From b56654d4c1698464e59169985eaf33c6e87a8e16 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Tue, 14 Jun 2022 00:13:19 +0200 Subject: [PATCH] Manage ADMIN_PASSWORD --- check_process | 1 + conf/hash_generator.py | 5 +++ conf/ihatemoney.cfg | 4 +-- manifest.json | 4 +++ scripts/change_url | 14 +++----- scripts/install | 57 ++++++++++++++++++--------------- scripts/remove | 2 +- scripts/restore | 2 +- scripts/upgrade | 72 +++++++++++++++++++++++++++--------------- 9 files changed, 97 insertions(+), 64 deletions(-) create mode 100644 conf/hash_generator.py diff --git a/check_process b/check_process index 2701aec..e23751c 100644 --- a/check_process +++ b/check_process @@ -3,6 +3,7 @@ domain="domain.tld" path="/path" is_public=1 + password="1Strong-Password" ; Checks pkg_linter=1 setup_sub_dir=1 diff --git a/conf/hash_generator.py b/conf/hash_generator.py new file mode 100644 index 0000000..5b021b7 --- /dev/null +++ b/conf/hash_generator.py @@ -0,0 +1,5 @@ +#!/usr/bin/env python +import sys +from werkzeug.security import generate_password_hash + +print(generate_password_hash(sys.argv[1])) diff --git a/conf/ihatemoney.cfg b/conf/ihatemoney.cfg index 74fb80b..bfd5b90 100644 --- a/conf/ihatemoney.cfg +++ b/conf/ihatemoney.cfg @@ -3,10 +3,10 @@ SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://__DB_USER__:__DB_PWD__@localhost/__DB SQLACHEMY_ECHO = False SQLALCHEMY_TRACK_MODIFICATIONS = False SECRET_KEY = "__SECRET_KEY__" -MAIL_DEFAULT_SENDER = "Budget manager <__MAILS_SENDER__>" +MAIL_DEFAULT_SENDER = "Budget manager " SHOW_ADMIN_EMAIL = False ACTIVATE_DEMO_PROJECT = False -ADMIN_PASSWORD = "RaidW00d" +ADMIN_PASSWORD = "__HASHED_PASSWORD__" ALLOW_PUBLIC_PROJECT_CREATION = True ACTIVATE_ADMIN_DASHBOARD = True SESSION_COOKIE_SECURE = True diff --git a/manifest.json b/manifest.json index 8310e5a..62ebc25 100644 --- a/manifest.json +++ b/manifest.json 
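Review bot: The password is taken from `sys.argv[1]`, so for the lifetime of the process it is visible to every local user through the process list (`ps`, `/proc/<pid>/cmdline`), and the callers in scripts/install and scripts/upgrade pass the plaintext admin password exactly this way. Reading it from stdin avoids that: `print(generate_password_hash(sys.stdin.readline().rstrip("\n")))`, with the callers piping `printf '%s' "$password" | python3 ../conf/hash_generator.py`. If argv is kept, there is no guard for a missing argument — both callers expand `$password` unquoted, so an empty value yields no argument at all and the script dies with an `IndexError` instead of a readable message; `if len(sys.argv) != 2: sys.exit("usage: hash_generator.py PASSWORD")` would make that failure obvious in the install log. The `#!/usr/bin/env python` shebang is never used, since both callers invoke the file with `python3` explicitly.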
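Review bot: The new `MAIL_DEFAULT_SENDER = "Budget manager "` has no address part: the `<__MAILS_SENDER__>` placeholder was dropped together with the `mails_sender=` variable removed from install, upgrade and change_url, so as rendered here the value is a bare display name with a trailing space, which Flask-Mail will presumably not accept as a sender (unless the committed line contained an angle-bracketed address that this rendering lost). Since `domain` is in scope in all three scripts, `MAIL_DEFAULT_SENDER = "Budget manager <no-reply@__DOMAIN__>"` keeps the previous behaviour without a dedicated variable. The `__HASHED_PASSWORD__` substitution itself looks sound for werkzeug hashes, which contain `$` but no whitespace; a one-line comment above it, `# werkzeug password hash, produced by conf/hash_generator.py at install/upgrade`, would stop the next packager from putting a plaintext value there as the old `RaidW00d` line did.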
@@ -50,6 +50,10 @@ "fr": "Les projets ihatemoney sont protégés par un mot de passe dans tous les cas" }, "default": true + }, + { + "name": "password", + "type": "password" } ] } diff --git a/scripts/change_url b/scripts/change_url index 2ca3679..d908eee 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -23,6 +23,8 @@ app=$YNH_APP_INSTANCE_NAME db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_user=$db_name db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) +secret_key=$(ynh_app_setting_get --app=$app --key=secret_key) +hashed_password=$(ynh_app_setting_get --app=$app --key=hashed_password) #================================================= # LOAD SETTINGS @@ -115,18 +117,12 @@ fi path_url="$new_path" domain="$new_domain" -# Secret key for cookies encryption. -secret_key=$(ynh_string_random --length 32) -mails_sender="no-reply@$domain" # Allows to comment some config lines if not using sub path sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)" -ynh_backup_if_checksum_is_different --file="$final_path/ihatemoney.cfg" -ynh_add_config --template ../conf/ihatemoney.cfg --destination "$final_path/ihatemoney.cfg" - -chmod 750 "$final_path" -chmod -R o-rwx "$final_path" -chown -R $app:www-data "$final_path" +ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg" +chmod 640 "$final_path/ihatemoney.cfg" +chown $app:$app "$final_path/ihatemoney.cfg" #================================================= # GENERIC FINALISATION diff --git a/scripts/install b/scripts/install index d6b8fda..8aafc84 100755 --- a/scripts/install +++ b/scripts/install 
@@ -26,8 +26,13 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH is_public=$YNH_APP_ARG_IS_PUBLIC +password=$YNH_APP_ARG_PASSWORD + app=$YNH_APP_INSTANCE_NAME +# Secret key for cookies encryption. +secret_key=$(ynh_string_random --length=32) + #================================================= # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS #================================================= @@ -46,6 +51,7 @@ ynh_script_progression --message="Storing installation settings..." --weight=1 ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url +ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key #================================================= # STANDARD MODIFICATIONS @@ -73,20 +79,24 @@ db_name=$(ynh_sanitize_dbid --db_name=$app) db_user=$db_name ynh_app_setting_set --app=$app --key=db_name --value=$db_name ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name -# defines $db_pwd and setting mysqlpwd +db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) #================================================= # SPECIFIC SETUP #================================================= -# Init venv +# BUILD VENV #================================================= -ynh_script_progression --message="Configuring the app's installation..." --weight=6 +ynh_script_progression --message="Building venv..." --weight=6 ynh_app_setting_set --app=$app --key=final_path --value=$final_path __ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}" python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv") +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" + #================================================= # NGINX CONFIGURATION #================================================= 
@@ -97,35 +107,32 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=1 ynh_add_nginx_config #================================================= -# Setup gunicorn +# ADD A CONFIGURATION #================================================= +ynh_script_progression --message="Adding a configuration file..." -ynh_add_config --template ../conf/gunicorn.conf.py --destination "$final_path/gunicorn.conf.py" -chmod 644 "$final_path/gunicorn.conf.py" +#run source in a 'sub shell' +( + set +o nounset + source "${final_path}/venv/bin/activate" + set -o nounset + python3 ../conf/hash_generator.py $password > ${final_path}/key.txt +) -#================================================= -# Setup ihatemoney -#================================================= +hashed_password=$(cat $final_path/key.txt) +ynh_secure_remove --file="$final_path/key.txt" +ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password + +ynh_add_config --template="../conf/gunicorn.conf.py" --destination="$final_path/gunicorn.conf.py" +chmod 640 "$final_path/gunicorn.conf.py" +chown $app:$app "$final_path/gunicorn.conf.py" -# Secret key for cookies encryption. -secret_key=$(ynh_string_random --length 32) -mails_sender="no-reply@$domain" # Allows to comment some config lines if not using sub path sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)" -ynh_add_config --template ../conf/ihatemoney.cfg --destination "$final_path/ihatemoney.cfg" +ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg" chmod 640 "$final_path/ihatemoney.cfg" - - -# FIXME: this should be managed by the core in the future -# Here, as a packager, you may have to tweak the ownerhsip/permissions -# such that the appropriate users (e.g. maybe www-data) can access -# files in some cases. -# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - -# this will be treated as a security issue. 
-chmod 750 "$final_path" -chmod -R o-rwx "$final_path" -chown -R $app:www-data "$final_path" +chown $app:$app "$final_path/ihatemoney.cfg" #================================================= # SETUP SYSTEMD @@ -150,7 +157,7 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste ynh_script_progression --message="Starting a systemd service..." --weight=1 # Start a systemd service -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30 +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at" # line_match isn't enough because ihatemoney may stop if database upgrades for _ in {1..20}; do diff --git a/scripts/remove b/scripts/remove index 85a39fe..d86d733 100755 --- a/scripts/remove +++ b/scripts/remove @@ -79,7 +79,7 @@ ynh_remove_app_dependencies #================================================= # REMOVE VARIOUS FILES #================================================= -ynh_script_progression --message="Removing configuration files..." --weight=1 +ynh_script_progression --message="Removing various files..." --weight=1 # Remove the log files ynh_secure_remove --file="/var/log/$app" diff --git a/scripts/restore b/scripts/restore index 1bfad6c..e1beb8d 100755 --- a/scripts/restore +++ b/scripts/restore @@ -108,7 +108,7 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30 +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at" # line_match isn't enough because ihatemoney may stop if database upgrades for _ in {1..20}; do diff --git a/scripts/upgrade b/scripts/upgrade index f09e760..309ca1a 100644 
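Review bot: `python3 ../conf/hash_generator.py $password > ${final_path}/key.txt` expands `$password` unquoted, so a password containing spaces or glob characters is split or expanded before hashing and the stored hash will never match what the admin typed; the same line appears in the scripts/upgrade hunk that generates a password when `hashed_password` is unset. The plaintext also sits on the `python3` command line, visible in the process list while it runs, and the hash is round-tripped through a root-created `key.txt` inside `$final_path` before `ynh_secure_remove`. Capturing the script's output with command substitution and quoting the variables removes the temp file; once hash_generator.py reads stdin, the call becomes `printf '%s' "$password" | python3 ../conf/hash_generator.py` and the argv exposure goes too. `ynh_app_setting_set --value=$hashed_password` should likewise quote its value, since werkzeug hashes contain `$`.
```shell
# Hash the admin password with the venv's werkzeug and capture the result
# directly: no key.txt on disk, no unquoted expansion of the password.
hashed_password=$(
    set +o nounset
    source "${final_path}/venv/bin/activate"
    set -o nounset
    python3 ../conf/hash_generator.py "$password"
)
ynh_app_setting_set --app=$app --key=hashed_password --value="$hashed_password"
# … unchanged: gunicorn.conf.py and ihatemoney.cfg templating …
```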
--- a/scripts/upgrade +++ b/scripts/upgrade @@ -22,6 +22,8 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_user=$db_name db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) +secret_key=$(ynh_app_setting_get --app=$app --key=secret_key) +hashed_password=$(ynh_app_setting_get --app=$app --key=hashed_password) #================================================= # CHECK VERSION @@ -104,6 +106,29 @@ if [[ "$upgrade_from_opt" == "true" ]]; then ynh_app_setting_set --app=$app --key=db_name --value=$db_name fi +# If secret_key doesn't exist, create it +if [ -z "$secret_key" ]; then + secret_key=$(ynh_string_random --length=32) + ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key +fi + +# If hashed_password doesn't exist, create it +if [ -z "$hashed_password" ]; then + password=$(ynh_string_random --length=8) + #run source in a 'sub shell' + ( + set +o nounset + source "${final_path}/venv/bin/activate" + set -o nounset + python3 ../conf/hash_generator.py $password > ${final_path}/key.txt + ) + + hashed_password=$(cat $final_path/key.txt) + ynh_secure_remove --file="$final_path/key.txt" + ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password + ynh_script_progression --message="A new password for $app has been generated, it's $password ..." +fi + #================================================= # CREATE DEDICATED USER #================================================= 
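Review bot: `ynh_script_progression --message="A new password for $app has been generated, it's $password ..."` writes the freshly generated admin password into the YunoHost operation log, where it remains readable after the upgrade and travels with any log the admin shares for support; unlike values passed to `ynh_app_setting_set`, this local variable is presumably not caught by the core's log redaction. `ynh_string_random --length=8` is also short for the credential that guards the admin dashboard. Since no one knows the old plaintext anyway, generate a longer value (`--length=24`) and keep it out of the progression message; if the admin must be able to learn it, storing it as a `*_password` setting (root-only settings file, and presumably redacted in logs) and telling them to read it with `yunohost app setting $app admin_password` is preferable to printing it. The `if [ -z "$hashed_password" ]` block hashes with the venv that `ynh_secure_remove` deletes two hunks later, which is the right order, but a comment saying so (`# hash with the existing venv; it is rebuilt below`) would keep a future reorder from breaking it.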
@@ -122,17 +147,18 @@ ynh_install_app_dependencies "${pkg_dependencies[@]}" #================================================= # SPECIFIC UPGRADE #================================================= -# Init venv +# BUILD VENV #================================================= -ynh_script_progression --message="Configuring the app's installation..." --weight=6 +ynh_script_progression --message="Building venv..." --weight=6 -ynh_app_setting_set --app=$app --key=final_path --value=$final_path - -# MIGRATION: Upgrade venv -python3 -m venv --upgrade "$final_path/venv" -"$final_path/venv/bin/python3" -m pip install --upgrade pip "${pip_dependencies[@]}" +ynh_secure_remove --file="$final_path/venv" +__ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}" python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv") +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" + #================================================= # NGINX CONFIGURATION #================================================= 
@@ -140,31 +166,23 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." - # Create a dedicated NGINX config ## Needs $python_venv_site_packages -ynh_add_nginx_config "PYTHON_VERSION" +ynh_add_nginx_config #================================================= -# Setup gunicorn +# UPDATE A CONFIG FILE #================================================= +ynh_script_progression --message="Updating a configuration file..." -ynh_add_config --template ../conf/gunicorn.conf.py --destination "$final_path/gunicorn.conf.py" -chmod 600 "$final_path/gunicorn.conf.py" +ynh_add_config --template="../conf/gunicorn.conf.py" --destination="$final_path/gunicorn.conf.py" +chmod 640 "$final_path/gunicorn.conf.py" +chown $app:$app "$final_path/gunicorn.conf.py" -#================================================= -# Setup ihatemoney -#================================================= - -# Secret key for cookies encryption. -secret_key=$(ynh_string_random --length 32) -mails_sender="no-reply@$domain" # Allows to comment some config lines if not using sub path sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)" ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg" -chmod 600 "$final_path/ihatemoney.cfg" - -chmod 750 "$final_path" -chmod -R o-rwx "$final_path" -chown -R $app:www-data "$final_path" +chmod 640 "$final_path/ihatemoney.cfg" +chown $app:$app "$final_path/ihatemoney.cfg" #================================================= # SETUP SYSTEMD 
@@ -188,11 +206,13 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste #================================================= ynh_script_progression --message="Starting a systemd service..." --weight=1 -ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30 +ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at" # line_match isn't enough because ihatemoney may stop if database upgrades -# FIXME: We need to wait for the db to upgrade and gunicorn to restart! -sleep 3 +for _ in {1..20}; do + test -S /tmp/budget.gunicorn_$app.sock && break + sleep 1 +done #================================================= # RELOAD NGINX