From d1a1e67008d0838257528344d56b285ad7a39f34 Mon Sep 17 00:00:00 2001
From: yalh76 <yalh@yahoo.com>
Date: Sat, 23 Mar 2019 02:58:59 +0100
Subject: [PATCH] fix key for upgrade

---
 conf/.env.production.sample | 21 +++++++++++----------
 scripts/install             | 17 ++++++++++++++---
 scripts/upgrade             | 27 ++++++++++++++++++++++++---
 3 files changed, 49 insertions(+), 16 deletions(-)

diff --git a/conf/.env.production.sample b/conf/.env.production.sample
index 68249e1..6606352 100644
--- a/conf/.env.production.sample
+++ b/conf/.env.production.sample
@@ -36,6 +36,17 @@ LOCAL_DOMAIN=__DOMAIN__
 SECRET_KEY_BASE=__SECRET_KEY_BASE__
 OTP_SECRET=__OTP_SECRET__
 
+# VAPID keys (used for push notifications
+# You can generate the keys using the following command (first is the private key, second is the public one)
+# You should only generate this once per instance. If you later decide to change it, all push subscription will
+# be invalidated, requiring the users to access the website again to resubscribe.
+#
+# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
+#
+# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
+VAPID_PRIVATE_KEY=__VAPID_PRIVATE_KEY__
+VAPID_PUBLIC_KEY=__VAPID_PUBLIC_KEY__
+
 # Registrations
 # Single user mode will disable registrations and redirect frontpage to the first profile
 # SINGLE_USER_MODE=true
@@ -219,13 +230,3 @@ LDAP_UID=uid
 # http_proxy=http://gateway.local:8118
 # Access control for hidden service.
 # ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
-
-
-# VAPID keys (used for push notifications
-# You can generate the keys using the following command (first is the private key, second is the public one)
-# You should only generate this once per instance. If you later decide to change it, all push subscription will
-# be invalidated, requiring the users to access the website again to resubscribe.
-#
-# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
-#
-# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
diff --git a/scripts/install b/scripts/install
index bc2229c..2d43ce7 100644
--- a/scripts/install
+++ b/scripts/install
@@ -181,8 +181,8 @@ ynh_replace_string "__OTP_SECRET__" "$otp_secret" "$final_path/live/.env.product
 ynh_app_setting_set "$app" otp_secret "$otp_secret"
 
 ldap_user="${app}ldap"
-ldap_password=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
-yunohost user create username -f $ldap_user -l $ldap_user -m $app@$domain -p $ldap_password -q 0
+ldap_password=$(head -n32 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c32)
+yunohost user create $ldap_user -f $ldap_user -l $ldap_user -m $app@$domain -p $ldap_password -q 0
 ynh_replace_string "__LDAP_USER__" "$ldap_user"        "${final_path}/live/.env.production"
 ynh_replace_string "__LDAP_PASSWORD__" "$ldap_password"        "${final_path}/live/.env.production"
 ynh_app_setting_set "$app" ldap_user "$ldap_user"
@@ -202,13 +202,24 @@ pushd "$final_path/live"
 	sudo -u "$app" echo "SAFETY_ASSURED=1">> .env.production
 	sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rails db:migrate --quiet
 	sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rails assets:precompile --quiet
-	sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rake mastodon:webpush:generate_vapid_key >> "${final_path}/live/.env.production"
+	sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rake mastodon:webpush:generate_vapid_key > key.txt
 	sudo -u "$app" env PATH=$PATH RAILS_ENV=production bin/tootctl accounts create "$admin" --email="$admin_mail" --confirmed --role=admin > acc.txt
 popd
 
 admin_pass=$( tail -1 $final_path/live/acc.txt | head -1 | cut -c 15- )
 ynh_secure_remove "$final_path/live/acc.txt"
 
+vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K\w+" "$final_path/live/key.txt")
+vapid_public_key=$(grep -oP "VAPID_PUBLIC_KEY=\K\w+" "$final_path/live/key.txt")
+
+ynh_replace_string "__VAPID_PRIVATE_KEY__" "$vapid_private_key"        "${final_path}/live/.env.production"
+ynh_replace_string "__VAPID_PUBLIC_KEY__" "$vapid_public_key"        "${final_path}/live/.env.production"
+
+ynh_app_setting_set "$app" vapid_private_key "$vapid_private_key"
+ynh_app_setting_set "$app" vapid_public_key "$vapid_public_key"
+
+ynh_secure_remove "$final_path/live/key.txt"
+
 #=================================================
 # SETUP CRON JOB FOR REMOVING CACHE
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index fbe9ec7..c906570 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -36,6 +36,8 @@ secret_key_base=$(ynh_app_setting_get "$app" secret_key_base)
 otp_secret=$(ynh_app_setting_get "$app" otp_secret)
 ldap_user=$(ynh_app_setting_get "$app" ldap_user)
 ldap_password=$(ynh_app_setting_get "$app" ldap_password)
+vapid_private_key=$(ynh_app_setting_get "$app" vapid_private_key)
+vapid_public_key=$(ynh_app_setting_get "$app" vapid_public_key)
 
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
@@ -71,19 +73,28 @@ fi
 
 # If paperclip_secret doesn't exist, retrieve it or create it
 if [[ -z "$paperclip_secret" ]]; then
-		paperclip_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+	paperclip_secret=$(grep -oP "PAPERCLIP_SECRET=\K\w+" test)
+	if [[ -z "$paperclip_secret" ]]; then
+	    paperclip_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+	fi
 	ynh_app_setting_set "$app" paperclip_secret "$paperclip_secret"
 fi
 
 # If secret_key_base doesn't exist, retrieve it or create it
 if [[ -z "$secret_key_base" ]]; then
-	secret_key_base=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+	secret_key_base=$(grep -oP "SECRET_KEY_BASE=\K\w+" test)
+	if [[ -z "$secret_key_base" ]]; then
+	    secret_key_base=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+	fi
 	ynh_app_setting_set "$app" secret_key_base "$secret_key_base"
 fi
 
 # If otp_secret doesn't exist, retrieve it or create it
 if [[ -z "$otp_secret" ]]; then
-	otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+	otp_secret=$(grep -oP "OTP_SECRET=\K\w+" test)
+	if [[ -z "$otp_secret" ]]; then
+	    otp_secret=$(head -n128 /dev/urandom | tail -n +1 | tr -dc -d 'a-z0-9' | head -c128)
+	fi
 	ynh_app_setting_set "$app" otp_secret "$otp_secret"
 fi
 
@@ -234,6 +245,16 @@ pushd "$final_path/live"
         sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rails db:migrate
 popd
 
+# If vapid_private_key doesn't exist, retrieve it or create it
+if [[ -z "$vapid_private_key" ]]; then
+	sudo -u "$app" env PATH=$PATH RAILS_ENV=production /opt/rbenv/versions/2.6.0/bin/bundle exec rake mastodon:webpush:generate_vapid_key > key.txt
+	vapid_private_key=$(grep -oP "VAPID_PRIVATE_KEY=\K\w+" "$final_path/live/key.txt")
+	vapid_public_key=$(grep -oP "VAPID_PUBLIC_KEY=\K\w+" "$final_path/live/key.txt")
+	ynh_app_setting_set "$app" vapid_private_key "$vapid_private_key"
+	ynh_app_setting_set "$app" vapid_public_key "$vapid_public_key"
+	ynh_secure_remove "$final_path/live/key.txt"
+fi
+
 # Recalculate and store the checksum of the file for the next upgrade.
 ynh_store_file_checksum "${final_path}/live/.env.production"