App user ownership and change composer directory

2024-09-03 18:36:24 +02:00 · 2018-02-15 18:37:46 +01:00 · 2018-02-15 18:37:46 +01:00 · 4d8aa27cb0
commit 4d8aa27cb0
parent 1444cf4166
7 changed files with 106 additions and 88 deletions
--- a/conf/configuration.yml
+++ b/conf/configuration.yml
@ -0,0 +1,13 @@
+baseUrl : "https://__DOMAIN__/__PATH__"
+databaseConfiguration :
+    host : "localhost"
+    database : "__USER__"
+    username : "__USER__"
+    password : "__DB_PWD__"
+adminUser :
+    username : "__ADMIN__"
+    password : "__ADMIN_PWD__"
+    password_confirmation : "__ADMIN_PWD__"
+    email : "__ADMIN_EML__"
+settings :
+    forum_title : "__FORUM_TITLE__"
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -1,19 +1,19 @@
 location ^~ __PATH__ {
-    
+
    if ($scheme = http) {
 		rewrite ^ https://$server_name$request_uri? permanent;
    }
-    
+
    alias __FINALPATH__/;
    try_files $uri $uri/ /index.php?$query_string;
-    index YNH_WWW_ROOTPATH/index.php;
-    
-    # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 )
-    location YNH_WWW_ROOTPATH/ { try_files $uri $uri/ YNH_WWW_ROOTAPP/index.php?$query_string; }
-    location YNH_WWW_ROOTPATH/api { try_files $uri $uri/ YNH_WWW_ROOTAPP/api.php?$query_string; }
-    location YNH_WWW_ROOTPATH/admin { try_files $uri $uri/ YNH_WWW_ROOTAPP/admin.php?$query_string; }
+    index __LOCATION_HACK__/index.php;

-    location YNH_WWW_ROOTPATH/flarum {
+    # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 )
+    location __LOCATION_HACK__/ { try_files $uri $uri/ __PATH_HACK__/index.php?$query_string; }
+    location __LOCATION_HACK__/api { try_files $uri $uri/ __PATH_HACK__/api.php?$query_string; }
+    location __LOCATION_HACK__/admin { try_files $uri $uri/ __PATH_HACK__/admin.php?$query_string; }
+
+    location __LOCATION_HACK__/flarum {
        deny all;
        return 404;
    }
@ -27,7 +27,7 @@ location ^~ __PATH__ {
        fastcgi_index index.php;
        fastcgi_read_timeout 600;
    }
-    
+
    location ~* \.html$ {
        expires -1;
    }
--- a/conf/php-fpm.conf
+++ b/conf/php-fpm.conf
@ -43,14 +43,14 @@ listen = /var/run/php5-fpm-__USER__.sock
 ; BSD-derived systems allow connections regardless of permissions.
 ; Default Values: user and group are set as the running user
 ;                 mode is set to 0666
-listen.owner = www-data
+listen.owner = __USER__
 listen.group = www-data
-listen.mode = 0600
+listen.mode = 0660

 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ;       will be used.
-user = www-data
+user = __USER__
 group = www-data

 ; Choose how the process manager will control the number of child processes.
@ -249,4 +249,4 @@ php_value[max_input_time] = 600
 ;php_value[memory_limit] = 256M
 ;php_value[short_open_tag] = On

-env[COMPOSER_HOME]= /opt/__USER___composer'
+env[COMPOSER_HOME]= "__FINALPATH__/.composer"
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -1,14 +1,50 @@
 # Execute a command as another user
 # usage: exec_as USER COMMAND [ARG ...]
 exec_as() {
-  local USER=$1
-  shift 1
+	local USER=$1
+	shift 1

-  if [[ $USER = $(whoami) ]]; then
-    eval "$@"
-  else
-    sudo -u "$USER" "$@"
-  fi
+	if [[ $USER = $(whoami) ]]
+	then
+		eval $@
+	else
+		sudo -u "$USER" $@
+	fi
+}
+
+# Execute a composer command from a given directory
+# usage: composer_exec AS_USER WORKDIR COMMAND [ARG ...]
+exec_composer() {
+	local AS_USER=$1
+	local WORKDIR=$2
+	shift 2
+
+  # Do not run composer as root
+  if [ $AS_USER = "root" ] ; then ynh_die "Do not run composer as root" ; fi
+
+	exec_as "$AS_USER" COMPOSER_HOME="${WORKDIR}/.composer" \
+		php "${WORKDIR}/composer.phar" $@ \
+		-d "${WORKDIR}" -d memory_limit=-1 --quiet --no-interaction
+}
+
+# Install and initialize Composer in the given directory
+# usage: init_composer destdir
+init_composer() {
+	local AS_USER=$1
+	local WORKDIR=$2
+
+  # Do not install composer as root
+  if [ $AS_USER = "root" ] ; then ynh_die "Do not install composer as root" ; fi
+
+	# install composer
+	curl -sS https://getcomposer.org/installer \
+		| COMPOSER_HOME="${WORKDIR}/.composer" \
+		php -- --quiet --install-dir="$WORKDIR" \
+		|| ynh_die "Unable to install Composer"
+
+	# update dependencies to create composer.lock
+	#exec_composer "$AS_USER" "$WORKDIR" install --no-dev \
+	#	|| ynh_die "Unable to update core dependencies with Composer"
 }

