
Allow LDAP on public install

also upgrades the existing install path and removes the legacy permission
This commit is contained in:
tytan652 2022-01-19 20:47:13 +01:00
parent ea12f5cb8c
commit 223706b1e9
6 changed files with 77 additions and 73 deletions


@ -5,6 +5,7 @@
path="/path" path="/path"
max_file_size=100 max_file_size=100
is_public=1 is_public=1
use_ldap=0
admin="john" admin="john"
; Checks ; Checks
pkg_linter=1 pkg_linter=1
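Review bot: The test configuration only sets `use_ldap=0`, so the new LDAP branch — the `__USE_LDAP__` uncommenting and the `__APP__` substitution into the permission-based `user_filter` — is never exercised by the package checks, and a typo in that filter would only surface on a real install. If the CI environment can reach the local LDAP, a second test section with `use_ldap=1` would cover it; otherwise a comment here such as `; use_ldap=1 is untested here: the user_filter needs a YunoHost LDAP with the app permission` makes the gap explicit.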


@ -199,20 +199,20 @@
# set `ldap` if you want that only authenticated users can upload files # set `ldap` if you want that only authenticated users can upload files
# please note that everybody can still download files # please note that everybody can still download files
# optional, no default # optional, no default
__IS_PUBLIC__ldap => { __USE_LDAP__ldap => {
__IS_PUBLIC__ uri => 'ldap://localhost:389', # server URI __USE_LDAP__ uri => 'ldap://localhost:389', # server URI
__IS_PUBLIC__ user_tree => 'dc=yunohost,dc=org', # search base DN __USE_LDAP__ user_tree => 'dc=yunohost,dc=org', # search base DN
__IS_PUBLIC__ bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN __USE_LDAP__ bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN
__IS_PUBLIC__ #bind_pwd => 'secr3t', # search bind password __USE_LDAP__ #bind_pwd => 'secr3t', # search bind password
__IS_PUBLIC__ user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.) __USE_LDAP__ user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.)
__IS_PUBLIC__ #user_filter => '(!(uid=ldap_user))', # user filter (to exclude some users, etc.) __USE_LDAP__ user_filter => '(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))', # user filter (to exclude some users, etc.)
__IS_PUBLIC__ # optional start_tls configuration. See https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#start_tls __USE_LDAP__ # optional start_tls configuration. See https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#start_tls
__IS_PUBLIC__ # don't set or uncomment if you don't want to configure it __USE_LDAP__ # don't set or uncomment if you don't want to configure it
__IS_PUBLIC__ #start_tls => { __USE_LDAP__ #start_tls => {
__IS_PUBLIC__ # verify => 'optional', __USE_LDAP__ # verify => 'optional',
__IS_PUBLIC__ # clientcert => '/etc/ssl/certs/ca-bundle.pem' __USE_LDAP__ # clientcert => '/etc/ssl/certs/ca-bundle.pem'
__IS_PUBLIC__ #} __USE_LDAP__ #}
__IS_PUBLIC__}, __USE_LDAP__},
# if you've set ldap above, the session will last `session_duration` seconds before # if you've set ldap above, the session will last `session_duration` seconds before
# the user needs to reauthenticate # the user needs to reauthenticate
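Review bot: The trailing comment on the new `user_filter` line, `# user filter (to exclude some users, etc.)`, was carried over from the old commented example and no longer describes what the filter now does: it limits uploads to accounts that hold this instance's `main` permission (`permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org`), which is the actual access-control boundary once LDAP is enabled, so it deserves to be stated. Suggest `# only accounts granted this app's main permission may upload (permission-based filter)`. Note also that when `__USE_LDAP__` is replaced by `#` the `__APP__` placeholder survives inside the commented-out line; harmless at runtime, but anyone uncommenting it by hand gets an unsubstituted filter, which a short comment on the line could warn about.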


@ -48,9 +48,26 @@
"example": "100", "example": "100",
"default": "100" "default": "100"
}, },
{
"name": "use_ldap",
"type": "boolean",
"ask": {
"en": "Install Lufi with LDAP configuration?",
"fr": "Installer Lufi avec la configuration LDAP ?"
},
"help": {
"en": "A Lufi with LDAP enabled will allow only YunoHost users to upload.",
"fr": "Un Lufi avec LDAP activé autorisera seulement les utilisateurs YunoHost à téléverser."
},
"default": false
},
{ {
"name": "is_public", "name": "is_public",
"type": "boolean", "type": "boolean",
"help": {
"en": "A public Lufi will be publicly visible for everyone.",
"fr": "Un Lufi public sera visible publiquement pour tous."
},
"default": true "default": true
} }
] ]
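Review bot: The `use_ldap` help text, "will allow only YunoHost users to upload", slightly overstates who gets access: the `user_filter` written into the config template restricts uploads to accounts that have been granted this app's `main` permission, not every YunoHost account. Suggest `"en": "A Lufi with LDAP enabled will allow only YunoHost users granted access to this app to upload."` with the French line adjusted accordingly. Since `use_ldap` and `is_public` are independent questions, the `is_public` help could also mention that LDAP, when enabled, still gates uploading even on a public instance.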


@ -31,7 +31,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
# Add settings here as needed by your application # Add settings here as needed by your application
port=$(ynh_app_setting_get --app=$app --key=port) port=$(ynh_app_setting_get --app=$app --key=port)
is_public=$(ynh_app_setting_get --app=$app --key=is_public) use_ldap=$(ynh_app_setting_get --app=$app --key=use_ldap)
db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_name=$(ynh_app_setting_get --app=$app --key=db_name)
db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd) db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd)
db_user=$db_name db_user=$db_name
@ -133,35 +133,18 @@ if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit
ynh_replace_string --match_string="max_file_size" --replace_string="#max_file_size" --target_file="$config" ynh_replace_string --match_string="max_file_size" --replace_string="#max_file_size" --target_file="$config"
fi fi
ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config"
if [ $is_public -eq 0 ]; if [ $use_ldap -eq 1 ];
then then
ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="" --target_file="$config" ynh_replace_string --match_string="__USE_LDAP__" --replace_string="" --target_file="$config"
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config"
else else
ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="#" --target_file="$config" ynh_replace_string --match_string="__USE_LDAP__" --replace_string="#" --target_file="$config"
fi fi
ynh_store_file_checksum --file="$config" ynh_store_file_checksum --file="$config"
chmod 600 $final_path/lufi.conf chmod 600 $final_path/lufi.conf
chown $app:$app $final_path/lufi.conf chown $app:$app $final_path/lufi.conf
#=================================================
# UPDATE SSOWAT
#=================================================
ynh_script_progression --message="Reconfiguring permissions..."
ynh_permission_update --permission="main" --add="visitors"
if [ $is_public -eq 0 ]
then
if [ "$path_url" == "/" ]; then
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats$","$domain_regex$path_url/manifest.webapp$","$domain_regex$path_url/$","$domain_regex$path_url/d/.*$","$domain_regex$path_url/m/.*$"
fi
#================================================= #=================================================
# GENERIC FINALISATION # GENERIC FINALISATION
#================================================= #=================================================
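Review bot: `if [ $use_ldap -eq 1 ];` in the config block leaves `$use_ldap` unquoted, so if the setting is absent the test becomes `[ -eq 1 ]`, which is a test error (non-zero exit, "unary operator expected") rather than a false result, and under the helpers' error trap the script aborts instead of taking the `else` branch. That can happen here because this script reads `use_ldap` from the app settings and the upgrade hunk in this commit only assigns the migrated value to a shell variable without a visible `ynh_app_setting_set --key=use_ldap` (it may be stored outside the hunk, but it is not shown). Suggest `if [ "${use_ldap:-0}" -eq 1 ]` so a missing setting defaults to the non-LDAP path, and the same shape for the identical test in the install and upgrade hunks.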


@ -27,6 +27,7 @@ domain=$YNH_APP_ARG_DOMAIN
path_url=$YNH_APP_ARG_PATH path_url=$YNH_APP_ARG_PATH
max_file_size=$YNH_APP_ARG_MAX_FILE_SIZE max_file_size=$YNH_APP_ARG_MAX_FILE_SIZE
is_public=$YNH_APP_ARG_IS_PUBLIC is_public=$YNH_APP_ARG_IS_PUBLIC
use_ldap=$YNH_APP_ARG_USE_LDAP
secret=$(ynh_string_random --length=24) secret=$(ynh_string_random --length=24)
app=$YNH_APP_INSTANCE_NAME app=$YNH_APP_INSTANCE_NAME
@ -54,7 +55,7 @@ ynh_script_progression --message="Storing installation settings..."
ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=domain --value=$domain
ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=path --value=$path_url
ynh_app_setting_set --app=$app --key=is_public --value=$is_public ynh_app_setting_set --app=$app --key=use_ldap --value=$use_ldap
ynh_app_setting_set --app=$app --key=max_file_size --value=$max_file_size ynh_app_setting_set --app=$app --key=max_file_size --value=$max_file_size
ynh_app_setting_set --app=$app --key=secret --value=$secret ynh_app_setting_set --app=$app --key=secret --value=$secret
@ -139,11 +140,12 @@ if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit
fi fi
ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config"
if [ $is_public -eq 0 ]; if [ $use_ldap -eq 1 ];
then then
ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="" --target_file="$config" ynh_replace_string --match_string="__USE_LDAP__" --replace_string="" --target_file="$config"
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config"
else else
ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="#" --target_file="$config" ynh_replace_string --match_string="__USE_LDAP__" --replace_string="#" --target_file="$config"
fi fi
ynh_store_file_checksum --file="$config" ynh_store_file_checksum --file="$config"
@ -204,17 +206,9 @@ ynh_systemd_action --service_name=$app --action="start" --line_match="Creating p
#================================================= #=================================================
ynh_script_progression --message="Configuring permissions..." ynh_script_progression --message="Configuring permissions..."
ynh_permission_update --permission="main" --add="visitors" if [ $is_public -eq 1 ]
if [ $is_public -eq 0 ]
then then
if [ "$path_url" == "/" ]; then ynh_permission_update --permission="main" --add="visitors"
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats$","$domain_regex$path_url/manifest.webapp$","$domain_regex$path_url/$","$domain_regex$path_url/d/.*$","$domain_regex$path_url/m/.*$"
fi fi
#================================================= #=================================================


@ -18,7 +18,7 @@ app=$YNH_APP_INSTANCE_NAME
domain=$(ynh_app_setting_get --app=$app --key=domain) domain=$(ynh_app_setting_get --app=$app --key=domain)
path_url=$(ynh_app_setting_get --app=$app --key=path) path_url=$(ynh_app_setting_get --app=$app --key=path)
is_public=$(ynh_app_setting_get --app=$app --key=is_public) use_ldap=$(ynh_app_setting_get --app=$app --key=use_ldap)
port=$(ynh_app_setting_get --app=$app --key=port) port=$(ynh_app_setting_get --app=$app --key=port)
final_path=$(ynh_app_setting_get --app=$app --key=final_path) final_path=$(ynh_app_setting_get --app=$app --key=final_path)
secret=$(ynh_app_setting_get --app=$app --key=secret) secret=$(ynh_app_setting_get --app=$app --key=secret)
@ -70,10 +70,36 @@ if [ -z "$max_file_size" ]; then
ynh_app_setting_set --app=$app --key=max_file_size --value=$max_file_size ynh_app_setting_set --app=$app --key=max_file_size --value=$max_file_size
fi fi
# Cleaning legacy permissions # Check if is_public settings exist and is set to true
was_public=$(ynh_app_setting_get --app=$app --key=is_public)
if [ $was_public -eq 1 ]
then
# Fix permissions if true
ynh_print_info --message="Upgrading from legacy permission..."
ynh_print_info --message="Legacy public instance detected, allow visitors with new permission."
use_ldap=0
# Add new permission to allow visitors
ynh_permission_update --permission="main" --add="visitors"
# Remove deprecated is_public settings
ynh_app_setting_delete --app=$app --key=is_public
fi
# Check if legacy permissions exists (meanning that is_public was set to false)
if ynh_legacy_permissions_exists; then if ynh_legacy_permissions_exists; then
ynh_print_info --message="Upgrading from legacy permission..."
ynh_print_info --message="Legacy private instance detected, keep LDAP enabled."
# Legacy private install have LDAP enabled
use_ldap=1
# Cleaning legacy permissions
ynh_print_info --message="Removing legacy permission..."
ynh_legacy_permissions_delete_all ynh_legacy_permissions_delete_all
# Remove deprecated is_public settings
ynh_app_setting_delete --app=$app --key=is_public ynh_app_setting_delete --app=$app --key=is_public
fi fi
@ -145,11 +171,12 @@ if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit
fi fi
ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config"
if [ $is_public -eq 0 ]; if [ $use_ldap -eq 1 ];
then then
ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="" --target_file="$config" ynh_replace_string --match_string="__USE_LDAP__" --replace_string="" --target_file="$config"
ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config"
else else
ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="#" --target_file="$config" ynh_replace_string --match_string="__USE_LDAP__" --replace_string="#" --target_file="$config"
fi fi
ynh_store_file_checksum --file="$config" ynh_store_file_checksum --file="$config"
@ -197,24 +224,6 @@ ynh_script_progression --message="Upgrading systemd configuration..."
# Create a dedicated systemd config # Create a dedicated systemd config
ynh_add_systemd_config ynh_add_systemd_config
#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Upgrading permissions..."
ynh_permission_update --permission="main" --add="visitors"
if [ $is_public -eq 0 ]
then
if [ "$path_url" == "/" ]; then
# If the path is /, clear it to prevent any error with the regex.
path_url=""
fi
# Modify the domain to be used in a regex
domain_regex=$(echo "$domain" | sed 's@-@.@g')
ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats$","$domain_regex$path_url/manifest.webapp$","$domain_regex$path_url/$","$domain_regex$path_url/d/.*$","$domain_regex$path_url/m/.*$"
fi
#================================================= #=================================================
# START SYSTEMD SERVICE # START SYSTEMD SERVICE
#================================================= #=================================================
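Review bot: `if [ $was_public -eq 1 ]` fails on the second upgrade after this migration: the block ends with `ynh_app_setting_delete --key=is_public`, so the next run gets an empty `$was_public` and `[ -eq 1 ]` is a shell test error that aborts the script rather than evaluating false. Guard it with `if [ -n "$was_public" ] && [ "$was_public" -eq 1 ]`. Relatedly, both migration branches set `use_ldap` only as a shell variable; unless it is stored outside this hunk, `use_ldap=$(ynh_app_setting_get ...)` at the top of the script comes back empty on later upgrades and the later `[ $use_ldap -eq 1 ]` hits the same failure, so add `ynh_app_setting_set --app=$app --key=use_ldap --value=$use_ldap` after the two branches.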