Manage ADMIN_PASSWORD

2024-09-03 19:26:15 +02:00 · 2022-06-14 00:13:19 +02:00 · 2022-06-14 00:13:19 +02:00 · b56654d4c1
commit b56654d4c1
parent fcb0b1150c
9 changed files with 97 additions and 64 deletions
--- a/1
+++ b/1
@ -3,6 +3,7 @@
 		domain="domain.tld"
 		path="/path"
 		is_public=1
+		password="1Strong-Password"
 	; Checks
 		pkg_linter=1
 		setup_sub_dir=1
--- a/conf/hash_generator.py
+++ b/conf/hash_generator.py
@ -0,0 +1,5 @@
+#!/usr/bin/env python
+import sys
+from werkzeug.security import generate_password_hash
+
+print(generate_password_hash(sys.argv[1]))
--- a/conf/ihatemoney.cfg
+++ b/conf/ihatemoney.cfg
@ -3,10 +3,10 @@ SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://__DB_USER__:__DB_PWD__@localhost/__DB
 SQLACHEMY_ECHO = False
 SQLALCHEMY_TRACK_MODIFICATIONS = False
 SECRET_KEY = "__SECRET_KEY__"
-MAIL_DEFAULT_SENDER = "Budget manager <__MAILS_SENDER__>"
+MAIL_DEFAULT_SENDER = "Budget manager <no-reply@__DOMAIN__>"
 SHOW_ADMIN_EMAIL = False
 ACTIVATE_DEMO_PROJECT = False
-ADMIN_PASSWORD = "RaidW00d"
+ADMIN_PASSWORD = "__HASHED_PASSWORD__"
 ALLOW_PUBLIC_PROJECT_CREATION = True
 ACTIVATE_ADMIN_DASHBOARD = True
 SESSION_COOKIE_SECURE = True
--- a/manifest.json
+++ b/manifest.json
@ -50,6 +50,10 @@
                    "fr": "Les projets ihatemoney sont protégés par un mot de passe dans tous les cas"
                },
                "default": true
+            },
+            {
+                "name": "password",
+                "type": "password"
            }
        ]
    }
--- a/scripts/change_url
+++ b/scripts/change_url
@ -23,6 +23,8 @@ app=$YNH_APP_INSTANCE_NAME
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 db_user=$db_name
 db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
+secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
+hashed_password=$(ynh_app_setting_get --app=$app --key=hashed_password)

 #=================================================
 # LOAD SETTINGS
@ -115,18 +117,12 @@ fi
 path_url="$new_path"
 domain="$new_domain"

-# Secret key for cookies encryption.
-secret_key=$(ynh_string_random --length 32)
-mails_sender="no-reply@$domain"
 # Allows to comment some config lines if not using sub path
 sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"

-ynh_backup_if_checksum_is_different --file="$final_path/ihatemoney.cfg"
-ynh_add_config --template ../conf/ihatemoney.cfg --destination "$final_path/ihatemoney.cfg"
-
-chmod 750 "$final_path"
-chmod -R o-rwx "$final_path"
-chown -R $app:www-data "$final_path"
+ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
+chmod 640 "$final_path/ihatemoney.cfg"
+chown $app:$app "$final_path/ihatemoney.cfg"

 #=================================================
 # GENERIC FINALISATION
--- a/scripts/install
+++ b/scripts/install
@ -26,8 +26,13 @@ ynh_abort_if_errors
 domain=$YNH_APP_ARG_DOMAIN
 path_url=$YNH_APP_ARG_PATH
 is_public=$YNH_APP_ARG_IS_PUBLIC
+password=$YNH_APP_ARG_PASSWORD
+
 app=$YNH_APP_INSTANCE_NAME

+# Secret key for cookies encryption.
+secret_key=$(ynh_string_random --length=32)
+
 #=================================================
 # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
 #=================================================
@ -46,6 +51,7 @@ ynh_script_progression --message="Storing installation settings..." --weight=1

 ynh_app_setting_set --app=$app --key=domain --value=$domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
+ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key

