mirror of https://github.com/YunoHost-Apps/ihatemoney_ynh.git synced 2024-09-03 19:26:15 +02:00

Manage ADMIN_PASSWORD

yalh76 2022-06-14 00:13:19 +02:00
parent fcb0b1150c
commit b56654d4c1
9 changed files with 97 additions and 64 deletions


@ -3,6 +3,7 @@
domain="domain.tld" domain="domain.tld"
path="/path" path="/path"
is_public=1 is_public=1
password="1Strong-Password"
; Checks ; Checks
pkg_linter=1 pkg_linter=1
setup_sub_dir=1 setup_sub_dir=1

5
conf/hash_generator.py Normal file

@ -0,0 +1,5 @@
#!/usr/bin/env python
import sys
from werkzeug.security import generate_password_hash
print(generate_password_hash(sys.argv[1]))
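Review bot: The plaintext password is taken from `sys.argv[1]`, and command-line arguments are readable by other local users through the process list for as long as the hash is being computed. Reading it from standard input avoids that: `password = sys.stdin.readline().rstrip("\n")` followed by `print(generate_password_hash(password))`, with the callers piping the value in. A missing argument currently ends in a bare `IndexError` traceback, and the shebang says `python` although the scripts invoke the file with `python3`. A one-line module docstring saying that the output is the value stored in `ADMIN_PASSWORD` would also help.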


@ -3,10 +3,10 @@ SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://__DB_USER__:__DB_PWD__@localhost/__DB
SQLACHEMY_ECHO = False SQLACHEMY_ECHO = False
SQLALCHEMY_TRACK_MODIFICATIONS = False SQLALCHEMY_TRACK_MODIFICATIONS = False
SECRET_KEY = "__SECRET_KEY__" SECRET_KEY = "__SECRET_KEY__"
MAIL_DEFAULT_SENDER = "Budget manager <__MAILS_SENDER__>" MAIL_DEFAULT_SENDER = "Budget manager <no-reply@__DOMAIN__>"
SHOW_ADMIN_EMAIL = False SHOW_ADMIN_EMAIL = False
ACTIVATE_DEMO_PROJECT = False ACTIVATE_DEMO_PROJECT = False
ADMIN_PASSWORD = "RaidW00d" ADMIN_PASSWORD = "__HASHED_PASSWORD__"
ALLOW_PUBLIC_PROJECT_CREATION = True ALLOW_PUBLIC_PROJECT_CREATION = True
ACTIVATE_ADMIN_DASHBOARD = True ACTIVATE_ADMIN_DASHBOARD = True
SESSION_COOKIE_SECURE = True SESSION_COOKIE_SECURE = True
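Review bot: The template gives no hint that `ADMIN_PASSWORD` must now hold a Werkzeug password hash rather than the password itself, which matters because the line it replaces held a readable literal and someone editing the rendered file by hand may do the same again. I would add a comment above the setting such as `# Werkzeug hash produced by conf/hash_generator.py, never the plaintext password`. Separately, the context line `SQLACHEMY_ECHO` looks misspelled (the neighbouring keys use `SQLALCHEMY_`), so that setting is probably ignored.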


@ -50,6 +50,10 @@
"fr": "Les projets ihatemoney sont protégés par un mot de passe dans tous les cas" "fr": "Les projets ihatemoney sont protégés par un mot de passe dans tous les cas"
}, },
"default": true "default": true
},
{
"name": "password",
"type": "password"
} }
] ]
} }


@ -23,6 +23,8 @@ app=$YNH_APP_INSTANCE_NAME
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
hashed_password=$(ynh_app_setting_get --app=$app --key=hashed_password)
#================================================= #=================================================
# LOAD SETTINGS # LOAD SETTINGS
@ -115,18 +117,12 @@ fi
path_url="$new_path" path_url="$new_path"
domain="$new_domain" domain="$new_domain"
# Secret key for cookies encryption.
secret_key=$(ynh_string_random --length 32)
mails_sender="no-reply@$domain"
# Allows to comment some config lines if not using sub path # Allows to comment some config lines if not using sub path
sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)" sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"
ynh_backup_if_checksum_is_different --file="$final_path/ihatemoney.cfg" ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
ynh_add_config --template ../conf/ihatemoney.cfg --destination "$final_path/ihatemoney.cfg" chmod 640 "$final_path/ihatemoney.cfg"
chown $app:$app "$final_path/ihatemoney.cfg"
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
#================================================= #=================================================
# GENERIC FINALISATION # GENERIC FINALISATION
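Review bot: `secret_key` and `hashed_password` are read from the app settings in the first hunk and rendered into `ihatemoney.cfg` in the second without any check that they exist. An instance installed before this commit has neither setting until its upgrade script has run (that script has `-z` fallbacks for both), so running this script first would presumably write an empty `SECRET_KEY` and an empty `ADMIN_PASSWORD` into the live config. A guard right after the two reads makes the dependency explicit: `[ -n "$secret_key" ] && [ -n "$hashed_password" ] || ynh_die --message="Please upgrade $app before changing its URL"`. The `chown $app:$app` line would also be safer with the variable quoted.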


@ -26,8 +26,13 @@ ynh_abort_if_errors
domain=$YNH_APP_ARG_DOMAIN domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH path_url=$YNH_APP_ARG_PATH
is_public=$YNH_APP_ARG_IS_PUBLIC is_public=$YNH_APP_ARG_IS_PUBLIC
password=$YNH_APP_ARG_PASSWORD
app=$YNH_APP_INSTANCE_NAME app=$YNH_APP_INSTANCE_NAME
# Secret key for cookies encryption.
secret_key=$(ynh_string_random --length=32)
#================================================= #=================================================
# CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
#================================================= #=================================================
@ -46,6 +51,7 @@ ynh_script_progression --message="Storing installation settings..." --weight=1
ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
#================================================= #=================================================
# STANDARD MODIFICATIONS # STANDARD MODIFICATIONS
@ -73,20 +79,24 @@ db_name=$(ynh_sanitize_dbid --db_name=$app)
db_user=$db_name db_user=$db_name
ynh_app_setting_set --app=$app --key=db_name --value=$db_name ynh_app_setting_set --app=$app --key=db_name --value=$db_name
ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
# defines $db_pwd and setting mysqlpwd db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
#================================================= #=================================================
# SPECIFIC SETUP # SPECIFIC SETUP
#================================================= #=================================================
# Init venv # BUILD VENV
#================================================= #=================================================
ynh_script_progression --message="Configuring the app's installation..." --weight=6 ynh_script_progression --message="Building venv..." --weight=6
ynh_app_setting_set --app=$app --key=final_path --value=$final_path ynh_app_setting_set --app=$app --key=final_path --value=$final_path
__ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}" __ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}"
python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv") python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv")
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
#================================================= #=================================================
@ -97,35 +107,32 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=1
ynh_add_nginx_config ynh_add_nginx_config
#================================================= #=================================================
# Setup gunicorn # ADD A CONFIGURATION
#================================================= #=================================================
ynh_script_progression --message="Adding a configuration file..."
ynh_add_config --template ../conf/gunicorn.conf.py --destination "$final_path/gunicorn.conf.py" #run source in a 'sub shell'
chmod 644 "$final_path/gunicorn.conf.py" (
set +o nounset
source "${final_path}/venv/bin/activate"
set -o nounset
python3 ../conf/hash_generator.py $password > ${final_path}/key.txt
)
#================================================= hashed_password=$(cat $final_path/key.txt)
# Setup ihatemoney ynh_secure_remove --file="$final_path/key.txt"
#================================================= ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password
ynh_add_config --template="../conf/gunicorn.conf.py" --destination="$final_path/gunicorn.conf.py"
chmod 640 "$final_path/gunicorn.conf.py"
chown $app:$app "$final_path/gunicorn.conf.py"
# Secret key for cookies encryption.
secret_key=$(ynh_string_random --length 32)
mails_sender="no-reply@$domain"
# Allows to comment some config lines if not using sub path # Allows to comment some config lines if not using sub path
sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)" sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"
ynh_add_config --template ../conf/ihatemoney.cfg --destination "$final_path/ihatemoney.cfg" ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
chmod 640 "$final_path/ihatemoney.cfg" chmod 640 "$final_path/ihatemoney.cfg"
chown $app:$app "$final_path/ihatemoney.cfg"
# FIXME: this should be managed by the core in the future
# Here, as a packager, you may have to tweak the ownerhsip/permissions
# such that the appropriate users (e.g. maybe www-data) can access
# files in some cases.
# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
# this will be treated as a security issue.
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
#================================================= #=================================================
# SETUP SYSTEMD # SETUP SYSTEMD
@ -150,7 +157,7 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste
ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_script_progression --message="Starting a systemd service..." --weight=1
# Start a systemd service # Start a systemd service
ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at"
# line_match isn't enough because ihatemoney may stop if database upgrades # line_match isn't enough because ihatemoney may stop if database upgrades
for _ in {1..20}; do for _ in {1..20}; do
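Review bot: `$password` is expanded unquoted in `python3 ../conf/hash_generator.py $password > ${final_path}/key.txt`, so an admin password containing a space or a glob character is split before hashing and the stored hash will not match what the admin typed. The detour through `key.txt` and the activated subshell is not needed either; the venv interpreter can be called directly and its output captured: `hashed_password=$("$final_path/venv/bin/python3" ../conf/hash_generator.py "$password")`. That also avoids leaving the hash on disk if the script aborts between the write and `ynh_secure_remove`. The password still travels on the command line, where the process list shows it, so feeding it on standard input would be the better follow-up. The second hunk of the upgrade script repeats the same unquoted call and temporary file.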


@ -79,7 +79,7 @@ ynh_remove_app_dependencies
#================================================= #=================================================
# REMOVE VARIOUS FILES # REMOVE VARIOUS FILES
#================================================= #=================================================
ynh_script_progression --message="Removing configuration files..." --weight=1 ynh_script_progression --message="Removing various files..." --weight=1
# Remove the log files # Remove the log files
ynh_secure_remove --file="/var/log/$app" ynh_secure_remove --file="/var/log/$app"


@ -108,7 +108,7 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste
#================================================= #=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at"
# line_match isn't enough because ihatemoney may stop if database upgrades # line_match isn't enough because ihatemoney may stop if database upgrades
for _ in {1..20}; do for _ in {1..20}; do


@ -22,6 +22,8 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_user=$db_name db_user=$db_name
db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd) db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
hashed_password=$(ynh_app_setting_get --app=$app --key=hashed_password)
#================================================= #=================================================
# CHECK VERSION # CHECK VERSION
@ -104,6 +106,29 @@ if [[ "$upgrade_from_opt" == "true" ]]; then
ynh_app_setting_set --app=$app --key=db_name --value=$db_name ynh_app_setting_set --app=$app --key=db_name --value=$db_name
fi fi
# If secret_key doesn't exist, create it
if [ -z "$secret_key" ]; then
secret_key=$(ynh_string_random --length=32)
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
fi
# If hashed_password doesn't exist, create it
if [ -z "$hashed_password" ]; then
password=$(ynh_string_random --length=8)
#run source in a 'sub shell'
(
set +o nounset
source "${final_path}/venv/bin/activate"
set -o nounset
python3 ../conf/hash_generator.py $password > ${final_path}/key.txt
)
hashed_password=$(cat $final_path/key.txt)
ynh_secure_remove --file="$final_path/key.txt"
ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password
ynh_script_progression --message="A new password for $app has been generated, it's $password ..."
fi
#================================================= #=================================================
# CREATE DEDICATED USER # CREATE DEDICATED USER
#================================================= #=================================================
@ -122,17 +147,18 @@ ynh_install_app_dependencies "${pkg_dependencies[@]}"
#================================================= #=================================================
# SPECIFIC UPGRADE # SPECIFIC UPGRADE
#================================================= #=================================================
# Init venv # BUILD VENV
#================================================= #=================================================
ynh_script_progression --message="Configuring the app's installation..." --weight=6 ynh_script_progression --message="Building venv..." --weight=6
ynh_app_setting_set --app=$app --key=final_path --value=$final_path ynh_secure_remove --file="$final_path/venv"
__ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}"
# MIGRATION: Upgrade venv
python3 -m venv --upgrade "$final_path/venv"
"$final_path/venv/bin/python3" -m pip install --upgrade pip "${pip_dependencies[@]}"
python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv") python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv")
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
#================================================= #=================================================
# NGINX CONFIGURATION # NGINX CONFIGURATION
#================================================= #=================================================
@ -140,31 +166,23 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." -
# Create a dedicated NGINX config # Create a dedicated NGINX config
## Needs $python_venv_site_packages ## Needs $python_venv_site_packages
ynh_add_nginx_config "PYTHON_VERSION" ynh_add_nginx_config
#================================================= #=================================================
# Setup gunicorn # UPDATE A CONFIG FILE
#================================================= #=================================================
ynh_script_progression --message="Updating a configuration file..."
ynh_add_config --template ../conf/gunicorn.conf.py --destination "$final_path/gunicorn.conf.py" ynh_add_config --template="../conf/gunicorn.conf.py" --destination="$final_path/gunicorn.conf.py"
chmod 600 "$final_path/gunicorn.conf.py" chmod 640 "$final_path/gunicorn.conf.py"
chown $app:$app "$final_path/gunicorn.conf.py"
#=================================================
# Setup ihatemoney
#=================================================
# Secret key for cookies encryption.
secret_key=$(ynh_string_random --length 32)
mails_sender="no-reply@$domain"
# Allows to comment some config lines if not using sub path # Allows to comment some config lines if not using sub path
sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)" sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"
ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg" ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
chmod 600 "$final_path/ihatemoney.cfg" chmod 640 "$final_path/ihatemoney.cfg"
chown $app:$app "$final_path/ihatemoney.cfg"
chmod 750 "$final_path"
chmod -R o-rwx "$final_path"
chown -R $app:www-data "$final_path"
#================================================= #=================================================
# SETUP SYSTEMD # SETUP SYSTEMD
@ -188,11 +206,13 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste
#================================================= #=================================================
ynh_script_progression --message="Starting a systemd service..." --weight=1 ynh_script_progression --message="Starting a systemd service..." --weight=1
ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30 ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at"
# line_match isn't enough because ihatemoney may stop if database upgrades # line_match isn't enough because ihatemoney may stop if database upgrades
# FIXME: We need to wait for the db to upgrade and gunicorn to restart! for _ in {1..20}; do
sleep 3 test -S /tmp/budget.gunicorn_$app.sock && break
sleep 1
done
#================================================= #=================================================
# RELOAD NGINX # RELOAD NGINX
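Review bot: The fallback in the second hunk puts the generated admin password into the progress message (`ynh_script_progression --message="A new password for $app has been generated, it's $password ..."`). Progress messages are presumably kept in the operation log, so the plaintext would outlive the upgrade and travel with any log an admin shares for support. It is also only 8 characters long (`ynh_string_random --length=8`) although it guards the admin dashboard. I would generate it with `--length=24`, deliver it through a channel that is not logged (for example a mail to the server admin), and keep only "a new admin password was generated" in the progress message. The same block activates `$final_path/venv` before the BUILD VENV step recreates it, so it relies on the pre-upgrade venv already providing werkzeug; that is worth confirming for the `upgrade_from_opt` path.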