From 223706b1e93ca158e13eb41097396a4f9b5045eb Mon Sep 17 00:00:00 2001 From: tytan652 Date: Wed, 19 Jan 2022 20:47:13 +0100 Subject: [PATCH 1/8] Allow LDAP on public install also upgrade and remove legacy permission --- check_process | 1 + conf/lufi.conf.template | 28 ++++++++++----------- manifest.json | 17 +++++++++++++ scripts/change_url | 27 ++++---------------- scripts/install | 22 ++++++----------- scripts/upgrade | 55 ++++++++++++++++++++++++----------------- 6 files changed, 77 insertions(+), 73 deletions(-) diff --git a/check_process b/check_process index e177dbf..4b77609 100644 --- a/check_process +++ b/check_process @@ -5,6 +5,7 @@ path="/path" max_file_size=100 is_public=1 + use_ldap=0 admin="john" ; Checks pkg_linter=1 diff --git a/conf/lufi.conf.template b/conf/lufi.conf.template index 7057dbe..75a5c33 100644 --- a/conf/lufi.conf.template +++ b/conf/lufi.conf.template 
@@ -199,20 +199,20 @@ # set `ldap` if you want that only authenticated users can upload files # please note that everybody can still download files # optional, no default - __IS_PUBLIC__ldap => { - __IS_PUBLIC__ uri => 'ldap://localhost:389', # server URI - __IS_PUBLIC__ user_tree => 'dc=yunohost,dc=org', # search base DN - __IS_PUBLIC__ bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN - __IS_PUBLIC__ #bind_pwd => 'secr3t', # search bind password - __IS_PUBLIC__ user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.) - __IS_PUBLIC__ #user_filter => '(!(uid=ldap_user))', # user filter (to exclude some users, etc.) - __IS_PUBLIC__ # optional start_tls configuration. See https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#start_tls - __IS_PUBLIC__ # don't set or uncomment if you don't want to configure it - __IS_PUBLIC__ #start_tls => { - __IS_PUBLIC__ # verify => 'optional', - __IS_PUBLIC__ # clientcert => '/etc/ssl/certs/ca-bundle.pem' - __IS_PUBLIC__ #} - __IS_PUBLIC__}, + __USE_LDAP__ldap => { + __USE_LDAP__ uri => 'ldap://localhost:389', # server URI + __USE_LDAP__ user_tree => 'dc=yunohost,dc=org', # search base DN + __USE_LDAP__ bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN + __USE_LDAP__ #bind_pwd => 'secr3t', # search bind password + __USE_LDAP__ user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.) + __USE_LDAP__ user_filter => '(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))', # user filter (to exclude some users, etc.) + __USE_LDAP__ # optional start_tls configuration. 
See https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#start_tls + __USE_LDAP__ # don't set or uncomment if you don't want to configure it + __USE_LDAP__ #start_tls => { + __USE_LDAP__ # verify => 'optional', + __USE_LDAP__ # clientcert => '/etc/ssl/certs/ca-bundle.pem' + __USE_LDAP__ #} + __USE_LDAP__}, # if you've set ldap above, the session will last `session_duration` seconds before # the user needs to reauthenticate diff --git a/manifest.json b/manifest.json index 938f162..939be96 100644 --- a/manifest.json +++ b/manifest.json @@ -48,9 +48,26 @@ "example": "100", "default": "100" }, + { + "name": "use_ldap", + "type": "boolean", + "ask": { + "en": "Install Lufi with LDAP configuration?", + "fr": "Installer Lufi avec la configuration LDAP ?" + }, + "help": { + "en": "A Lufi with LDAP enabled will allow only YunoHost users to upload.", + "fr": "Un Lufi avec LDAP activé autorisera seulement les utilisateurs YunoHost à téléverser." + }, + "default": false + }, { "name": "is_public", "type": "boolean", + "help": { + "en": "A public Lufi will be publicly visible for everyone.", + "fr": "Un Lufi public sera visible publiquement pour tous." + }, "default": true } ] diff --git a/scripts/change_url b/scripts/change_url index 17b4b74..9d52ff1 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -31,7 +31,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) # Add settings here as needed by your application port=$(ynh_app_setting_get --app=$app --key=port) -is_public=$(ynh_app_setting_get --app=$app --key=is_public) +use_ldap=$(ynh_app_setting_get --app=$app --key=use_ldap) db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_pwd=$(ynh_app_setting_get --app=$app --key=psqlpwd) db_user=$db_name 
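Review bot: The trailing comment on the new `user_filter` line in conf/lufi.conf.template still reads "user filter (to exclude some users, etc.)", but the line is now active and decides who may upload: only `posixAccount` entries holding the `__APP__.main` permission match. I would change the comment to something like `# only accounts granted this app's main permission may log in and upload`. It is also worth confirming that ordinary accounts keep that permission once `visitors` is added to `main` for a public install, since a filter that matches nobody would block every upload; this cannot be checked from the hunk. The same line is carried over under `__LDAP__` in patch 2/8.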
@@ -133,35 +133,18 @@ if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit ynh_replace_string --match_string="max_file_size" --replace_string="#max_file_size" --target_file="$config" fi ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" -if [ $is_public -eq 0 ]; +if [ $use_ldap -eq 1 ]; then - ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="" --target_file="$config" + ynh_replace_string --match_string="__USE_LDAP__" --replace_string="" --target_file="$config" + ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config" else - ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="#" --target_file="$config" + ynh_replace_string --match_string="__USE_LDAP__" --replace_string="#" --target_file="$config" fi ynh_store_file_checksum --file="$config" chmod 600 $final_path/lufi.conf chown $app:$app $final_path/lufi.conf -#================================================= -# UPDATE SSOWAT -#================================================= -ynh_script_progression --message="Reconfiguring permissions..." - -ynh_permission_update --permission="main" --add="visitors" - -if [ $is_public -eq 0 ] -then - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats$","$domain_regex$path_url/manifest.webapp$","$domain_regex$path_url/$","$domain_regex$path_url/d/.*$","$domain_regex$path_url/m/.*$" -fi - #================================================= # GENERIC FINALISATION #================================================= diff --git a/scripts/install b/scripts/install index c186fdf..b400437 100644 --- a/scripts/install +++ b/scripts/install 
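Review bot: `if [ $use_ldap -eq 1 ]` in scripts/change_url is unquoted and fails open. Any value other than 1, including an empty string when the `use_ldap` setting was never stored, makes the test false or erroring, so the else branch comments out the whole `ldap` block and, per the template's own comment, uploads no longer require authentication. Since the value is read straight from the app settings in this file, I would validate it first and abort on anything that is not 0 or 1, for example `[ "${use_ldap:-}" = "1" ] || [ "${use_ldap:-}" = "0" ] || ynh_die --message="use_ldap setting is missing or invalid"`. The same test appears in the install and upgrade configuration hunks of this patch, and in the `ldap="#"` default form introduced in patch 2/8.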
@@ -27,6 +27,7 @@ domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH max_file_size=$YNH_APP_ARG_MAX_FILE_SIZE is_public=$YNH_APP_ARG_IS_PUBLIC +use_ldap=$YNH_APP_ARG_USE_LDAP secret=$(ynh_string_random --length=24) app=$YNH_APP_INSTANCE_NAME @@ -54,7 +55,7 @@ ynh_script_progression --message="Storing installation settings..." ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url -ynh_app_setting_set --app=$app --key=is_public --value=$is_public +ynh_app_setting_set --app=$app --key=use_ldap --value=$use_ldap ynh_app_setting_set --app=$app --key=max_file_size --value=$max_file_size ynh_app_setting_set --app=$app --key=secret --value=$secret @@ -139,11 +140,12 @@ if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit fi ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" -if [ $is_public -eq 0 ]; +if [ $use_ldap -eq 1 ]; then - ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="" --target_file="$config" + ynh_replace_string --match_string="__USE_LDAP__" --replace_string="" --target_file="$config" + ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config" else - ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="#" --target_file="$config" + ynh_replace_string --match_string="__USE_LDAP__" --replace_string="#" --target_file="$config" fi ynh_store_file_checksum --file="$config" 
@@ -204,17 +206,9 @@ ynh_systemd_action --service_name=$app --action="start" --line_match="Creating p #================================================= ynh_script_progression --message="Configuring permissions..." -ynh_permission_update --permission="main" --add="visitors" - -if [ $is_public -eq 0 ] +if [ $is_public -eq 1 ] then - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats$","$domain_regex$path_url/manifest.webapp$","$domain_regex$path_url/$","$domain_regex$path_url/d/.*$","$domain_regex$path_url/m/.*$" + ynh_permission_update --permission="main" --add="visitors" fi #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 0e94262..6056ed6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -18,7 +18,7 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) -is_public=$(ynh_app_setting_get --app=$app --key=is_public) +use_ldap=$(ynh_app_setting_get --app=$app --key=use_ldap) port=$(ynh_app_setting_get --app=$app --key=port) final_path=$(ynh_app_setting_get --app=$app --key=final_path) secret=$(ynh_app_setting_get --app=$app --key=secret) 
@@ -70,10 +70,36 @@ if [ -z "$max_file_size" ]; then ynh_app_setting_set --app=$app --key=max_file_size --value=$max_file_size fi -# Cleaning legacy permissions +# Check if is_public settings exist and is set to true +was_public=$(ynh_app_setting_get --app=$app --key=is_public) +if [ $was_public -eq 1 ] +then + # Fix permissions if true + ynh_print_info --message="Upgrading from legacy permission..." + ynh_print_info --message="Legacy public instance detected, allow visitors with new permission." + use_ldap=0 + + # Add new permission to allow visitors + ynh_permission_update --permission="main" --add="visitors" + + # Remove deprecated is_public settings + ynh_app_setting_delete --app=$app --key=is_public +fi + +# Check if legacy permissions exists (meanning that is_public was set to false) if ynh_legacy_permissions_exists; then + + ynh_print_info --message="Upgrading from legacy permission..." + ynh_print_info --message="Legacy private instance detected, keep LDAP enabled." + + # Legacy private install have LDAP enabled + use_ldap=1 + + # Cleaning legacy permissions + ynh_print_info --message="Removing legacy permission..." ynh_legacy_permissions_delete_all + # Remove deprecated is_public settings ynh_app_setting_delete --app=$app --key=is_public fi 
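Review bot: The migrated `use_ldap` value in scripts/upgrade is only assigned to a shell variable; no `ynh_app_setting_set --key=use_ldap` is visible in any upgrade hunk of this patch, while `is_public` and the legacy permissions it is derived from are deleted in the same run. If it is not stored elsewhere, the next upgrade or change_url would presumably read an empty `use_ldap` and render the config with the `ldap` block commented out, which would open uploads on a formerly private instance. Adding `ynh_app_setting_set --app=$app --key=use_ldap --value=$use_ldap` after the two migration branches would close that gap. Separately, `[ $was_public -eq 1 ]` has an empty operand once `is_public` has been deleted, so `[ "${was_public:-0}" -eq 1 ]` would avoid the test error on later upgrades.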
@@ -145,11 +171,12 @@ if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit fi ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" -if [ $is_public -eq 0 ]; +if [ $use_ldap -eq 1 ]; then - ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="" --target_file="$config" + ynh_replace_string --match_string="__USE_LDAP__" --replace_string="" --target_file="$config" + ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config" else - ynh_replace_string --match_string="__IS_PUBLIC__" --replace_string="#" --target_file="$config" + ynh_replace_string --match_string="__USE_LDAP__" --replace_string="#" --target_file="$config" fi ynh_store_file_checksum --file="$config" @@ -197,24 +224,6 @@ ynh_script_progression --message="Upgrading systemd configuration..." # Create a dedicated systemd config ynh_add_systemd_config -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Upgrading permissions..." - -ynh_permission_update --permission="main" --add="visitors" - -if [ $is_public -eq 0 ] -then - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats$","$domain_regex$path_url/manifest.webapp$","$domain_regex$path_url/$","$domain_regex$path_url/d/.*$","$domain_regex$path_url/m/.*$" -fi - #================================================= # START SYSTEMD SERVICE #================================================= From 8d3a052a238e1d456507b64f6af0783bbada3938 Mon Sep 17 00:00:00 2001 
From: tytan652 Date: Wed, 19 Jan 2022 21:01:53 +0100 Subject: [PATCH 2/8] Use add_config rather than various replace_string --- conf/lufi.conf.template | 30 +++++++++++++++--------------- scripts/change_url | 28 +++++++++------------------- scripts/install | 27 ++++++++------------------- scripts/upgrade | 28 ++++++++-------------------- 4 files changed, 40 insertions(+), 73 deletions(-) diff --git a/conf/lufi.conf.template b/conf/lufi.conf.template index 75a5c33..20993f6 100644 --- a/conf/lufi.conf.template +++ b/conf/lufi.conf.template @@ -59,7 +59,7 @@ # max file size, in octets # you can write it 100*1024*1024 # optional, no default - max_file_size => __MAX_FILE_SIZE__*1024*1024, + __MAX_SIZE_SET__max_file_size => __MAX_FILE_SIZE__*1024*1024, # if you want to have piwik statistics, provide a piwik image tracker # only the image tracker is allowed, no javascript 
@@ -199,20 +199,20 @@ # set `ldap` if you want that only authenticated users can upload files # please note that everybody can still download files # optional, no default - __USE_LDAP__ldap => { - __USE_LDAP__ uri => 'ldap://localhost:389', # server URI - __USE_LDAP__ user_tree => 'dc=yunohost,dc=org', # search base DN - __USE_LDAP__ bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN - __USE_LDAP__ #bind_pwd => 'secr3t', # search bind password - __USE_LDAP__ user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.) - __USE_LDAP__ user_filter => '(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))', # user filter (to exclude some users, etc.) - __USE_LDAP__ # optional start_tls configuration. See https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#start_tls - __USE_LDAP__ # don't set or uncomment if you don't want to configure it - __USE_LDAP__ #start_tls => { - __USE_LDAP__ # verify => 'optional', - __USE_LDAP__ # clientcert => '/etc/ssl/certs/ca-bundle.pem' - __USE_LDAP__ #} - __USE_LDAP__}, + __LDAP__ldap => { + __LDAP__ uri => 'ldap://localhost:389', # server URI + __LDAP__ user_tree => 'dc=yunohost,dc=org', # search base DN + __LDAP__ bind_dn => 'ou=users,dc=yunohost,dc=org', # search bind DN + __LDAP__ #bind_pwd => 'secr3t', # search bind password + __LDAP__ user_attr => 'uid', # user attribute (uid, mail, sAMAccountName, etc.) + __LDAP__ user_filter => '(&(objectClass=posixAccount)(permission=cn=__APP__.main,ou=permission,dc=yunohost,dc=org))', # user filter (to exclude some users, etc.) + __LDAP__ # optional start_tls configuration. 
See https://metacpan.org/pod/distribution/perl-ldap/lib/Net/LDAP.pod#start_tls + __LDAP__ # don't set or uncomment if you don't want to configure it + __LDAP__ #start_tls => { + __LDAP__ # verify => 'optional', + __LDAP__ # clientcert => '/etc/ssl/certs/ca-bundle.pem' + __LDAP__ #} + __LDAP__}, # if you've set ldap above, the session will last `session_duration` seconds before # the user needs to reauthenticate diff --git a/scripts/change_url b/scripts/change_url index 9d52ff1..46cadcf 100644 --- a/scripts/change_url +++ b/scripts/change_url 
@@ -119,28 +119,18 @@ ynh_script_progression --message="Configuring lufi..." domain="$new_domain" path_url="$new_path" -config=${final_path}/lufi.conf -ynh_backup_if_checksum_is_different --file="$config" -cp ../conf/lufi.conf.template "$config" -ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$config" -ynh_replace_string --match_string="__PATH__" --replace_string="$path_url" --target_file="$config" -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$config" -ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --target_file="$config" -ynh_replace_string --match_string="__DB_USER__" --replace_string="$db_user" --target_file="$config" -ynh_replace_string --match_string="__DB_PWD__" --replace_string="$db_pwd" --target_file="$config" -ynh_replace_string --match_string="__MAX_FILE_SIZE__" --replace_string="$max_file_size" --target_file="$config" -if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit - ynh_replace_string --match_string="max_file_size" --replace_string="#max_file_size" --target_file="$config" -fi -ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" +ldap="#" if [ $use_ldap -eq 1 ]; then - ynh_replace_string --match_string="__USE_LDAP__" --replace_string="" --target_file="$config" - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config" -else - ynh_replace_string --match_string="__USE_LDAP__" --replace_string="#" --target_file="$config" + ldap="" fi -ynh_store_file_checksum --file="$config" + +max_size_set="" +if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit + max_size_set="#" +fi + +ynh_add_config --template="../conf/lufi.conf.template" --destination="$final_path/lufi.conf" chmod 600 $final_path/lufi.conf chown $app:$app $final_path/lufi.conf diff --git a/scripts/install b/scripts/install index b400437..848bd44 100644 
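Review bot: `ldap` and `max_size_set` read like dead variables in this scripts/change_url hunk, because nothing after their assignment refers to them by name. They appear to exist only so that `ynh_add_config` can fill `__LDAP__` and `__MAX_SIZE_SET__` in the template, which is easy to break during a later cleanup and would silently change whether uploads need LDAP authentication. I would add a comment above them such as `# Consumed by ynh_add_config: "#" comments out the __LDAP__ / __MAX_SIZE_SET__ lines of lufi.conf.template`. The same pair is introduced in the install and upgrade hunks of this patch.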
--- a/scripts/install +++ b/scripts/install @@ -126,29 +126,18 @@ ynh_add_nginx_config max_file_size #================================================= ynh_script_progression --message="Configuring $app..." -config=${final_path}/lufi.conf -cp ../conf/lufi.conf.template "$config" -ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$config" -ynh_replace_string --match_string="__PATH__" --replace_string="$path_url" --target_file="$config" -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$config" -ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --target_file="$config" -ynh_replace_string --match_string="__DB_USER__" --replace_string="$db_user" --target_file="$config" -ynh_replace_string --match_string="__DB_PWD__" --replace_string="$db_pwd" --target_file="$config" -ynh_replace_string --match_string="__MAX_FILE_SIZE__" --replace_string="$max_file_size" --target_file="$config" -if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit - ynh_replace_string --match_string="max_file_size" --replace_string="#max_file_size" --target_file="$config" -fi -ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" - +ldap="#" if [ $use_ldap -eq 1 ]; then - ynh_replace_string --match_string="__USE_LDAP__" --replace_string="" --target_file="$config" - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config" -else - ynh_replace_string --match_string="__USE_LDAP__" --replace_string="#" --target_file="$config" + ldap="" fi -ynh_store_file_checksum --file="$config" +max_size_set="" +if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit + max_size_set="#" +fi + +ynh_add_config --template="../conf/lufi.conf.template" --destination="$final_path/lufi.conf" chmod 600 $final_path/lufi.conf chown $app:$app $final_path/lufi.conf 
diff --git a/scripts/upgrade b/scripts/upgrade
index 6056ed6..1d9d4b3 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -156,30 +156,18 @@ ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies #================================================= ynh_script_progression --message="Configuring Lufi..." -config=${final_path}/lufi.conf -ynh_backup_if_checksum_is_different --file="$config" -cp ../conf/lufi.conf.template "$config" -ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file="$config" -ynh_replace_string --match_string="__PATH__" --replace_string="$path_url" --target_file="$config" -ynh_replace_string --match_string="__PORT__" --replace_string="$port" --target_file="$config" -ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --target_file="$config" -ynh_replace_string --match_string="__DB_USER__" --replace_string="$db_user" --target_file="$config" -ynh_replace_string --match_string="__DB_PWD__" --replace_string="$db_pwd" --target_file="$config" -ynh_replace_string --match_string="__MAX_FILE_SIZE__" --replace_string="$max_file_size" --target_file="$config" -if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit - ynh_replace_string --match_string="max_file_size" --replace_string="#max_file_size" --target_file="$config" -fi -ynh_replace_string --match_string="__SECRET__" --replace_string="$secret" --target_file="$config" - +ldap="#" if [ $use_ldap -eq 1 ]; then - ynh_replace_string --match_string="__USE_LDAP__" --replace_string="" --target_file="$config" - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file="$config" -else - ynh_replace_string --match_string="__USE_LDAP__" --replace_string="#" --target_file="$config" + ldap="" fi -ynh_store_file_checksum --file="$config" +max_size_set="" +if [ $max_file_size -eq 0 ]; then # Comment the limitation line if no limit + max_size_set="#" +fi + +ynh_add_config --template="../conf/lufi.conf.template" --destination="$final_path/lufi.conf" chmod 600 $final_path/lufi.conf chown $app:$app $final_path/lufi.conf 
From 9d213cc2b601b8e226555045aec0276598f374b6 Mon Sep 17 00:00:00 2001 From: tytan652 Date: Wed, 19 Jan 2022 21:03:00 +0100 Subject: [PATCH 3/8] Remove deprecated redirect in nginx config also bump YunoHost minimal version to 4.3 --- conf/nginx.conf | 4 ---- manifest.json | 2 +- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 215fb2d..6c8afbc 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -1,10 +1,6 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - if ($scheme = http) { - rewrite ^ https://$server_name$request_uri? permanent; - } - # This is important for user's privacy! access_log off; error_log /var/log/nginx/lufi.error.log; diff --git a/manifest.json b/manifest.json index 939be96..5432fbd 100644 --- a/manifest.json +++ b/manifest.json @@ -20,7 +20,7 @@ "email": "win10@tutanota.com, cyp@rouquin.me" }, "requirements": { - "yunohost": ">= 4.2.3" + "yunohost": ">= 4.3" }, "multi_instance": true, "services": [ From 277dae360152eef13344c50c1b39557513e3bf76 Mon Sep 17 00:00:00 2001 From: tytan652 Date: Wed, 19 Jan 2022 21:03:13 +0100 Subject: [PATCH 4/8] Bump package version --- manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.json b/manifest.json index 5432fbd..1724075 100644 --- a/manifest.json +++ b/manifest.json @@ -6,7 +6,7 @@ "en": "Self hosting files and sharing anonymous application", "fr": "Application d'hébergement et de partage de fichiers anonyme" }, - "version": "0.05.16~ynh1", + "version": "0.05.16~ynh2", "url": "https://git.framasoft.org/luc/lufi", "upstream": { "license": "AGPL-3.0-or-later", From 0047292a569ab507360fe69554301c84e4c8455c Mon Sep 17 00:00:00 2001 
From: yalh76 Date: Thu, 27 Jan 2022 02:40:24 +0100 Subject: [PATCH 5/8] Apply last example_ynh --- check_process | 6 +-- conf/nginx.conf | 48 ++++++++++----------- doc/DESCRIPTION.md | 6 +++ manifest.json | 102 ++++++++++++++++++++++----------------------- scripts/backup | 4 +- scripts/change_url | 6 +-- scripts/install | 4 +- scripts/remove | 36 +++++++--------- scripts/restore | 30 ++++++------- scripts/upgrade | 68 +++++++++++------------------- 10 files changed, 144 insertions(+), 166 deletions(-) create mode 100644 doc/DESCRIPTION.md diff --git a/check_process b/check_process index e177dbf..42a096b 100644 --- a/check_process +++ b/check_process @@ -3,9 +3,9 @@ ; Manifest domain="domain.tld" path="/path" - max_file_size=100 - is_public=1 admin="john" + is_public=1 + max_file_size=100 ; Checks pkg_linter=1 setup_sub_dir=1 @@ -15,7 +15,7 @@ setup_public=1 upgrade=1 # 0.03.5 - upgrade=1 from_commit=23e84578464b1fa09f79c98b6a9b5f19bbcf83f3 + upgrade=1 from_commit=23e84578464b1fa09f79c98b6a9b5f19bbcf83f3 backup_restore=1 multi_instance=1 change_url=1 diff --git a/conf/nginx.conf b/conf/nginx.conf index 215fb2d..44b2d54 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
@@ -1,37 +1,33 @@ #sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; location __PATH__/ { - if ($scheme = http) { - rewrite ^ https://$server_name$request_uri? permanent; - } + # This is important for user's privacy! + access_log off; + error_log /var/log/nginx/lufi.error.log; - # This is important for user's privacy! - access_log off; - error_log /var/log/nginx/lufi.error.log; + # This is important! Make it OK with your Lutim configuration + client_max_body_size __MAX_FILE_SIZE__M; - # This is important! Make it OK with your Lutim configuration - client_max_body_size __MAX_FILE_SIZE__M; + if ($request_uri ~* ^/(img|css|font|js)/) { + more_set_headers "Cache-Control: public, max-age=315360000"; + } - if ($request_uri ~* ^/(img|css|font|js)/) { - more_set_headers "Cache-Control: public, max-age=315360000"; - } + proxy_pass http://127.0.0.1:__PORT____PATH__; - proxy_pass http://127.0.0.1:__PORT____PATH__; + # Really important! Lufi uses WebSocket, it won't work without this + proxy_set_header Upgrade $http_upgrade ; + proxy_set_header Connection "upgrade" ; - # Really important! 
Lufi uses WebSocket, it won't work without this - proxy_set_header Upgrade $http_upgrade ; - proxy_set_header Connection "upgrade" ; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Remote-Port $remote_port; + proxy_set_header X-Forwarded-Proto $scheme; - proxy_http_version 1.1; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Remote-Port $remote_port; - proxy_set_header X-Forwarded-Proto $scheme; + # We expect the downsteam servers to redirect to the right hostname, so don't do any rewrite$ + proxy_redirect off; - # We expect the downsteam servers to redirect to the right hostname, so don't do any rewrite$ - proxy_redirect off; - - # Include SSOWAT user panel. - include conf.d/yunohost_panel.conf.inc; + # Include SSOWAT user panel. + include conf.d/yunohost_panel.conf.inc; } diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md new file mode 100644 index 0000000..4d9f867 --- /dev/null +++ b/doc/DESCRIPTION.md @@ -0,0 +1,6 @@ +It stores files and allows you to download them. + +Is that all? No. All the files are encrypted **by the browser**! It means that your files **never** leave your computer unencrypted. +The administrator of the Lufi instance you use will not be able to see what is in your file, neither will your network administrator, or your ISP. + +The encryption key part of the URL is a anchor (Cf. [Fragment Identifier](https://en.wikipedia.org/wiki/Fragment_identifier)), that means this part is only processed client-side and does not reach the server. :-) diff --git a/manifest.json b/manifest.json index 938f162..feaa6a1 100644 --- a/manifest.json +++ b/manifest.json 
@@ -1,58 +1,58 @@ { - "name": "Lufi", - "id": "lufi", - "packaging_format": 1, - "description": { - "en": "Self hosting files and sharing anonymous application", - "fr": "Application d'hébergement et de partage de fichiers anonyme" - }, - "version": "0.05.16~ynh1", - "url": "https://git.framasoft.org/luc/lufi", - "upstream": { + "name": "Lufi", + "id": "lufi", + "packaging_format": 1, + "description": { + "en": "Self hosting files and sharing anonymous application", + "fr": "Application d'hébergement et de partage de fichiers anonyme" + }, + "version": "0.05.16~ynh1", + "url": "https://git.framasoft.org/luc/lufi", + "upstream": { "license": "AGPL-3.0-or-later", "demo": "https://demo.lufi.io/", "admindoc": "https://framagit.org/luc/lufi/wikis/home", "code": "https://framagit.org/fiat-tux/hat-softwares/lufi" }, - "license": "AGPL-3.0-or-later", - "maintainer": { - "name": "frju365, cyp", - "email": "win10@tutanota.com, cyp@rouquin.me" - }, - "requirements": { - "yunohost": ">= 4.2.3" - }, - "multi_instance": true, - "services": [ - "nginx" - ], - "arguments": { - "install": [ - { - "name": "domain", - "type": "domain" - }, - { - "name": "path", - "type": "path", - "example": "/lufi", - "default": "/lufi" - }, - { - "name": "max_file_size", - "type": "string", - "ask": { - "en": "Choose a max file size, in Mo (0 = no limit)", - "fr": "Choisissez une taille de fichier maximum chemin, en Mo (0 = pas de limite)" - }, - "example": "100", - "default": "100" - }, - { - "name": "is_public", - "type": "boolean", - "default": true - } - ] - } + "license": "AGPL-3.0-or-later", + "maintainer": { + "name": "frju365, cyp", + "email": "win10@tutanota.com, cyp@rouquin.me" + }, + "requirements": { + "yunohost": ">= 4.3.0" + }, + "multi_instance": true, + "services": [ + "nginx" + ], + "arguments": { + "install": [ + { + "name": "domain", + "type": "domain" + }, + { + "name": "path", + "type": "path", + "example": "/lufi", + "default": "/lufi" + }, + { + "name": "is_public", + "type": 
"boolean", + "default": true + }, + { + "name": "max_file_size", + "type": "string", + "ask": { + "en": "Choose a max file size, in Mo (0 = no limit)", + "fr": "Choisissez une taille de fichier maximum chemin, en Mo (0 = pas de limite)" + }, + "example": "100", + "default": "100" + } + ] + } } diff --git a/scripts/backup b/scripts/backup index 111d116..dbd2762 100644 --- a/scripts/backup +++ b/scripts/backup @@ -6,7 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= -#Keep this path for calling _common.sh inside the execution's context of backup and restore scripts +# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers @@ -63,7 +63,7 @@ ynh_backup --src_path="/etc/logrotate.d/$app" ynh_backup --src_path="/etc/systemd/system/$app.service" #================================================= -# BACKUP A CRON FILE +# BACKUP VARIOUS FILES #================================================= ynh_backup --src_path="/etc/cron.d/$app" diff --git a/scripts/change_url b/scripts/change_url index 17b4b74..3e6e7ff 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -39,7 +39,7 @@ secret=$(ynh_app_setting_get --app=$app --key=secret) max_file_size=$(ynh_app_setting_get --app=$app --key=max_file_size) #================================================= -# BACKUP BEFORE UPGRADE THEN ACTIVE TRAP +# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP #================================================= ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." 
@@ -49,7 +49,7 @@ ynh_clean_setup () { # Remove the new domain config file, the remove script won't do it as it doesn't know yet its location. ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" - # restore it if the upgrade fails + # Restore it if the upgrade fails ynh_restore_upgradebackup } # Exit if an error occurs during the execution of the script @@ -96,7 +96,7 @@ then domain="$old_domain" path_url="$new_path" # Create a dedicated NGINX config - ynh_add_nginx_config max_file_size + ynh_add_nginx_config fi # Change the domain for NGINX diff --git a/scripts/install b/scripts/install index c186fdf..8937cfd 100644 --- a/scripts/install +++ b/scripts/install @@ -25,8 +25,8 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH -max_file_size=$YNH_APP_ARG_MAX_FILE_SIZE is_public=$YNH_APP_ARG_IS_PUBLIC +max_file_size=$YNH_APP_ARG_MAX_FILE_SIZE secret=$(ynh_string_random --length=24) app=$YNH_APP_INSTANCE_NAME @@ -116,7 +116,7 @@ chown -R $app:www-data "$final_path" ynh_script_progression --message="Configuring NGINX web server..." # Create a dedicated NGINX config -ynh_add_nginx_config max_file_size +ynh_add_nginx_config #================================================= # SPECIFIC SETUP diff --git a/scripts/remove b/scripts/remove index 0cca7d3..61cf84f 100644 --- a/scripts/remove +++ b/scripts/remove @@ -31,7 +31,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) # Remove the service from the list of services known by YunoHost (added from `yunohost service add`) if ynh_exec_warn_less yunohost service status $app >/dev/null then - ynh_script_progression --message="Removing $app service..." + ynh_script_progression --message="Removing $app service integration..." yunohost service remove $app fi 
@@ -43,6 +43,14 @@ ynh_script_progression --message="Stopping and removing the systemd service..." # Remove the dedicated systemd config ynh_remove_systemd_config +#================================================= +# REMOVE LOGROTATE CONFIGURATION +#================================================= +ynh_script_progression --message="Removing logrotate configuration..." + +# Remove the app-specific logrotate config +ynh_remove_logrotate + #================================================= # REMOVE THE POSTGRESQL DATABASE #================================================= @@ -51,14 +59,6 @@ ynh_script_progression --message="Removing the PostgreSQL database..." # Remove a database if it exists, along with the associated user ynh_psql_remove_db --db_user="$db_user" --db_name="$db_name" -#================================================= -# REMOVE DEPENDENCIES -#================================================= -ynh_script_progression --message="Removing dependencies..." - -# Remove metapackage and its dependencies -ynh_remove_app_dependencies - #================================================= # REMOVE APP MAIN DIR #================================================= 
@@ -76,28 +76,24 @@ ynh_script_progression --message="Removing NGINX web server configuration..." ynh_remove_nginx_config #================================================= -# REMOVE LOGROTATE CONFIGURATION +# REMOVE DEPENDENCIES #================================================= -ynh_script_progression --message="Removing logrotate configuration..." +ynh_script_progression --message="Removing dependencies..." -# Remove the app-specific logrotate config -ynh_remove_logrotate +# Remove metapackage and its dependencies +ynh_remove_app_dependencies #================================================= # SPECIFIC REMOVE #================================================= -# REMOVE THE CRON FILE +# REMOVE VARIOUS FILES #================================================= -ynh_script_progression --message="Removing the cron file..." +ynh_script_progression --message="Removing various files..." # Remove a cron file ynh_secure_remove --file="/etc/cron.d/$app" -#================================================= -# REMOVE LOG -#================================================= -ynh_script_progression --message="Removing the log file..." - +# Remove the log files ynh_secure_remove --file="/var/log/$app" #================================================= diff --git a/scripts/restore b/scripts/restore index c9bb718..17d0466 100644 --- a/scripts/restore +++ b/scripts/restore @@ -6,7 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= -#Keep this path for calling _common.sh inside the execution's context of backup and restore scripts +# Keep this path for calling _common.sh inside the execution's context of backup and restore scripts source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers 
@@ -89,6 +89,13 @@ ynh_psql_test_if_first_run ynh_psql_setup_db --db_user=$db_user --db_name=$db_name --db_pwd=$db_pwd ynh_psql_execute_file_as_root --file="./db.sql" --database="$db_name" +#================================================= +# RESTORE VARIOUS FILES +#================================================= +ynh_script_progression --message="Restoring various files..." + +ynh_restore_file --origin_path="/etc/cron.d/$app" + #================================================= # RESTORE SYSTEMD #================================================= @@ -97,6 +104,13 @@ ynh_script_progression --message="Restoring the systemd configuration..." ynh_restore_file --origin_path="/etc/systemd/system/$app.service" systemctl enable $app.service --quiet +#================================================= +# RESTORE THE LOGROTATE CONFIGURATION +#================================================= +ynh_script_progression --message="Restoring the logrotate configuration..." + +ynh_restore_file --origin_path="/etc/logrotate.d/$app" + #================================================= # INTEGRATE SERVICE IN YUNOHOST #================================================= 
@@ -111,20 +125,6 @@ ynh_script_progression --message="Starting a systemd service..." ynh_systemd_action --service_name=$app --action="start" --log_path="$final_path/log/production.log" --line_match="Creating process id file" -#================================================= -# RESTORE THE CRON FILE -#================================================= -ynh_script_progression --message="Restoring the cron file..." - -ynh_restore_file --origin_path="/etc/cron.d/$app" - -#================================================= -# RESTORE THE LOGROTATE CONFIGURATION -#================================================= -ynh_script_progression --message="Restoring the logrotate configuration..." - -ynh_restore_file --origin_path="/etc/logrotate.d/$app" - #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 0e94262..5b6c18a 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -30,6 +30,7 @@ max_file_size=$(ynh_app_setting_get --app=$app --key=max_file_size) #================================================= # CHECK VERSION #================================================= +ynh_script_progression --message="Checking version..." upgrade_type=$(ynh_check_app_version_changed) 
@@ -42,12 +43,21 @@ ynh_script_progression --message="Backing up the app before upgrading (may take ynh_backup_before_upgrade ynh_clean_setup () { ynh_clean_check_starting - # restore it if the upgrade fails + # Restore it if the upgrade fails ynh_restore_upgradebackup } # Exit if an error occurs during the execution of the script ynh_abort_if_errors +#================================================= +# STANDARD UPGRADE STEPS +#================================================= +# STOP SYSTEMD SERVICE +#================================================= +ynh_script_progression --message="Stopping a systemd service..." + +ynh_systemd_action --service_name=$app --action=stop --log_path="$final_path/log/production.log" + #================================================= # ENSURE DOWNWARD COMPATIBILITY #================================================= @@ -70,22 +80,6 @@ if [ -z "$max_file_size" ]; then ynh_app_setting_set --app=$app --key=max_file_size --value=$max_file_size fi -# Cleaning legacy permissions -if ynh_legacy_permissions_exists; then - ynh_legacy_permissions_delete_all - - ynh_app_setting_delete --app=$app --key=is_public -fi - -#================================================= -# STANDARD UPGRADE STEPS -#================================================= -# STOP SYSTEMD SERVICE -#================================================= -ynh_script_progression --message="Stopping a systemd service..." - -ynh_systemd_action --service_name=$app --action=stop --log_path="$final_path/log/production.log" - #================================================= # CREATE DEDICATED USER #================================================= 
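Review bot: With the `# Cleaning legacy permissions` block removed in the `@@ -70,22 +80,6 @@` hunk and the `SETUP SSOWAT` block removed further down in the same file, nothing in scripts/upgrade clears the `protected_regex` setting that earlier versions of this script wrote for private installs. Whether SSOwat still honours that key depends on the YunoHost version, which these hunks do not show, so the effective access rules after an upgrade may not match what the permission system reports. Unless core is known to migrate these keys, I would keep a guarded cleanup in the downward-compatibility section: `if ynh_legacy_permissions_exists; then ynh_legacy_permissions_delete_all; fi`. That section continues outside the hunk, so it may already cover this in lines not shown here.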
@@ -115,8 +109,8 @@ chown -R $app:www-data "$final_path" #================================================= ynh_script_progression --message="Upgrading NGINX web server configuration..." -# Create a dedicated nginx config -ynh_add_nginx_config max_file_size +# Create a dedicated NGINX config +ynh_add_nginx_config #================================================= # UPGRADE DEPENDENCIES @@ -125,6 +119,8 @@ ynh_script_progression --message="Upgrading dependencies..." ynh_exec_warn_less ynh_install_app_dependencies $pkg_dependencies +#================================================= +# SPECIFIC UPGRADE #================================================= # SETUP LUFI #================================================= @@ -175,12 +171,15 @@ ynh_add_config --template="../conf/cron_lufi" --destination="/etc/cron.d/$app" chmod +x $final_path/script/lufi #================================================= -# ADVERTISE SERVICE IN ADMIN PANEL +# SETUP SYSTEMD #================================================= -ynh_script_progression --message="Storing the config file checksum..." +ynh_script_progression --message="Upgrading systemd configuration..." -yunohost service add $app --description="Lufi service" --log="$final_path/log/production.log" +# Create a dedicated systemd config +ynh_add_systemd_config +#================================================= +# GENERIC FINALIZATION #================================================= # SETUP LOGROTATE #================================================= 
@@ -190,30 +189,11 @@ ynh_script_progression --message="Upgrading logrotate configuration..." ynh_use_logrotate --non-append #================================================= -# SETUP SYSTEMD +# INTEGRATE SERVICE IN YUNOHOST #================================================= -ynh_script_progression --message="Upgrading systemd configuration..." +ynh_script_progression --message="Integrating service in YunoHost..." -# Create a dedicated systemd config -ynh_add_systemd_config - -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Upgrading permissions..." - -ynh_permission_update --permission="main" --add="visitors" - -if [ $is_public -eq 0 ] -then - if [ "$path_url" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - path_url="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/stats$","$domain_regex$path_url/manifest.webapp$","$domain_regex$path_url/$","$domain_regex$path_url/d/.*$","$domain_regex$path_url/m/.*$" -fi +yunohost service add $app --description="Lufi service" --log="$final_path/log/production.log" #================================================= # START SYSTEMD SERVICE From 6283a6418564fcfff1a857e57ae19f10b1301ff0 Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Thu, 27 Jan 2022 01:40:30 +0000 Subject: [PATCH 6/8] Auto-update README --- README.md | 8 +++++++- README_fr.md | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bb83230..bba031d 100644 --- a/README.md +++ b/README.md 
@@ -15,7 +15,13 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in ## Overview -Self hosting files and sharing anonymous application +It stores files and allows you to download them. + +Is that all? No. All the files are encrypted **by the browser**! It means that your files **never** leave your computer unencrypted. +The administrator of the Lufi instance you use will not be able to see what is in your file, neither will your network administrator, or your ISP. + +The encryption key part of the URL is a anchor (Cf. [Fragment Identifier](https://en.wikipedia.org/wiki/Fragment_identifier)), that means this part is only processed client-side and does not reach the server. :-) + **Shipped version:** 0.05.16~ynh1 diff --git a/README_fr.md b/README_fr.md index 236fe6f..4eed290 100644 --- a/README_fr.md +++ b/README_fr.md @@ -11,7 +11,13 @@ Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour ## Vue d'ensemble -Application d'hébergement et de partage de fichiers anonyme +It stores files and allows you to download them. + +Is that all? No. All the files are encrypted **by the browser**! It means that your files **never** leave your computer unencrypted. +The administrator of the Lufi instance you use will not be able to see what is in your file, neither will your network administrator, or your ISP. + +The encryption key part of the URL is a anchor (Cf. [Fragment Identifier](https://en.wikipedia.org/wiki/Fragment_identifier)), that means this part is only processed client-side and does not reach the server. :-) + **Version incluse :** 0.05.16~ynh1 From af0cc3851411d51dbb1b3181b2f070d95a3c3752 Mon Sep 17 00:00:00 2001 From: yalh76 Date: Sun, 30 Jan 2022 15:11:42 +0100 Subject: [PATCH 7/8] reorder --- check_process | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/check_process b/check_process index 3839f0d..78fc26a 100644 --- a/check_process +++ b/check_process 
@@ -3,9 +3,9 @@ ; Manifest domain="domain.tld" path="/path" + is_public=1 max_file_size=100 use_ldap=0 - is_public=1 ; Checks pkg_linter=1 setup_sub_dir=1 From 3f41fa2f5f2b17ad1881bc068f053d9aa8283e09 Mon Sep 17 00:00:00 2001 From: Yunohost-Bot <> Date: Wed, 2 Feb 2022 00:44:41 +0000 Subject: [PATCH 8/8] Auto-update README --- README.md | 2 +- README_fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index bba031d..042169b 100644 --- a/README.md +++ b/README.md @@ -23,7 +23,7 @@ The administrator of the Lufi instance you use will not be able to see what is i The encryption key part of the URL is a anchor (Cf. [Fragment Identifier](https://en.wikipedia.org/wiki/Fragment_identifier)), that means this part is only processed client-side and does not reach the server. :-) -**Shipped version:** 0.05.16~ynh1 +**Shipped version:** 0.05.16~ynh2 **Demo:** https://demo.lufi.io/ diff --git a/README_fr.md b/README_fr.md index 4eed290..9f2d864 100644 --- a/README_fr.md +++ b/README_fr.md @@ -19,7 +19,7 @@ The administrator of the Lufi instance you use will not be able to see what is i The encryption key part of the URL is a anchor (Cf. [Fragment Identifier](https://en.wikipedia.org/wiki/Fragment_identifier)), that means this part is only processed client-side and does not reach the server. :-) -**Version incluse :** 0.05.16~ynh1 +**Version incluse :** 0.05.16~ynh2 **Démo :** https://demo.lufi.io/