From 8b5577525d97800c3741e42692ffc2410bc001de Mon Sep 17 00:00:00 2001
From: Emmanuel Averty
Date: Sun, 25 Jun 2023 12:11:59 +0200
Subject: [PATCH] update login source to ldap-simple
---
doc/ADMIN.md | 10 ++++++++++
manifest.toml | 18 ++++++++++++------
scripts/install | 2 +-
scripts/upgrade | 12 ++++++++++++
4 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/doc/ADMIN.md b/doc/ADMIN.md
index 3ab6c7f..64f8110 100644
--- a/doc/ADMIN.md
+++ b/doc/ADMIN.md
@@ -1,5 +1,15 @@
## Additional informations
+### Known issue about admin access
+This package ask during its installation which group of users should be considered as forgejo administrators. These users should be able to access the admin page of forgejo. But they won't :(
+Two forgejo features are not yet compatible :
+- the reverse proxy authentication (which allows yunohost user to be automatically logged in forgejo)
+- the login source (which tells forgejo to check yunohost users base to know if it is an admin or not)
+
+The choice have been done to keep the reverse proxy authentication. But an [issue](https://codeberg.org/forgejo/forgejo/issues/930) is created to have both features.
+
+In conclusion, this forgejo installation does not (yet) allow to access the forgejo admin page.
+
### Notes on SSH usage
If you want to use Forgejo with SSH and be able to pull/push with your SSH key, your SSH daemon must be properly configured to use private/public keys. Here is a sample configuration `/etc/ssh/sshd_config` that works with Forgejo:
diff --git a/manifest.toml b/manifest.toml
index 64cb608..0a766fb 100644
--- a/manifest.toml
+++ b/manifest.toml
@@ -5,7 +5,7 @@
name = "Forgejo"
description.en = "Lightweight software forge"
description.fr = "Forge logiciel légère"
-version = "1.19.3-0~ynh1"
+version = "1.19.3-0~ynh2"
maintainers = ["Emmanuel Averty"]
@@ -34,15 +34,16 @@ ram.runtime = "2G"
type = "path"
default = "/forgejo"
- [install.admin]
- type = "user"
- [install.init_main_permission]
- help.en = "If enabled, Forgejo will be accessible by people who do not have an account. This can be changed later via the webadmin."
- help.fr = "Si cette case est cochée, Forgejo sera accessible aux personnes n’ayant pas de compte. Vous pourrez changer ceci plus tard via la webadmin."
type = "group"
default = "visitors"
+ [install.init_admin_permission]
+ help.en = "Users of this group should have access to Forgejo admin page (but the won't : see application description in yunohost admin)"
+ help.fr = "Les utilisateurs de ce groupe devrait avoir accès à la page d'administration de Forgejo (mais cela ne fonctionne pas : voir la description de l'application dans l'administration de yunohost"
+ type = "group"
+ default = "admins"
+
[resources]
[resources.sources.main]
amd64.url = "https://codeberg.org/attachments/8dc303a9-8a4e-416c-8d6c-62e0d3e289e8"
@@ -68,6 +69,11 @@ ram.runtime = "2G"
[resources.permissions]
main.url = "/"
+ admin.allowed = "admins"
+ admin.show_tile = false
+ admin.auth_header = false
+ admin.protected = true
+
[resources.apt]
packages = "postgresql"
diff --git a/scripts/install b/scripts/install
index 243f1b4..62ec90e 100644
--- a/scripts/install
+++ b/scripts/install
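Review bot: As rendered, the hunk marks the `[install.init_main_permission]` header and its two `help.*` lines as removed while keeping `type = "group"` and `default = "visitors"` as context, so those two keys would fall under the preceding `[install.path]` table, which already defines `type`; a duplicate key is invalid TOML and the visitors-permission question would silently disappear from the installer. The hunk counts (5 deletions, 6 additions) are consistent with that reading, but the rendering has lost whitespace, so confirm against the real file before acting on it. The new help texts also carry defects: `help.en` reads "but the won't" and `help.fr` never closes the parenthesis opened at "(mais cela ne fonctionne pas". Suggested wording: `help.en = "Users of this group are granted the Forgejo admin permission (access to the admin page does not yet work: see the application description in the YunoHost admin)"`.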
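Review bot: `admin.allowed = "admins"` in `[resources.permissions]` statically grants the new admin permission to the `admins` group, while the installer question `[install.init_admin_permission]` added above lets the administrator pick a different group; nothing in this diff consumes that answer (`init_admin_permission` is not a name the packaging applies on its own, unlike `init_main_permission`), so unless scripts/install does it outside the shown hunk, the chosen group has no effect and the permission always lands on `admins`. Since this permission is what the LDAP `--admin-filter` keys on, a silently ignored answer means admin rights are granted to a group the operator did not select. A comment above the key stating the intended coupling would help, e.g. `# Initial holder of the admin permission; the install script re-applies the init_admin_permission answer`, and the install script should be checked for that step.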
@@ -99,7 +99,7 @@ ynh_add_fail2ban_config --logpath "/var/log/$app/forgejo.log" --failregex ".*Fai
ynh_script_progression --message="Adding LDAP configuration..." --weight=1
pushd "$install_dir"
- ynh_exec_as $app ./forgejo admin auth add-ldap --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-filter "(&(uid=%s)(objectClass=posixAccount)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" --admin-filter "(permission=cn=$app.admin,ou=permission,dc=yunohost,dc=org)"
+ ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail"
popd
#=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 88afa1b..8eb2520 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
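Review bot: The new `--admin-filter` hardcodes `cn=forgejo.admin` where the replaced line used `cn=$app.admin`, and the `--user-filter` on the same line still uses `$app.main`; on a second instance (`$app` set to something like `forgejo__2`) the admin flag is therefore read from the first instance's permission, so admins of one instance become admins of the other, or nobody becomes admin at all. Restore the variable: `--admin-filter "(permission=cn=$app.admin,ou=permission,dc=yunohost,dc=org)"`. The identical literal appears in the scripts/upgrade hunk and needs the same change. The `%s` placeholders in `--user-dn` and `--user-filter` are expanded by Forgejo rather than the shell, so they are correct inside double quotes; a one-line comment above the command would save the next reader that check, e.g. `# %s is substituted by Forgejo with the login name; $app.* are YunoHost permission names`.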
@@ -28,6 +28,18 @@ ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
#=================================================
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
+# Update forgejo login source
+pushd "$install_dir"
+ old_login_source_id=$(ynh_exec_as $app ./forgejo admin auth list | grep "YunoHost LDAP" | grep "via BindDN" | cut -f 1)
+ if [ ! -z $old_login_source_id ]; then
+ # Delete old login source
+ ynh_exec_as $app ./forgejo admin auth delete --id $old_login_source_id
+
+ # Create new login source
+ ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail"
+ fi
+popd
+
# forgejo home directory has changed (yunohost packaging v2)
# .ssh directory should move from old home dir (data_dir) to new one
# (/var/www/$app is the default value for home in resources.system_user)
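Review bot: The migration is not re-runnable: once the BindDN source has been replaced, `grep "via BindDN"` matches nothing and exits 1, and if this script runs under `ynh_abort_if_errors` (which enables `set -e` and `pipefail`; not visible in the hunk) the failing command substitution aborts every subsequent upgrade. Append `|| true` to the pipeline and quote the test: `old_login_source_id=$(ynh_exec_as $app ./forgejo admin auth list | grep "YunoHost LDAP" | grep "via BindDN" | cut -f 1 || true)` and `if [ -n "$old_login_source_id" ]; then`. Quoting also matters because `cut -f 1` returns one ID per matching row, and several matches would be word-split into `[ ! -z ... ]` (a "too many arguments" error) and into `delete --id`; narrow the selection with `head -n 1` or abort when more than one source matches. The `pushd`/`popd` block is complete within the hunk.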