App user ownership and change composer directory

conf/configuration.yml

@@ -0,0 +1,13 @@
+baseUrl : "https://__DOMAIN__/__PATH__"
+databaseConfiguration :
+    host : "localhost"
+    database : "__USER__"
+    username : "__USER__"
+    password : "__DB_PWD__"
+adminUser :
+    username : "__ADMIN__"
+    password : "__ADMIN_PWD__"
+    password_confirmation : "__ADMIN_PWD__"
+    email : "__ADMIN_EML__"
+settings :
+    forum_title : "__FORUM_TITLE__"

conf/nginx.conf

@@ -6,14 +6,14 @@ location ^~ __PATH__ {
 
     alias __FINALPATH__/;
     try_files $uri $uri/ /index.php?$query_string;
-    index YNH_WWW_ROOTPATH/index.php;
+    index __LOCATION_HACK__/index.php;
 
     # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 )
-    location YNH_WWW_ROOTPATH/ { try_files $uri $uri/ YNH_WWW_ROOTAPP/index.php?$query_string; }
-    location YNH_WWW_ROOTPATH/api { try_files $uri $uri/ YNH_WWW_ROOTAPP/api.php?$query_string; }
-    location YNH_WWW_ROOTPATH/admin { try_files $uri $uri/ YNH_WWW_ROOTAPP/admin.php?$query_string; }
+    location __LOCATION_HACK__/ { try_files $uri $uri/ __PATH_HACK__/index.php?$query_string; }
+    location __LOCATION_HACK__/api { try_files $uri $uri/ __PATH_HACK__/api.php?$query_string; }
+    location __LOCATION_HACK__/admin { try_files $uri $uri/ __PATH_HACK__/admin.php?$query_string; }
 
-    location YNH_WWW_ROOTPATH/flarum {
+    location __LOCATION_HACK__/flarum {
         deny all;
         return 404;
     }

conf/php-fpm.conf

@@ -43,14 +43,14 @@ listen = /var/run/php5-fpm-__USER__.sock
 ; BSD-derived systems allow connections regardless of permissions.
 ; Default Values: user and group are set as the running user
 ;                 mode is set to 0666
-listen.owner = www-data
+listen.owner = __USER__
 listen.group = www-data
-listen.mode = 0600
+listen.mode = 0660
 
 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ;       will be used.
-user = www-data
+user = __USER__
 group = www-data
 
 ; Choose how the process manager will control the number of child processes.
@@ -249,4 +249,4 @@ php_value[max_input_time] = 600
 ;php_value[memory_limit] = 256M
 ;php_value[short_open_tag] = On
 
-env[COMPOSER_HOME]= /opt/__USER___composer'
+env[COMPOSER_HOME]= "__FINALPATH__/.composer"

scripts/_common.sh

@@ -4,13 +4,49 @@ exec_as() {
 	local USER=$1
 	shift 1
 
-  if [[ $USER = $(whoami) ]]; then
-    eval "$@"
+	if [[ $USER = $(whoami) ]]
+	then
+		eval $@
 	else
-    sudo -u "$USER" "$@"
+		sudo -u "$USER" $@
 	fi
 }
 
+# Execute a composer command from a given directory
+# usage: composer_exec AS_USER WORKDIR COMMAND [ARG ...]
+exec_composer() {
+	local AS_USER=$1
+	local WORKDIR=$2
+	shift 2
+
+  # Do not run composer as root
+  if [ $AS_USER = "root" ] ; then ynh_die "Do not run composer as root" ; fi
+
+	exec_as "$AS_USER" COMPOSER_HOME="${WORKDIR}/.composer" \
+		php "${WORKDIR}/composer.phar" $@ \
+		-d "${WORKDIR}" -d memory_limit=-1 --quiet --no-interaction
+}
+
+# Install and initialize Composer in the given directory
+# usage: init_composer destdir
+init_composer() {
+	local AS_USER=$1
+	local WORKDIR=$2
+
+  # Do not install composer as root
+  if [ $AS_USER = "root" ] ; then ynh_die "Do not install composer as root" ; fi
+
+	# install composer
+	curl -sS https://getcomposer.org/installer \
+		| COMPOSER_HOME="${WORKDIR}/.composer" \
+		php -- --quiet --install-dir="$WORKDIR" \
+		|| ynh_die "Unable to install Composer"
+
+	# update dependencies to create composer.lock
+	#exec_composer "$AS_USER" "$WORKDIR" install --no-dev \
+	#	|| ynh_die "Unable to update core dependencies with Composer"
+}
+
 # Send an email to inform the administrator
 #
 # usage: ynh_send_readme_to_admin app_message [recipients]

scripts/install

@@ -72,43 +72,18 @@ ynh_app_setting_set $app final_path $final_path
 # CREATE DEDICATED USER
 #===================================================
 
