From 4d8aa27cb04dcd1ac678543d29e04206d4bfb379 Mon Sep 17 00:00:00 2001
From: tituspijean
Date: Thu, 15 Feb 2018 18:37:46 +0100
Subject: [PATCH] App user ownership and change composer directory
---
conf/configuration.yml | 13 ++++++
conf/nginx.conf | 20 ++++-----
conf/php-fpm.conf | 8 ++--
scripts/_common.sh | 50 ++++++++++++++++++----
scripts/install | 88 ++++++++++++++++-----------------------
scripts/remove | 2 -
sources/configuration.yml | 13 ------
7 files changed, 106 insertions(+), 88 deletions(-)
create mode 100644 conf/configuration.yml
delete mode 100644 sources/configuration.yml
diff --git a/conf/configuration.yml b/conf/configuration.yml
new file mode 100644
index 0000000..6a2432f
--- /dev/null
+++ b/conf/configuration.yml
@@ -0,0 +1,13 @@
+baseUrl : "https://__DOMAIN__/__PATH__"
+databaseConfiguration :
+ host : "localhost"
+ database : "__USER__"
+ username : "__USER__"
+ password : "__DB_PWD__"
+adminUser :
+ username : "__ADMIN__"
+ password : "__ADMIN_PWD__"
+ password_confirmation : "__ADMIN_PWD__"
+ email : "__ADMIN_EML__"
+settings :
+ forum_title : "__FORUM_TITLE__"
diff --git a/conf/nginx.conf b/conf/nginx.conf
index 50212a4..9930daf 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,19 +1,19 @@ location ^~ __PATH__ { - + if ($scheme = http) { rewrite ^ https://$server_name$request_uri? permanent; } - + alias __FINALPATH__/; try_files $uri $uri/ /index.php?$query_string; - index YNH_WWW_ROOTPATH/index.php; - - # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 ) - location YNH_WWW_ROOTPATH/ { try_files $uri $uri/ YNH_WWW_ROOTAPP/index.php?$query_string; } - location YNH_WWW_ROOTPATH/api { try_files $uri $uri/ YNH_WWW_ROOTAPP/api.php?$query_string; } - location YNH_WWW_ROOTPATH/admin { try_files $uri $uri/ YNH_WWW_ROOTAPP/admin.php?$query_string; } + index __LOCATION_HACK__/index.php; - location YNH_WWW_ROOTPATH/flarum { + # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 ) + location __LOCATION_HACK__/ { try_files $uri $uri/ __PATH_HACK__/index.php?$query_string; } + location __LOCATION_HACK__/api { try_files $uri $uri/ __PATH_HACK__/api.php?$query_string; } + location __LOCATION_HACK__/admin { try_files $uri $uri/ __PATH_HACK__/admin.php?$query_string; } + + location __LOCATION_HACK__/flarum { deny all; return 404; } @@ -27,7 +27,7 @@ location ^~ __PATH__ { fastcgi_index index.php; fastcgi_read_timeout 600; } - + location ~* \.html$ { expires -1; } diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index eb22ecc..7bdad38 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -43,14 +43,14 @@ listen = /var/run/php5-fpm-__USER__.sock ; BSD-derived systems allow connections regardless of permissions. ; Default Values: user and group are set as the running user ; mode is set to 0666 -listen.owner = www-data +listen.owner = __USER__ listen.group = www-data -listen.mode = 0600 +listen.mode = 0660 ; Unix user/group of processes ; Note: The user is mandatory. If the group is not set, the default user's group ; will be used. -user = www-data +user = __USER__ group = www-data ; Choose how the process manager will control the number of child processes. 
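Review bot: The rewritten block denies only `__LOCATION_HACK__/flarum`, while the same commit installs `composer.phar` into the web root and sets `COMPOSER_HOME` to `__FINALPATH__/.composer` (scripts/_common.sh, conf/php-fpm.conf); with `alias __FINALPATH__/` and `try_files $uri …` nginx would presumably serve those paths as static files, including any `.composer/auth.json` or cache contents. Add, alongside the `/flarum` rule, a deny for dotfiles and for the phar: `location ~ /\. { deny all; return 404; }` and `location ~ /composer\.phar$ { deny all; return 404; }`. Nested regex locations are matched against the full request URI, so they do not need the `__LOCATION_HACK__` prefix.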
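Review bot: With `user = __USER__` the pool worker now runs as the same account that scripts/install makes owner of the whole tree (`chown -R $app:www-data $final_path` followed by `chmod -R 0775 $final_path` in the first install hunk), so PHP executing in the pool can rewrite the application's own PHP sources, the Composer phar and whatever Composer installs; that is wider than "app user ownership" needs. Consider keeping the code read-only for the pool user (root- or www-data-owned, group-readable) and giving `$app` write access only to the directories Flarum writes at runtime (verify which), and apply the same split in the install hunk. The socket part is consistent on its own: `listen.owner = __USER__` with `listen.group = www-data` and `listen.mode = 0660` still lets nginx's www-data connect.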
@@ -249,4 +249,4 @@ php_value[max_input_time] = 600 ;php_value[memory_limit] = 256M ;php_value[short_open_tag] = On -env[COMPOSER_HOME]= /opt/__USER___composer' +env[COMPOSER_HOME]= "__FINALPATH__/.composer" diff --git a/scripts/_common.sh b/scripts/_common.sh index f109514..cd38698 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -1,14 +1,50 @@ # Execute a command as another user # usage: exec_as USER COMMAND [ARG ...] exec_as() { - local USER=$1 - shift 1 + local USER=$1 + shift 1 - if [[ $USER = $(whoami) ]]; then - eval "$@" - else - sudo -u "$USER" "$@" - fi + if [[ $USER = $(whoami) ]] + then + eval $@ + else + sudo -u "$USER" $@ + fi +} + +# Execute a composer command from a given directory +# usage: composer_exec AS_USER WORKDIR COMMAND [ARG ...] +exec_composer() { + local AS_USER=$1 + local WORKDIR=$2 + shift 2 + + # Do not run composer as root + if [ $AS_USER = "root" ] ; then ynh_die "Do not run composer as root" ; fi + + exec_as "$AS_USER" COMPOSER_HOME="${WORKDIR}/.composer" \ + php "${WORKDIR}/composer.phar" $@ \ + -d "${WORKDIR}" -d memory_limit=-1 --quiet --no-interaction +} + +# Install and initialize Composer in the given directory +# usage: init_composer destdir +init_composer() { + local AS_USER=$1 + local WORKDIR=$2 + + # Do not install composer as root + if [ $AS_USER = "root" ] ; then ynh_die "Do not install composer as root" ; fi + + # install composer + curl -sS https://getcomposer.org/installer \ + | COMPOSER_HOME="${WORKDIR}/.composer" \ + php -- --quiet --install-dir="$WORKDIR" \ + || ynh_die "Unable to install Composer" + + # update dependencies to create composer.lock + #exec_composer "$AS_USER" "$WORKDIR" install --no-dev \ + # || ynh_die "Unable to update core dependencies with Composer" } # Send an email to inform the administrator diff --git a/scripts/install b/scripts/install index d2fe12d..250f9f7 100644 --- a/scripts/install +++ b/scripts/install 
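Review bot: `init_composer` pipes the installer from getcomposer.org straight into `php`, dropping the SHA-384 comparison against `installer.sig` that the block removed from scripts/install (first install hunk) performed, so a tampered or truncated download is executed unverified; the excerpt below restores that check before the installer runs. In `exec_composer` both `-d` flags come after `composer.phar`, so Composer rather than php parses them (Composer's `-d` is `--working-dir`) and `-d memory_limit=-1` presumably fails as an invalid working directory; the php ini switch belongs before the phar: `php -d memory_limit=-1 "${WORKDIR}/composer.phar" $@ -d "${WORKDIR}" --quiet --no-interaction`. The unquoted `$@` in the rewritten `exec_as` and in `exec_composer` re-introduces word splitting and globbing, and the callers in scripts/install (hunks at `@@ -121` and `@@ -191`) now pass the whole command as one string and depend on it, which breaks for any argument containing spaces or `*`; prefer `"$@"` with callers passing separate words. The header comment `# usage: init_composer destdir` no longer matches the two-argument signature; make it `# usage: init_composer AS_USER WORKDIR`.
```shell
init_composer() {
    local AS_USER=$1
    local WORKDIR=$2
    # … unchanged: refuse to install as root …
    # Verify the installer against the published SHA-384 before executing it
    local expected_sig actual_sig
    expected_sig=$(curl -sS https://composer.github.io/installer.sig) \
        || ynh_die "Unable to fetch Composer installer signature"
    curl -sS https://getcomposer.org/installer -o "${WORKDIR}/composer-setup.php" \
        || ynh_die "Unable to download Composer installer"
    actual_sig=$(php -r "echo hash_file('SHA384', '${WORKDIR}/composer-setup.php');")
    [ "$expected_sig" = "$actual_sig" ] || ynh_die "Invalid Composer installer signature"
    exec_as "$AS_USER" COMPOSER_HOME="${WORKDIR}/.composer" \
        php "${WORKDIR}/composer-setup.php" --quiet --install-dir="$WORKDIR" \
        || ynh_die "Unable to install Composer"
    ynh_secure_remove "${WORKDIR}/composer-setup.php"
    # … unchanged: commented-out dependency update …
}
```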
@@ -72,43 +72,18 @@ ynh_app_setting_set $app final_path $final_path # CREATE DEDICATED USER #=================================================== -ynh_system_user_create $app "$final_path" +ynh_system_user_create $app $final_path sudo usermod -a -G www-data $app +# Create working directory +sudo mkdir -p "$final_path/.composer" +sudo chown -R $app:www-data $final_path +sudo chmod -R 0775 $final_path #================================================= # COMPOSER INSTALLATION #================================================= -composer_path=/opt/${app}_composer -# Test if composer is installed -if ! type "${composer_path}/composer" > /dev/null; then - - # Prepare composer directories - sudo mkdir -p $composer_path - sudo mkdir -p $composer_path/cache - sudo chown -R $app:www-data $composer_path - sudo chmod -R 0775 $composer_path - - # Install composer (https://getcomposer.org) - EXPECTED_SIGNATURE=$(wget https://composer.github.io/installer.sig -O - -q) - php -r "copy('https://getcomposer.org/installer', '$composer_path/composer-setup.php');" - ACTUAL_SIGNATURE=$(php -r "echo hash_file('SHA384', '$composer_path/composer-setup.php');") - if [ "$EXPECTED_SIGNATURE" = "$ACTUAL_SIGNATURE" ] - then - sudo su - $app -s /bin/bash -c "php $composer_path/composer-setup.php --install-dir=$composer_path --filename=composer --quiet" - RESULT=$? - else - >&2 echo 'ERROR: Invalid Composer installer signature' - RESULT=1 - fi - if [ $RESULT != 0 ] - then - ynh_die 'Composer could not be installed' - fi - -fi - -COMPOSER_HOME=$composer_path +init_composer $app $final_path #================================================= # FLARUM INSTALLATION 
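Review bot: The new `ynh_system_user_create $app $final_path` drops the quotes the previous line carried, and `sudo chown -R $app:www-data $final_path` / `sudo chmod -R 0775 $final_path` are unquoted while `sudo mkdir -p "$final_path/.composer"` just above is quoted; a final_path containing whitespace would be split into several arguments, and a recursive chmod on the wrong path is hard to undo. Quote `"$final_path"` on all three lines, matching the `mkdir` line. Note also that `init_composer $app $final_path` runs here as the script's own user (presumably root, given the selective `sudo` calls), and the `curl | php` inside it runs as that user too, since its `AS_USER` check only inspects the argument; the phar is therefore root-owned until the later `chown -R`.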
@@ -121,12 +96,13 @@ sudo chown -R $app:www-data $tmp sudo chmod -R 0775 $tmp # Install Flarum -sudo su - $app -s /bin/bash -c "php -d memory_limit=-1 $composer_path/composer create-project flarum/flarum $tmp $flarum_version --stability=beta --ansi" +exec_composer $app $final_path "create-project flarum/flarum $tmp $flarum_version --stability=beta --ansi" +# Copy Flarum to working directory and clean temp directory sudo cp -Rf $tmp/* $final_path sudo chown -R $app:www-data $final_path -sudo chmod 0775 -R $final_path -ynh_secure_remove "$tmp" +sudo chmod -R 0775 $final_path +ynh_secure_remove $tmp #================================================= # CREATE A MYSQL DATABASE @@ -143,11 +119,11 @@ ynh_app_setting_set "$app" db_pwd "$db_pwd" # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 ) if [ $path_url = "/" ]; then - sed -i "s@YNH_WWW_ROOTPATH@@g" ../conf/nginx.conf - sed -i "s@YNH_WWW_ROOTAPP@/@g" ../conf/nginx.conf + sed -i "s@__LOCATION_HACK__@@g" ../conf/nginx.conf + sed -i "s@__PATH_HACK__@/@g" ../conf/nginx.conf else - sed -i "s@YNH_WWW_ROOTPATH@$path_url@g" ../conf/nginx.conf - sed -i "s@YNH_WWW_ROOTAPP@$path_url$path_url@g" ../conf/nginx.conf + sed -i "s@__LOCATION_HACK__@$path_url@g" ../conf/nginx.conf + sed -i "s@__PATH_HACK__@$path_url$path_url@g" ../conf/nginx.conf fi # Create a dedicated nginx config ynh_add_nginx_config 
@@ -191,27 +167,31 @@ systemctl reload nginx # FLARUM POST-INSTALL #================================================= -# Only if admin user or title were specified if [[ -n $admin && -n $title ]]; then + # If admin user and title were specified, start post-installation + # Copy the configuration.yml to working directory finalflarumconf="$final_path/configuration.yml" - cp ../sources/configuration.yml $finalflarumconf + cp ../conf/configuration.yml $finalflarumconf + # Generate admin password and retrieve their email address admin_pwd=$(ynh_string_random 8) - sed -i "s@YNH_APP_DOMAIN@$domain@g" $finalflarumconf - sed -i "s@/YNH_WWW_PATH@$path_url@g" $finalflarumconf - sed -i "s@YNH_WWW_APP@$app@g" $finalflarumconf - sed -i "s@YNH_DB_PASS@$db_pwd@g" $finalflarumconf - sed -i "s@YNH_ADMIN_USER@$admin@g" $finalflarumconf - sed -i "s@YNH_ADMIN_PASS@$admin_pwd@g" $finalflarumconf admin_mail=$(ynh_user_get_info $admin mail) - sed -i "s%YNH_ADMIN_EMAIL%$admin_mail%g" $finalflarumconf - sed -i "s@YNH_FORUM_TITLE@$title@g" $finalflarumconf - cd "$final_path" - exec_as www-data \ - php -d memory_limit=-1 flarum install -f configuration.yml + # Populate configuration.yml + sed -i "s@__DOMAIN__@$domain@g" $finalflarumconf + sed -i "s@/__PATH__@$path_url@g" $finalflarumconf + sed -i "s@__USER__@$app@g" $finalflarumconf + sed -i "s@__DB_PWD__@$db_pwd@g" $finalflarumconf + sed -i "s@__ADMIN__@$admin@g" $finalflarumconf + sed -i "s@__ADMIN_PWD__@$admin_pwd@g" $finalflarumconf + sed -i "s%__ADMIN_EML__%$admin_mail%g" $finalflarumconf + sed -i "s@__FORUM_TITLE__@$title@g" $finalflarumconf + # Execute post-installation + cd $final_path + exec_as $app "php -d memory_limit=-1 flarum install -f configuration.yml" + # Delete configuration.yml as it sensitive data ynh_secure_remove $finalflarumconf # Install the SSOwat auth extension - sudo su - www-data -s /bin/bash -c "cd $final_path && $composer_path/composer require 'tituspijean/flarum-ext-auth-ssowat:*@dev' --ansi" + exec_composer 
$app $final_path "require tituspijean/flarum-ext-auth-ssowat:*@dev --ansi"
 # Configure SSOwat auth extension
 ssowatdomain=$(&2 echo $app_message
 ynh_send_readme_to_admin "$app_message" "$admin"
 else
+ # If admin user and title were not specified, ask admin to perform manual post-installation
 app_message="Post-installation required, visit your Flarum instance."
 >&2 echo $app_message
 ynh_send_readme_to_admin "$app_message" "$admin"
diff --git a/scripts/remove b/scripts/remove
index 32b8caf..62da0f0 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -34,7 +34,6 @@ ynh_mysql_remove_db $db_user $db_name
 # Remove the app directory securely
 ynh_secure_remove "$final_path"
 ynh_secure_remove "/tmp/$app"
-ynh_secure_remove "/opt/${app}_composer"
 #=================================================
 # REMOVE NGINX CONFIGURATION
@@ -65,4 +64,3 @@ ynh_remove_logrotate
 # Delete a system user
 ynh_system_user_delete $app
-
diff --git a/sources/configuration.yml b/sources/configuration.yml
deleted file mode 100644
index 829ea86..0000000
--- a/sources/configuration.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-baseUrl : "https://YNH_APP_DOMAIN/YNH_WWW_PATH"
-databaseConfiguration :
- host : "localhost"
- database : "YNH_WWW_APP"
- username : "YNH_WWW_APP"
- password : "YNH_DB_PASS"
-adminUser :
- username : "YNH_ADMIN_USER"
- password : "YNH_ADMIN_PASS"
- password_confirmation : "YNH_ADMIN_PASS"
- email : "YNH_ADMIN_EMAIL"
-settings :
- forum_title : "YNH_FORUM_TITLE"
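Review bot: The `sed -i` substitutions interpolate `$title`, `$db_pwd`, `$admin_pwd` and `$admin_mail` unescaped into the expression, so a forum title containing `@` breaks the command and `&` or `\` corrupts the written value (the title is admin-supplied); escape those characters before substituting, or write the file from a here-document instead of eight sed passes. The `cp ../conf/configuration.yml $finalflarumconf` line creates a file holding the database and admin passwords with the default mode inside the nginx alias root; it is removed at the end of the branch, but until then it is presumably world-readable and reachable through `try_files $uri`, so create it restricted, e.g. `install -o $app -m 0600 ../conf/configuration.yml $finalflarumconf`. The comment `# Delete configuration.yml as it sensitive data` should read `# Delete configuration.yml as it contains sensitive data`. The enclosing `if [[ -n $admin && -n $title ]]` / `else` block runs past the end of the hunk, and part of its middle is garbled in this rendering.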