 # Send an email to inform the administrator
--- a/scripts/install
+++ b/scripts/install
@ -72,43 +72,18 @@ ynh_app_setting_set $app final_path $final_path
 # CREATE DEDICATED USER
 #===================================================

-ynh_system_user_create $app "$final_path"
+ynh_system_user_create $app $final_path
 sudo usermod -a -G www-data $app
+# Create working directory
+sudo mkdir -p "$final_path/.composer"
+sudo chown -R $app:www-data $final_path
+sudo chmod -R 0775 $final_path

 #=================================================
 # COMPOSER INSTALLATION
 #=================================================

-composer_path=/opt/${app}_composer
-# Test if composer is installed
-if ! type "${composer_path}/composer" > /dev/null; then
-
-  # Prepare composer directories
-  sudo mkdir -p $composer_path
-  sudo mkdir -p $composer_path/cache
-  sudo chown -R $app:www-data $composer_path
-  sudo chmod -R 0775 $composer_path
-
-  # Install composer (https://getcomposer.org)
-  EXPECTED_SIGNATURE=$(wget https://composer.github.io/installer.sig -O - -q)
-  php -r "copy('https://getcomposer.org/installer', '$composer_path/composer-setup.php');"
-  ACTUAL_SIGNATURE=$(php -r "echo hash_file('SHA384', '$composer_path/composer-setup.php');")
-  if [ "$EXPECTED_SIGNATURE" = "$ACTUAL_SIGNATURE" ]
-  then
-    sudo su - $app -s /bin/bash -c "php $composer_path/composer-setup.php --install-dir=$composer_path --filename=composer --quiet"
-    RESULT=$?
-  else
-    >&2 echo 'ERROR: Invalid Composer installer signature'
-    RESULT=1
-  fi
-  if [ $RESULT != 0 ]
-  then
-    ynh_die 'Composer could not be installed'
-  fi
-
-fi
-
-COMPOSER_HOME=$composer_path
+init_composer $app $final_path

 #=================================================
 # FLARUM INSTALLATION
@ -121,12 +96,13 @@ sudo chown -R $app:www-data $tmp
 sudo chmod -R 0775 $tmp

 # Install Flarum
-sudo su - $app -s /bin/bash -c "php -d memory_limit=-1 $composer_path/composer create-project flarum/flarum $tmp $flarum_version --stability=beta --ansi"
+exec_composer $app $final_path "create-project flarum/flarum $tmp $flarum_version --stability=beta --ansi"

+# Copy Flarum to working directory and clean temp directory
 sudo cp -Rf $tmp/* $final_path
 sudo chown -R $app:www-data $final_path
-sudo chmod 0775 -R $final_path
-ynh_secure_remove "$tmp"
+sudo chmod -R 0775 $final_path
+ynh_secure_remove $tmp

 #=================================================
 # CREATE A MYSQL DATABASE
@ -143,11 +119,11 @@ ynh_app_setting_set "$app" db_pwd "$db_pwd"

 # Bug in Nginx with locations and aliases (see http://stackoverflow.com/a/35102259 )
 if [ $path_url = "/" ]; then
-  sed -i "s@YNH_WWW_ROOTPATH@@g" ../conf/nginx.conf
-  sed -i "s@YNH_WWW_ROOTAPP@/@g" ../conf/nginx.conf
+  sed -i "s@__LOCATION_HACK__@@g" ../conf/nginx.conf
+  sed -i "s@__PATH_HACK__@/@g" ../conf/nginx.conf
 else
-  sed -i "s@YNH_WWW_ROOTPATH@$path_url@g" ../conf/nginx.conf
-  sed -i "s@YNH_WWW_ROOTAPP@$path_url$path_url@g" ../conf/nginx.conf
+  sed -i "s@__LOCATION_HACK__@$path_url@g" ../conf/nginx.conf
+  sed -i "s@__PATH_HACK__@$path_url$path_url@g" ../conf/nginx.conf
 fi
 # Create a dedicated nginx config
 ynh_add_nginx_config
@ -191,27 +167,31 @@ systemctl reload nginx
 # FLARUM POST-INSTALL
 #=================================================