-ynh_system_user_create $app "$final_path"
+ynh_system_user_create $app $final_path
 sudo usermod -a -G www-data $app
+# Create working directory
+sudo mkdir -p "$final_path/.composer"
+sudo chown -R $app:www-data $final_path
+sudo chmod -R 0775 $final_path
 
 #=================================================
 # COMPOSER INSTALLATION
 #=================================================
 
-composer_path=/opt/${app}_composer
-# Test if composer is installed
-if ! type "${composer_path}/composer" > /dev/null; then
-
-  # Prepare composer directories
-  sudo mkdir -p $composer_path
-  sudo mkdir -p $composer_path/cache
-  sudo chown -R $app:www-data $composer_path
-  sudo chmod -R 0775 $composer_path
-
-  # Install composer (https://getcomposer.org)
-  EXPECTED_SIGNATURE=$(wget https://composer.github.io/installer.sig -O - -q)
-  php -r "copy('https://getcomposer.org/installer', '$composer_path/composer-setup.php');"
-  ACTUAL_SIGNATURE=$(php -r "echo hash_file('SHA384', '$composer_path/composer-setup.php');")
-  if [ "$EXPECTED_SIGNATURE" = "$ACTUAL_SIGNATURE" ]
-  then
-    sudo su - $app -s /bin/bash -c "php $composer_path/composer-setup.php --install-dir=$composer_path --filename=composer --quiet"
-    RESULT=$?
-  else
-    >&2 echo 'ERROR: Invalid Composer installer signature'
-    RESULT=1
-  fi
-  if [ $RESULT != 0 ]
-  then
-    ynh_die 'Composer could not be installed'
-  fi
-
-fi
-
-COMPOSER_HOME=$composer_path
+init_composer $app $final_path
 
 #=================================================
 # FLARUM INSTALLATION
@@ -121,12 +96,13 @@ sudo chown -R $app:www-data $tmp
 sudo chmod -R 0775 $tmp
 
 # Install Flarum
-sudo su - $app -s /bin/bash -c "php -d memory_limit=-1 $composer_path/composer create-project flarum/flarum $tmp $flarum_version --stability=beta --ansi"
+exec_composer $app $final_path "create-project flarum/flarum $tmp $flarum_version --stability=beta --ansi"
 
+# Copy Flarum to working directory and clean temp directory
 sudo cp -Rf $tmp/* $final_path
 sudo chown -R $app:www-data $final_path
-sudo chmod 0775 -R $final_path
-ynh_secure_remove "$tmp"
+sudo chmod -R 0775 $final_path
+ynh_secure_remove $tmp
 
 #=================================================
 # CREATE A MYSQL DATABASE
@@ -143,11 +119,11 @@ ynh_app_setting_set "$app" db_pwd "$db_pwd"
 
 # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 )
 if [ $path_url = "/" ]; then
-  sed -i "s@YNH_WWW_ROOTPATH@@g" ../conf/nginx.conf
-  sed -i "s@YNH_WWW_ROOTAPP@/@g" ../conf/nginx.conf
+  sed -i "s@__LOCATION_HACK__@@g" ../conf/nginx.conf
+  sed -i "s@__PATH_HACK__@/@g" ../conf/nginx.conf
 else
-  sed -i "s@YNH_WWW_ROOTPATH@$path_url@g" ../conf/nginx.conf
-  sed -i "s@YNH_WWW_ROOTAPP@$path_url$path_url@g" ../conf/nginx.conf
+  sed -i "s@__LOCATION_HACK__@$path_url@g" ../conf/nginx.conf
+  sed -i "s@__PATH_HACK__@$path_url$path_url@g" ../conf/nginx.conf
 fi
 # Create a dedicated nginx config
 ynh_add_nginx_config
@@ -191,27 +167,31 @@ systemctl reload nginx
 # FLARUM POST-INSTALL
 #=================================================
 
