update login source to ldap-simple

doc/ADMIN.md

@@ -1,5 +1,15 @@
 ## Additional informations
 
+### Known issue about admin access
+This package ask during its installation which group of users should be considered as forgejo administrators. These users should be able to access the admin page of forgejo. But they won't :(
+Two forgejo features are not yet compatible :
+- the reverse proxy authentication (which allows yunohost user to be automatically logged in forgejo)
+- the login source (which tells forgejo to check yunohost users base to know if it is an admin or not)
+
+The choice have been done to keep the reverse proxy authentication. But an [issue](https://codeberg.org/forgejo/forgejo/issues/930) is created to have both features.
+
+In conclusion, this forgejo installation does not (yet) allow to access the forgejo admin page.
+
 ### Notes on SSH usage
 
 If you want to use Forgejo with SSH and be able to pull/push with your SSH key, your SSH daemon must be properly configured to use private/public keys. Here is a sample configuration `/etc/ssh/sshd_config` that works with Forgejo:

manifest.toml

@@ -5,7 +5,7 @@ name = "Forgejo"
 description.en = "Lightweight software forge"
 description.fr = "Forge logiciel légère"
 
-version = "1.19.3-0~ynh1"
+version = "1.19.3-0~ynh2"
 
 maintainers = ["Emmanuel Averty"]
 
@@ -34,15 +34,16 @@ ram.runtime = "2G"
     type = "path"
     default = "/forgejo"
 
-    [install.admin]
-    type = "user"
-
     [install.init_main_permission]
-    help.en = "If enabled, Forgejo will be accessible by people who do not have an account. This can be changed later via the webadmin."
-    help.fr = "Si cette case est cochée, Forgejo sera accessible aux personnes n’ayant pas de compte. Vous pourrez changer ceci plus tard via la webadmin."
     type = "group"
     default = "visitors"
 
+    [install.init_admin_permission]
+    help.en = "Users of this group should have access to Forgejo admin page (but the won't : see application description in yunohost admin)"
+    help.fr = "Les utilisateurs de ce groupe devrait avoir accès à la page d'administration de Forgejo (mais cela ne fonctionne pas : voir la description de l'application dans l'administration de yunohost"
+    type = "group"
+    default = "admins"
+
 [resources]
     [resources.sources.main]
     amd64.url = "https://codeberg.org/attachments/8dc303a9-8a4e-416c-8d6c-62e0d3e289e8"
@@ -68,6 +69,11 @@ ram.runtime = "2G"
     [resources.permissions]
     main.url = "/"
 
+    admin.allowed = "admins"
+    admin.show_tile = false
+    admin.auth_header = false
+    admin.protected = true
+
     [resources.apt]
     packages = "postgresql"
 

scripts/install

@@ -99,7 +99,7 @@ ynh_add_fail2ban_config --logpath "/var/log/$app/forgejo.log" --failregex ".*Fai
 ynh_script_progression --message="Adding LDAP configuration..." --weight=1
 
 pushd "$install_dir"
-	ynh_exec_as $app ./forgejo admin auth add-ldap --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-filter "(&(uid=%s)(objectClass=posixAccount)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" --admin-filter "(permission=cn=$app.admin,ou=permission,dc=yunohost,dc=org)"
+	ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail"
 popd
 
 #=================================================

scripts/upgrade

@@ -28,6 +28,18 @@ ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
 #=================================================
 ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
 
+# Update forgejo login source
+pushd "$install_dir"
+    old_login_source_id=$(ynh_exec_as $app ./forgejo admin auth list | grep "YunoHost LDAP" | grep "via BindDN" | cut -f 1)
+    if [ ! -z $old_login_source_id ]; then
+        # Delete old login source
+        ynh_exec_as $app ./forgejo admin auth delete --id $old_login_source_id
+
+        # Create new login source
+	    ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail"
+    fi
+popd
+
 # forgejo home directory has changed (yunohost packaging v2)
 # .ssh directory should move from old home dir (data_dir) to new one
 # (/var/www/$app is the default value for home in resources.system_user)