 #=================================================
 # STANDARD MODIFICATIONS
@ -73,20 +79,24 @@ db_name=$(ynh_sanitize_dbid --db_name=$app)
 db_user=$db_name
 ynh_app_setting_set --app=$app --key=db_name --value=$db_name
 ynh_mysql_setup_db --db_user=$db_user --db_name=$db_name
-# defines $db_pwd and setting mysqlpwd
+db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)

 #=================================================
 # SPECIFIC SETUP
 #=================================================
-# Init venv
+# BUILD VENV
 #=================================================
-ynh_script_progression --message="Configuring the app's installation..." --weight=6
+ynh_script_progression --message="Building venv..." --weight=6

 ynh_app_setting_set --app=$app --key=final_path --value=$final_path

 __ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}"
 python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv")

+chmod 750 "$final_path"
+chmod -R o-rwx "$final_path"
+chown -R $app:www-data "$final_path"
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@ -97,35 +107,32 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=1
 ynh_add_nginx_config

 #=================================================
-# Setup gunicorn
+# ADD A CONFIGURATION
 #=================================================
+ynh_script_progression --message="Adding a configuration file..."

-ynh_add_config --template ../conf/gunicorn.conf.py --destination "$final_path/gunicorn.conf.py"
-chmod 644 "$final_path/gunicorn.conf.py"
+#run source in a 'sub shell'
+(
+	set +o nounset
+	source "${final_path}/venv/bin/activate"
+	set -o nounset
+	python3 ../conf/hash_generator.py $password > ${final_path}/key.txt
+)

-#=================================================
-# Setup ihatemoney
-#=================================================
+hashed_password=$(cat $final_path/key.txt)
+ynh_secure_remove --file="$final_path/key.txt"
+ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password
+
+ynh_add_config --template="../conf/gunicorn.conf.py" --destination="$final_path/gunicorn.conf.py"
+chmod 640 "$final_path/gunicorn.conf.py"
+chown $app:$app "$final_path/gunicorn.conf.py"

-# Secret key for cookies encryption.
-secret_key=$(ynh_string_random --length 32)
-mails_sender="no-reply@$domain"
 # Allows to comment some config lines if not using sub path
 sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"

-ynh_add_config --template ../conf/ihatemoney.cfg --destination "$final_path/ihatemoney.cfg"
+ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
 chmod 640 "$final_path/ihatemoney.cfg"
-
-
-# FIXME: this should be managed by the core in the future
-# Here, as a packager, you may have to tweak the ownerhsip/permissions
-# such that the appropriate users (e.g. maybe www-data) can access
-# files in some cases.
-# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder -
-# this will be treated as a security issue.
-chmod 750 "$final_path"
-chmod -R o-rwx "$final_path"
-chown -R $app:www-data "$final_path"
+chown $app:$app "$final_path/ihatemoney.cfg"

 #=================================================
 # SETUP SYSTEMD
@ -150,7 +157,7 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste
 ynh_script_progression --message="Starting a systemd service..." --weight=1

 # Start a systemd service
-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at"

 # line_match isn't enough because ihatemoney may stop if database upgrades
 for _ in {1..20}; do
--- a/scripts/remove
+++ b/scripts/remove
@ -79,7 +79,7 @@ ynh_remove_app_dependencies
 #=================================================
 # REMOVE VARIOUS FILES
 #=================================================
-ynh_script_progression --message="Removing configuration files..." --weight=1
+ynh_script_progression --message="Removing various files..." --weight=1

 # Remove the log files
 ynh_secure_remove --file="/var/log/$app"
--- a/scripts/restore
+++ b/scripts/restore
@ -108,7 +108,7 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1

-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at"

 # line_match isn't enough because ihatemoney may stop if database upgrades
 for _ in {1..20}; do
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -22,6 +22,8 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 db_user=$db_name
 db_pwd=$(ynh_app_setting_get --app=$app --key=mysqlpwd)
+secret_key=$(ynh_app_setting_get --app=$app --key=secret_key)
+hashed_password=$(ynh_app_setting_get --app=$app --key=hashed_password)

 #=================================================
 # CHECK VERSION
@ -104,6 +106,29 @@ if [[ "$upgrade_from_opt" == "true" ]]; then
 	ynh_app_setting_set --app=$app --key=db_name --value=$db_name
 fi

