ynh_systemd_action --service_name=$app --action="stop" --log_path="/var/log/$app/$app.log" #================================================= # MODIFY URL IN NGINX CONF #================================================= -ynh_script_progression --message="Updating nginx web server configuration..." --time --weight=1 +ynh_script_progression --message="Updating nginx web server configuration..." --weight=1 nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf @@ -111,17 +111,36 @@ fi #================================================= # GENERIC FINALISATION +#================================================= +# SETUP SSOWAT +#================================================= +ynh_script_progression --message="Upgrading SSOwat configuration..." --weight=1 + +# If the app is private, API should stays publicly accessible. +if [ $is_public -eq 0 ] +then + if [ "$path_url" == "/" ]; then + # If the path is /, clear it to prevent any error with the regex. + path_url="" + fi + # Modify the domain to be used in a regex + domain_regex=$(echo "$new_domain" | sed 's@-@.@g') + ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" +fi + + #================================================= # START SYSTEMD SERVICE #================================================= -ynh_script_progression --message="Starting a systemd service..." --time --weight=1 + +ynh_script_progression --message="Starting a systemd service..." --weight=2 ynh_systemd_action --service_name=$app --action="start" #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." --time --weight=1 +ynh_script_progression --message="Reloading nginx web server..." --weight=1 ynh_systemd_action --service_name=nginx --action=reload @@ -129,4 +148,4 @@ ynh_systemd_action --service_name=nginx --action=reload # END OF SCRIPT #================================================= -ynh_script_progression --message="Change of URL completed for $app" --time --last +ynh_script_progression --message="Change of URL completed for $app"--last diff --git a/scripts/install b/scripts/install index 8598b32..056451c 100755 --- a/scripts/install +++ b/scripts/install @@ -64,7 +64,7 @@ ynh_app_setting_set --app=$app --key=mach --value=$MACH port=$(ynh_find_port --port=8080) ynh_app_setting_set --app=$app --key=port --value=$port #Standard yunohost does not change __PORT__ in systemd.service -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" +#ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" #================================================= # INSTALL DEPENDENCIES @@ -128,16 +128,26 @@ chmod 440 /etc/sudoers.d/$app mkdir -p /var/log/$app chown -R domoticz: /var/log/$app +#================================================= +# SETUP HOOKS FILE +#================================================= + +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess" +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess" + + #================================================= # SETUP SYSTEMD #================================================= ynh_script_progression --message="Configuring a systemd service..." --weight=1 # Create a dedicated systemd config -ynh_add_systemd_config +ynh_add_systemd_config --others_var="port" #ynh_store_file_checksum --file="$final_path/CONFIG_FILE" + + #================================================= # GENERIC FINALIZATION #================================================= @@ -183,12 +193,24 @@ ynh_systemd_action --service_name=$app --action="start" ynh_script_progression --message="Configuring SSOwat..." --weight=1 # Make app public if necessary -if [ $is_public -eq 1 ] -then - # unprotected_uris allows SSO credentials to be passed anyway. +if [ $is_public -eq 1 ]; then ynh_permission_update --permission "main" --add visitors +else + # If the app is private, API should stays publicly accessible. + # This is a fake permission without any URL. + # The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified. + # We can't use a real permission for now because the actual permision system doesn't support regex. + ynh_permission_create --permission="domoticz_API" --allowed="visitors" + if [ "$path_url" == "/" ]; then + # If the path is /, clear it to prevent any error with the regex. + path_url="" + fi +# # Modify the domain to be used in a regex + domain_regex=$(echo "$domain" | sed 's@-@.@g') + ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" fi + #================================================= # RELOAD NGINX #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 17858a2..580d6e2 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -75,6 +75,28 @@ if [ -z "$final_path" ]; then ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi +# Create the permission "domoticz_API" only if it doesn't exist. +if ! ynh_permission_exists --permission="domoticz_API" +then + # This is a fake permission without any URL. + # The purpose of this permission is only to trigger hooks post_app_add/removeaccess when it's modified. + # We can't use a real permission for now because the actual permision system doesn't support regex. + ynh_permission_create --permission="domoticz_API" --allowed="visitors" + + # Make API public if necessary + if [ $is_public -eq 0 ] + then + if [ "$path_url" == "/" ]; then + # If the path is /, clear it to prevent any error with the regex. + path_url="" + fi + # Modify the domain to be used in a regex + domain_regex=$(echo "$domain" | sed 's@-@.@g') + ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/json.htm.*$" + fi +fi + + #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= @@ -183,14 +205,21 @@ chmod 440 /etc/sudoers.d/$app mkdir -p /var/log/$app chown -R domoticz: /var/log/$app +#================================================= +# SETUP HOOKS FILE +#================================================= + +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_addaccess" +ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="../hooks/post_app_removeaccess" + + #================================================= # SETUP SYSTEMD #================================================= ynh_script_progression --message="Upgrading systemd configuration..." --weight=1 -#Standard yunohost does not change __PORT__ in systemd.service -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="../conf/systemd.service" + # Create a dedicated systemd config -ynh_add_systemd_config +ynh_add_systemd_config --others_var="port" #================================================= # MODIFY A CONFIG FILE