-# Only if admin user or title were specified
 if [[ -n $admin && -n $title ]]; then
+  # If admin user and title were specified, start post-installation
+  # Copy the configuration.yml to working directory
  finalflarumconf="$final_path/configuration.yml"
-  cp ../sources/configuration.yml $finalflarumconf
+  cp ../conf/configuration.yml $finalflarumconf
+  # Generate admin password and retrieve their email address
  admin_pwd=$(ynh_string_random 8)
-  sed -i "s@YNH_APP_DOMAIN@$domain@g" $finalflarumconf
-  sed -i "s@/YNH_WWW_PATH@$path_url@g" $finalflarumconf
-  sed -i "s@YNH_WWW_APP@$app@g" $finalflarumconf
-  sed -i "s@YNH_DB_PASS@$db_pwd@g" $finalflarumconf
-  sed -i "s@YNH_ADMIN_USER@$admin@g" $finalflarumconf
-  sed -i "s@YNH_ADMIN_PASS@$admin_pwd@g" $finalflarumconf
  admin_mail=$(ynh_user_get_info $admin mail)
-  sed -i "s%YNH_ADMIN_EMAIL%$admin_mail%g" $finalflarumconf
-  sed -i "s@YNH_FORUM_TITLE@$title@g" $finalflarumconf
-  cd "$final_path"
-  exec_as www-data \
-    php -d memory_limit=-1 flarum install -f configuration.yml
+  # Populate configuration.yml
+  sed -i "s@__DOMAIN__@$domain@g" $finalflarumconf
+  sed -i "s@/__PATH__@$path_url@g" $finalflarumconf
+  sed -i "s@__USER__@$app@g" $finalflarumconf
+  sed -i "s@__DB_PWD__@$db_pwd@g" $finalflarumconf
+  sed -i "s@__ADMIN__@$admin@g" $finalflarumconf
+  sed -i "s@__ADMIN_PWD__@$admin_pwd@g" $finalflarumconf
+  sed -i "s%__ADMIN_EML__%$admin_mail%g" $finalflarumconf
+  sed -i "s@__FORUM_TITLE__@$title@g" $finalflarumconf
+  # Execute post-installation
+  cd $final_path
+  exec_as $app "php -d memory_limit=-1 flarum install -f configuration.yml"
+  # Delete configuration.yml as it sensitive data
  ynh_secure_remove $finalflarumconf

  # Install the SSOwat auth extension
-  sudo su - www-data -s /bin/bash -c "cd $final_path && $composer_path/composer require 'tituspijean/flarum-ext-auth-ssowat:*@dev' --ansi"
+  exec_composer $app $final_path "require tituspijean/flarum-ext-auth-ssowat:*@dev --ansi"

  # Configure SSOwat auth extension
  ssowatdomain=$(</etc/yunohost/current_host)
@ -219,19 +199,23 @@ if [[ -n $admin && -n $title ]]; then
  ynh_mysql_execute_as_root "$sql_command" $db_name

  # Enable SSOwat auth extension
+  # Retrieve current enabled extensions
  sql_command="SELECT \`value\` FROM settings WHERE \`key\` = 'extensions_enabled'"
  old_extensions_enabled=$(ynh_mysql_execute_as_root "$sql_command" $db_name | tail -1)
+  # Append the extension name at the end of the list
  addition=",\"tituspijean-auth-ssowat\"]"
  new_extensions_enabled=${old_extensions_enabled::-1}$addition
  sql_command="UPDATE \`settings\` SET \`value\`='$new_extensions_enabled' WHERE \`key\`='extensions_enabled';"
  ynh_mysql_execute_as_root "$sql_command" $db_name

+  # Send login credentials to admin
  app_message="User : $admin, password : $admin_pwd
  Change your password!
  Your forum is accessible at https://$domain$path_url"
  >&2 echo $app_message
  ynh_send_readme_to_admin "$app_message" "$admin"
 else
+  # If admin user and title were not specified, ask admin to perform manual post-installation
  app_message="Post-installation required, visit your Flarum instance."
  >&2 echo $app_message
  ynh_send_readme_to_admin "$app_message" "$admin"
--- a/scripts/remove
+++ b/scripts/remove
@ -34,7 +34,6 @@ ynh_mysql_remove_db $db_user $db_name
 # Remove the app directory securely
 ynh_secure_remove "$final_path"
 ynh_secure_remove "/tmp/$app"
-ynh_secure_remove "/opt/${app}_composer"

 #=================================================
 # REMOVE NGINX CONFIGURATION
@ -65,4 +64,3 @@ ynh_remove_logrotate

 # Delete a system user
 ynh_system_user_delete $app
-
--- a/sources/configuration.yml
+++ b/sources/configuration.yml
@ -1,13 +0,0 @@
-baseUrl : "https://YNH_APP_DOMAIN/YNH_WWW_PATH"
-databaseConfiguration :
-    host : "localhost"
-    database : "YNH_WWW_APP"
-    username : "YNH_WWW_APP"
-    password : "YNH_DB_PASS"
-adminUser : 
-    username : "YNH_ADMIN_USER"
-    password : "YNH_ADMIN_PASS"
-    password_confirmation : "YNH_ADMIN_PASS"
-    email : "YNH_ADMIN_EMAIL"
-settings : 
-    forum_title : "YNH_FORUM_TITLE"