+# If secret_key doesn't exist, create it
+if [ -z "$secret_key" ]; then
+	secret_key=$(ynh_string_random --length=32)
+	ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
+fi
+
+# If hashed_password doesn't exist, create it
+if [ -z "$hashed_password" ]; then
+	password=$(ynh_string_random --length=8)
+	#run source in a 'sub shell'
+	(
+		set +o nounset
+		source "${final_path}/venv/bin/activate"
+		set -o nounset
+		python3 ../conf/hash_generator.py $password > ${final_path}/key.txt
+	)
+
+	hashed_password=$(cat $final_path/key.txt)
+	ynh_secure_remove --file="$final_path/key.txt"
+	ynh_app_setting_set --app=$app --key=hashed_password --value=$hashed_password
+	ynh_script_progression --message="A new password for $app has been generated, it's $password ..."
+fi
+
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@ -122,17 +147,18 @@ ynh_install_app_dependencies "${pkg_dependencies[@]}"
 #=================================================
 # SPECIFIC UPGRADE
 #=================================================
-# Init venv
+# BUILD VENV
 #=================================================
-ynh_script_progression --message="Configuring the app's installation..." --weight=6
+ynh_script_progression --message="Building venv..." --weight=6

-ynh_app_setting_set --app=$app --key=final_path --value=$final_path
-
-# MIGRATION: Upgrade venv
-python3 -m venv --upgrade "$final_path/venv"
-"$final_path/venv/bin/python3" -m pip install --upgrade pip "${pip_dependencies[@]}"
+ynh_secure_remove --file="$final_path/venv"
+__ynh_python_venv_setup --venv_dir="$final_path/venv" --packages "${pip_dependencies[*]}"
 python_venv_site_packages=$(__ynh_python_venv_get_site_packages_dir -d "$final_path/venv")

+chmod 750 "$final_path"
+chmod -R o-rwx "$final_path"
+chown -R $app:www-data "$final_path"
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@ -140,31 +166,23 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." -

 # Create a dedicated NGINX config
 ## Needs $python_venv_site_packages
-ynh_add_nginx_config "PYTHON_VERSION"
+ynh_add_nginx_config

 #=================================================
-# Setup gunicorn
+# UPDATE A CONFIG FILE
 #=================================================
+ynh_script_progression --message="Updating a configuration file..."

-ynh_add_config --template ../conf/gunicorn.conf.py --destination "$final_path/gunicorn.conf.py"
-chmod 600 "$final_path/gunicorn.conf.py"
+ynh_add_config --template="../conf/gunicorn.conf.py" --destination="$final_path/gunicorn.conf.py"
+chmod 640 "$final_path/gunicorn.conf.py"
+chown $app:$app "$final_path/gunicorn.conf.py"

-#=================================================
-# Setup ihatemoney
-#=================================================
-
-# Secret key for cookies encryption.
-secret_key=$(ynh_string_random --length 32)
-mails_sender="no-reply@$domain"
 # Allows to comment some config lines if not using sub path
 sub_path_only="$(if [[ "$path_url" == "/" ]]; then echo '# ' ; else echo ''; fi)"

 ynh_add_config --template="../conf/ihatemoney.cfg" --destination="$final_path/ihatemoney.cfg"
-chmod 600 "$final_path/ihatemoney.cfg"
-
-chmod 750 "$final_path"
-chmod -R o-rwx "$final_path"
-chown -R $app:www-data "$final_path"
+chmod 640 "$final_path/ihatemoney.cfg"
+chown $app:$app "$final_path/ihatemoney.cfg"

 #=================================================
 # SETUP SYSTEMD
@ -188,11 +206,13 @@ yunohost service add $app --description="$app daemon for IHateMoney" --log=syste
 #=================================================
 ynh_script_progression --message="Starting a systemd service..." --weight=1

-ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Booting worker" --timeout 30
+ynh_systemd_action --service_name=$app --action="start" --log_path="systemd" --line_match="Listening at"

 # line_match isn't enough because ihatemoney may stop if database upgrades
-# FIXME: We need to wait for the db to upgrade and gunicorn to restart!
-sleep 3
+for _ in {1..20}; do
+	test -S /tmp/budget.gunicorn_$app.sock && break
+	sleep 1
+done

 #=================================================
 # RELOAD NGINX