-# Only if admin user or title were specified
 if [[ -n $admin && -n $title ]]; then
+  # If admin user and title were specified, start post-installation
+  # Copy the configuration.yml to working directory
   finalflarumconf="$final_path/configuration.yml"
-  cp ../sources/configuration.yml $finalflarumconf
+  cp ../conf/configuration.yml $finalflarumconf
+  # Generate admin password and retrieve their email address
   admin_pwd=$(ynh_string_random 8)
-  sed -i "s@YNH_APP_DOMAIN@$domain@g" $finalflarumconf
-  sed -i "s@/YNH_WWW_PATH@$path_url@g" $finalflarumconf
-  sed -i "s@YNH_WWW_APP@$app@g" $finalflarumconf
-  sed -i "s@YNH_DB_PASS@$db_pwd@g" $finalflarumconf
-  sed -i "s@YNH_ADMIN_USER@$admin@g" $finalflarumconf
-  sed -i "s@YNH_ADMIN_PASS@$admin_pwd@g" $finalflarumconf
   admin_mail=$(ynh_user_get_info $admin mail)
-  sed -i "s%YNH_ADMIN_EMAIL%$admin_mail%g" $finalflarumconf
-  sed -i "s@YNH_FORUM_TITLE@$title@g" $finalflarumconf
-  cd "$final_path"
-  exec_as www-data \
-    php -d memory_limit=-1 flarum install -f configuration.yml
+  # Populate configuration.yml
+  sed -i "s@__DOMAIN__@$domain@g" $finalflarumconf
+  sed -i "s@/__PATH__@$path_url@g" $finalflarumconf
+  sed -i "s@__USER__@$app@g" $finalflarumconf
+  sed -i "s@__DB_PWD__@$db_pwd@g" $finalflarumconf
+  sed -i "s@__ADMIN__@$admin@g" $finalflarumconf
+  sed -i "s@__ADMIN_PWD__@$admin_pwd@g" $finalflarumconf
+  sed -i "s%__ADMIN_EML__%$admin_mail%g" $finalflarumconf
+  sed -i "s@__FORUM_TITLE__@$title@g" $finalflarumconf
+  # Execute post-installation
+  cd $final_path
+  exec_as $app "php -d memory_limit=-1 flarum install -f configuration.yml"
+  # Delete configuration.yml as it sensitive data
   ynh_secure_remove $finalflarumconf
 
   # Install the SSOwat auth extension
-  sudo su - www-data -s /bin/bash -c "cd $final_path && $composer_path/composer require 'tituspijean/flarum-ext-auth-ssowat:*@dev' --ansi"
+  exec_composer $app $final_path "require tituspijean/flarum-ext-auth-ssowat:*@dev --ansi"
 
   # Configure SSOwat auth extension
   ssowatdomain=$(</etc/yunohost/current_host)
@@ -219,19 +199,23 @@ if [[ -n $admin && -n $title ]]; then
   ynh_mysql_execute_as_root "$sql_command" $db_name
 
   # Enable SSOwat auth extension
+  # Retrieve current enabled extensions
   sql_command="SELECT \`value\` FROM settings WHERE \`key\` = 'extensions_enabled'"
   old_extensions_enabled=$(ynh_mysql_execute_as_root "$sql_command" $db_name | tail -1)
+  # Append the extension name at the end of the list
   addition=",\"tituspijean-auth-ssowat\"]"
   new_extensions_enabled=${old_extensions_enabled::-1}$addition
   sql_command="UPDATE \`settings\` SET \`value\`='$new_extensions_enabled' WHERE \`key\`='extensions_enabled';"
   ynh_mysql_execute_as_root "$sql_command" $db_name
 
+  # Send login credentials to admin
   app_message="User : $admin, password : $admin_pwd
   Change your password!
   Your forum is accessible at https://$domain$path_url"
   >&2 echo $app_message
   ynh_send_readme_to_admin "$app_message" "$admin"
 else
+  # If admin user and title were not specified, ask admin to perform manual post-installation
   app_message="Post-installation required, visit your Flarum instance."
   >&2 echo $app_message
   ynh_send_readme_to_admin "$app_message" "$admin"

scripts/remove

@@ -34,7 +34,6 @@ ynh_mysql_remove_db $db_user $db_name
 # Remove the app directory securely
 ynh_secure_remove "$final_path"
 ynh_secure_remove "/tmp/$app"
-ynh_secure_remove "/opt/${app}_composer"
 
 #=================================================
 # REMOVE NGINX CONFIGURATION
@@ -65,4 +64,3 @@ ynh_remove_logrotate
 
 # Delete a system user
 ynh_system_user_delete $app
-

sources/configuration.yml

@@ -1,13 +0,0 @@
-baseUrl : "https://YNH_APP_DOMAIN/YNH_WWW_PATH"
-databaseConfiguration :
-    host : "localhost"
-    database : "YNH_WWW_APP"
-    username : "YNH_WWW_APP"
-    password : "YNH_DB_PASS"
-adminUser : 
-    username : "YNH_ADMIN_USER"
-    password : "YNH_ADMIN_PASS"
-    password_confirmation : "YNH_ADMIN_PASS"
-    email : "YNH_ADMIN_EMAIL"
-settings : 
-    forum_title : "YNH_FORUM_TITLE"