From 650d69514d9fe8a87bb3f58b05307ebb9b8ccd1a Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Wed, 15 May 2019 18:35:57 +0200
Subject: [PATCH] is_public was a lie. Only reverse proxy can be private.
---
 manifest.json | 22 +++++--------------
 scripts/install | 15 ++++---------
 scripts/restore | 7 +-----
 scripts/upgrade | 57 +++++++++++++++++++++++++++++++++----------------
 4 files changed, 49 insertions(+), 52 deletions(-)
diff --git a/manifest.json b/manifest.json
index 986b43c..8f99f0c 100644
--- a/manifest.json
+++ b/manifest.json
@@ -51,19 +51,6 @@
 "example": "http://127.0.0.1:8080/app/",
 "default": "http://127.0.0.1"
 },
- {
- "name": "is_public",
- "type": "boolean",
- "ask": {
- "en": "Is it a public redirect?",
- "fr": "Est-ce une redirection publique ?"
- },
- "help": {
- "en": "A private redirection will only be effective for logged-in users.",
- "fr": "Une redirection privée ne fonctionnera que pour les utilisateurs identifiés."
- },
- "default": false
- },
 {
 "name": "redirect_type",
 "ask": {
@@ -71,11 +58,12 @@
 "fr": "Type de redirection"
 },
 "choices": {
- "visible_302" : "Visible (302, temporary redirect)",
- "visible_301" : "Visible (301, permanent redirect)",
- "proxy": "Proxy, invisible (Nginx proxy_pass)"
+ "public_302" : "Visible redirect (302, temporary). Everybody will be able to access it.",
+ "public_301" : "Visible redirect (301, permanent). Everybody will be able to access it.",
+ "public_proxy": "Proxy, invisible (nginx proxy_pass). Everybody will be able to access it.",
+ "private_proxy": "Proxy, invisible (nginx proxy_pass). Only accessible for allowed users."
 },
- "default": "visible_302"
+ "default": "public_302"
 }
 ]
 }
diff --git a/scripts/install b/scripts/install
index ebf4b77..c108ea5 100644
--- a/scripts/install
+++ b/scripts/install
@@ -35,7 +35,6 @@ app=$YNH_APP_INSTANCE_NAME # Retrieve arguments domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH -is_public=$YNH_APP_ARG_IS_PUBLIC redirect_type=$YNH_APP_ARG_REDIRECT_TYPE redirect_path=$YNH_APP_ARG_REDIRECT_PATH @@ -47,7 +46,6 @@ url_regex='(https?|ftp|file)://[-A-Za-z0-9\+&@#/%?=~_|!:,.;]*[-A-Za-z0-9\+&@#/%= [[ ! $redirect_path =~ $url_regex ]] && ynh_die "Invalid destination: $redirect_path" 1 # Save extra settings -ynh_app_setting_set $app is_public "$is_public" ynh_app_setting_set $app redirect_type "$redirect_type" ynh_app_setting_set $app redirect_path "$redirect_path" @@ -56,15 +54,15 @@ for FILE in $(ls ../conf/nginx-*.conf) do ynh_replace_string "YNH_LOCATION" "$path_url" $FILE done -if [ "$redirect_type" = "visible_302" ]; +if [ "$redirect_type" = "public_302" ]; then ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-visible-302.conf cp ../conf/nginx-visible-302.conf /etc/nginx/conf.d/$domain.d/$app.conf -elif [ "$redirect_type" = "visible_301" ]; +elif [ "$redirect_type" = "public_301" ]; then ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-visible-301.conf cp ../conf/nginx-visible-301.conf /etc/nginx/conf.d/$domain.d/$app.conf -elif [ "$redirect_type" = "proxy" ]; +elif [ "$redirect_type" = "public_proxy" ] || [ "$redirect_type" = "private_proxy" ]; then ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-proxy.conf cp ../conf/nginx-proxy.conf /etc/nginx/conf.d/$domain.d/$app.conf @@ -74,17 +72,12 @@ fi # SETUP SSOWAT #================================================= -if [ $is_public -eq 0 ] -then # Remove the public access - ynh_app_setting_delete "$app" skipped_uris -fi # Make app public if necessary -if [ $is_public -eq 1 ] +if [ "$redirect_type" != "private_proxy" ] then # unprotected_uris allows SSO credentials to be passed anyway. ynh_app_setting_set "$app" unprotected_uris "/" fi - # Reload Nginx and regenerate SSOwat conf service nginx reload 
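Review bot: The SSOwat block in the last hunk of scripts/install makes the app public for every `redirect_type` other than `private_proxy`, so an empty, misspelled or legacy value (`proxy`, `visible_302`) fails open while matching none of the nginx branches shown above it. The script never compares `$YNH_APP_ARG_REDIRECT_TYPE` with the four manifest choices; a guard next to the existing URL check would close that, e.g. `[[ "$redirect_type" =~ ^(public_302|public_301|public_proxy|private_proxy)$ ]] || ynh_die "Invalid redirect type: $redirect_type" 1`. Whether the nginx `if`/`elif` chain ends in an `else` cannot be seen, since it closes outside the hunk. The same `!= "private_proxy"` test is repeated in scripts/restore and scripts/upgrade.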
diff --git a/scripts/restore b/scripts/restore index 58d11c4..a5fbbe3 100644 --- a/scripts/restore +++ b/scripts/restore @@ -40,7 +40,6 @@ app=$YNH_APP_INSTANCE_NAME # Retrieve arguments domain=$(ynh_app_setting_get "$app" domain) path_url=$(ynh_app_setting_get "$app" path) -is_public=$(ynh_app_setting_get "$app" is_public) redirect_type=$(ynh_app_setting_get "$app" redirect_type) redirect_path=$(ynh_app_setting_get "$app" redirect_path) @@ -59,12 +58,8 @@ cp -a ./conf/nginx.conf "$NGINX_CONF" # SETUP SSOWAT #================================================= -if [ "$is_public" -eq 0 ] -then # Remove the public access - ynh_app_setting_delete "$app" skipped_uris -fi # Make app public if necessary -if [ "$is_public" -eq 1 ] +if [ "$redirect_type" != "private_proxy" ] then # unprotected_uris allows SSO credentials to be passed anyway. ynh_app_setting_set "$app" unprotected_uris "/" diff --git a/scripts/upgrade b/scripts/upgrade index a9c3915..d8753ab 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -32,7 +32,6 @@ app=$YNH_APP_INSTANCE_NAME # Retrieve arguments domain=$(ynh_app_setting_get "$app" domain) path_url=$(ynh_app_setting_get "$app" path) -is_public=$(ynh_app_setting_get "$app" is_public) redirect_type=$(ynh_app_setting_get "$app" redirect_type) redirect_path=$(ynh_app_setting_get "$app" redirect_path) @@ -41,14 +40,6 @@ redirect_path=$(ynh_app_setting_get "$app" redirect_path) #================================================= # Fix is_public as a boolean value -if [ "$is_public" = "Yes" ]; then - ynh_app_setting_set $app is_public 1 - is_public=1 -elif [ "$is_public" = "No" ]; then - ynh_app_setting_set $app is_public 0 - is_public=0 -fi - # Default value for redirect_type if upgrading from https://github.com/scith/redirect_ynh if [ -z "$redirect_type" ]; then 
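Review bot: A backup taken before this change still carries `redirect_type=proxy` together with `is_public=0`, and the SSOwat block of scripts/restore no longer reads `is_public`, so the `!= "private_proxy"` test writes `unprotected_uris "/"` and a formerly private proxy is restored as public. The name migration added to scripts/upgrade is not applied on this path. Restore should port that mapping before the SSOwat block, or at least fail closed on the unmigrated name with `[ "$redirect_type" = "proxy" ] && redirect_type="private_proxy"` ahead of the test. The rest of the restore script is outside the hunk, so a later fix-up cannot be ruled out.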
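Review bot: The comment `# Fix is_public as a boolean value` is kept as context in the first scripts/upgrade hunk although the code it described is deleted, so it now sits directly above the unrelated `# Default value for redirect_type` block. Remove it, or move it onto the Yes/No normalisation inside the new migration block.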
@@ -56,6 +47,40 @@ then
 ynh_app_setting_set $app 'redirect_type' $redirect_type
 fi
+# Migrate away from old stuff with 'is_public' and old redirect type names
+is_public=$(ynh_app_setting_get "$app" is_public)
+if [ -n "$is_public" ]
+then
+ if [ "$is_public" = "Yes" ]; then
+ is_public=1
+ elif [ "$is_public" = "No" ]; then
+ is_public=0
+ fi
+
+ if [ "$is_public" = "0" ] && [ "$redirect_type" != "proxy" ]; then
+ echo "WARNING: You previously had a 'supposedly' private 301 or 302 redirection ... but it was found that it was public all along and it is not easy to create such a private redirection. Your 301 or 302 redirection will be re-flagged as public..." >&2
+ is_public=1
+ fi
+
+ if [ "$redirect_type" == "proxy" ] && [ "$is_public" = "1" ]
+ then
+ redirect_type="public_proxy"
+ elif [ "$redirect_type" == "proxy" ] && [ "$is_public" = "0" ]
+ then
+ redirect_type="private_proxy"
+ elif [ "$redirect_type" == "visible_302" ]
+ then
+ redirect_type="public_302"
+ elif [ "$redirect_type" == "visible_301" ]
+ then
+ redirect_type="public_301"
+ fi
+
+ ynh_app_setting_set $app 'redirect_type' $redirect_type
+ ynh_app_setting_set $app 'is_public'
+fi
+
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
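Review bot: A legacy `proxy` entry whose `is_public` is anything other than `0`, `1`, `Yes` or `No` matches none of the four branches, so `redirect_type` stays `proxy`, a value that the `!= "private_proxy"` test later in the file treats as public. Making the second branch the catch-all, `elif [ "$redirect_type" == "proxy" ]`, maps every non-`1` case to `private_proxy` and fails closed. The same gap exists when `is_public` is empty, because the whole block is then skipped. The final `ynh_app_setting_set $app 'is_public'` passes no value; if the intent is to drop the key, `ynh_app_setting_delete "$app" is_public` states it explicitly, and `$redirect_type` on the line before it should be quoted.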
@@ -78,15 +103,15 @@ for FILE in $(ls ../conf/nginx-*.conf) do ynh_replace_string "YNH_LOCATION" "$path_url" $FILE done -if [ "$redirect_type" = "visible_302" ]; +if [ "$redirect_type" = "public_302" ]; then ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-visible-302.conf cp ../conf/nginx-visible-302.conf /etc/nginx/conf.d/$domain.d/$app.conf -elif [ "$redirect_type" = "visible_301" ]; +elif [ "$redirect_type" = "public_301" ]; then ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-visible-301.conf cp ../conf/nginx-visible-301.conf /etc/nginx/conf.d/$domain.d/$app.conf -elif [ "$redirect_type" = "proxy" ]; +elif [ "$redirect_type" = "public_proxy" ] || [ "$redirect_type" = "private_proxy" ]; then ynh_replace_string "YNH_REDIRECT_PATH" "$redirect_path" ../conf/nginx-proxy.conf cp ../conf/nginx-proxy.conf /etc/nginx/conf.d/$domain.d/$app.conf @@ -96,15 +121,11 @@ fi # SETUP SSOWAT #================================================= -if [ "$is_public" -eq 0 ] -then # Remove the public access - ynh_app_setting_delete "$app" skipped_uris -fi # Make app public if necessary -if [ "$is_public" -eq 1 ] +if [ "$redirect_type" != "private_proxy" ] then # unprotected_uris allows SSO credentials to be passed anyway. - ynh_app_setting_set "$app" unprotected_uris -v "/" + ynh_app_setting_set "$app" unprotected_uris "/" fi # Reload Nginx and regenerate SSOwat conf
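Review bot: For `private_proxy` the SSOwat block in the last hunk now does nothing, so privacy depends on no `unprotected_uris` or `skipped_uris` entry being left over from an earlier state of the app; the removed branch at least deleted `skipped_uris`. An explicit `else` running `ynh_app_setting_delete "$app" unprotected_uris` and `ynh_app_setting_delete "$app" skipped_uris` would make the private case self-enforcing instead of relying on absence. This matters most for instances the migration has just re-labelled, if any earlier version or manual change wrote one of those settings. The statements that follow the block are outside the hunk.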