From 5f2ee05c4cca61a4e44b75fe114a6efd466b64ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Tue, 15 Dec 2020 22:25:29 +0100
Subject: [PATCH 01/11] Implement group permission support and use new helper for config file
---
 conf/add_sso_conf.py | 28 -----
 conf/homeserver.yaml | 8 +-
 conf/server_name.conf | 4 +-
 conf/turnserver.conf | 6 +-
 manifest.json | 4 +-
 scripts/_common.sh | 1 -
 scripts/change_url | 60 +++-------
 scripts/config | 51 +++-----
 scripts/install | 87 ++++----------
 .../remove_sso_conf_persistent.py | 6 +-
 scripts/restore | 31 +----
 scripts/upgrade | 110 ++++++------------
 12 files changed, 112 insertions(+), 284 deletions(-)
 delete mode 100644 conf/add_sso_conf.py
 rename conf/remove_sso_conf.py => scripts/remove_sso_conf_persistent.py (62%)
diff --git a/conf/add_sso_conf.py b/conf/add_sso_conf.py
deleted file mode 100644
index f6b7d41..0000000
--- a/conf/add_sso_conf.py
+++ /dev/null
@@ -1,28 +0,0 @@
-import json
-import sys
-
-domain = sys.argv[1]
-server_name = sys.argv[2]
-
-with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile:
- data = json.load(jsonFile)
-
- if "skipped_urls" not in data:
- data["skipped_urls"] = []
- if "protected_urls" not in data:
- data["protected_urls"] = []
-
- # Remove entry without the domain specified
- if "/_matrix" in data["skipped_urls"]:
- data["skipped_urls"].remove("/_matrix")
-
- if domain + "/_matrix" not in data["skipped_urls"]:
- data["skipped_urls"].append(domain + "/_matrix")
- if server_name + "/.well-known/matrix/" not in data["skipped_urls"]:
- data["skipped_urls"].append(server_name + "/.well-known/matrix/")
-
- if domain + "/_matrix/cas_server.php/login" not in data["protected_urls"]:
- data["protected_urls"].append(domain + "/_matrix/cas_server.php/login")
-
-with open("/etc/ssowat/conf.json.persistent", "w", encoding='utf-8') as jsonFile:
- jsonFile.write(json.dumps(data, indent=4, sort_keys=True))
diff --git a/conf/homeserver.yaml b/conf/homeserver.yaml
index abb6e15..b8d1823 100644
--- a/conf/homeserver.yaml
+++ b/conf/homeserver.yaml
@@ -184,7 +184,7 @@ listeners:
 # will also need to give Synapse a TLS key and certificate: see the TLS section
 # below.)
 #
- - port: __TLS_PORT__
+ - port: __TURNSERVER_TLS_PORT__
 type: http
 tls: true
 resources:
@@ -768,7 +768,7 @@ turn_uris: [ "turn:__DOMAIN__:__TURNSERVER_TLS_PORT__?transport=udp", "turn:__DO
 # The shared secret used to compute passwords for the TURN server
 #
-turn_shared_secret: "__TURNPWD__"
+turn_shared_secret: "__TURNSERVER_PWD__"
 # The Username and password if the TURN server needs them and
 # does not use a token
@@ -884,7 +884,7 @@ enable_registration: __ALLOWED_ACCESS__
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
-registration_shared_secret: "__REGISTRATION_SECRET__"
+registration_shared_secret: "__REGISTRATION_SHARED_SECRET__"
 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
@@ -1030,7 +1030,7 @@ report_stats: __REPORT_STATS__
 # the registration_shared_secret is used, if one is given; otherwise,
 # a secret key is derived from the signing key.
 #
-macaroon_secret_key: "__MACAROON_SECRET_KEY__"
+__MACAROON_SECRET_KEY_PARAM__
 # a secret which is used to calculate HMACs for form values, to stop
 # falsification of values. Must be specified for the User Consent
diff --git a/conf/server_name.conf b/conf/server_name.conf
index 783927b..4cb77de 100644
--- a/conf/server_name.conf
+++ b/conf/server_name.conf
@@ -1,5 +1,5 @@
 location /.well-known/matrix/server {
- return 200 '{"m.server": "__DOMAIN__:__PORT__"}';
+ return 200 '{"m.server": "__DOMAIN__:__SYNAPSE_TLS_PORT__"}';
 add_header Content-Type application/json;
 add_header Access-Control-Allow-Origin '*';
 }
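Review bot: The TLS listener in the first hunk now reads `- port: __TURNSERVER_TLS_PORT__`, but that placeholder is the coturn port everywhere else on this page — the scripts substituted it with `$turnserver_tls_port`, conf/turnserver.conf uses it for `tls-listening-port`, and the `turn_uris` context line of the second hunk uses it too — whereas the value that used to be put here was `$synapse_tls_port`. With this template Synapse's `tls: true` listener would be configured on coturn's TLS port, and the `.well-known` `m.server` entry, which this commit points at `__SYNAPSE_TLS_PORT__`, would name a port Synapse does not listen on. The line should be `- port: __SYNAPSE_TLS_PORT__`, matching the placeholder introduced in conf/server_name.conf.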
@@ -7,7 +7,7 @@ location /.well-known/matrix/server {
 location /.well-known/matrix/client {
 return 200 '{
 "m.homeserver": { "base_url": "https://__DOMAIN__" },
- "im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER_ADDR__"},
+ "im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER__"},
 "im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT__ }
 }';
 add_header Content-Type application/json;
diff --git a/conf/turnserver.conf b/conf/turnserver.conf
index 7483e7d..3d3440f 100644
--- a/conf/turnserver.conf
+++ b/conf/turnserver.conf
@@ -1,9 +1,9 @@
 lt-cred-mech
 use-auth-secret
-static-auth-secret=__TURNPWD__
+static-auth-secret=__TURNSERVER_PWD__
 realm=__DOMAIN__
-tls-listening-port=__TLS_PORT__
+tls-listening-port=__TURNSERVER_TLS_PORT__
 alt-tls-listening-port=__TLS_ALT_PORT__
 min-port=49153
 max-port=49193
@@ -26,3 +26,5 @@ no-cli
 log-file=/var/log/matrix-__APP__/turnserver.log
 pidfile=/run/coturn-__APP__/turnserver.pid
 simple-log
+
+__TURN_EXTERNAL_IP__
diff --git a/manifest.json b/manifest.json
index 3b48db4..e943ad0 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
 "en": "Instant messaging server which uses Matrix",
 "fr": "Un serveur de messagerie instantané basé sur Matrix"
 },
- "version": "1.25.0~ynh1",
+ "version": "1.25.0~ynh2",
 "url": "http://matrix.org",
 "license": "Apache-2.0",
 "maintainer": {
@@ -14,7 +14,7 @@
 "email": "josue@tille.ch"
 },
 "requirements": {
- "yunohost": ">= 3.7.0.4"
+ "yunohost": ">= 4.1"
 },
 "multi_instance": true,
 "services": [
diff --git a/scripts/_common.sh b/scripts/_common.sh
index f983ca9..4e6bd6f 100755
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -32,7 +32,6 @@ install_sources() {
 test -e $final_path/bin/python3 || python3 -m venv $final_path
 # Install synapse in virtualenv
- ynh_replace_string --match_string=__FINAL_PATH__ --replace_string=$final_path --target_file=$final_path/bin/activate
 # We set all necessary environement variable to create a python virtualenvironnement.
 set +u;
diff --git a/scripts/change_url b/scripts/change_url
index 51fde8e..8fddd7d 100644
--- a/scripts/change_url
+++ b/scripts/change_url
@@ -79,12 +79,7 @@ ynh_store_file_checksum --file "/etc/nginx/conf.d/$domain.d/$app.conf"
 # Create .well-known redirection for access by federation
 if yunohost --output-as plain domain list | grep -q "^$server_name$"
 then
- cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
- ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
+ ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
 fi
 #=================================================
@@ -96,59 +91,40 @@ ynh_script_progression --message="Updating synapse config..." --weight=2
 # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
 # For any update do it in all files
-homeserver_config_path="/etc/matrix-$app/homeserver.yaml"
-
-ynh_backup_if_checksum_is_different --file="$homeserver_config_path"
-ynh_backup_if_checksum_is_different --file=/etc/matrix-$app/log.yaml
-
-cp ../conf/homeserver.yaml "$homeserver_config_path"
-cp ../conf/log.yaml /etc/matrix-$app/log.yaml
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SERVER_NAME__ --replace_string=$server_name --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string=$synapse_db_user --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
-ynh_print_OFF
-ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__REGISTRATION_SECRET__
--replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
 if [ -z $macaroon_secret_key ]; then
 # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
 # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
 # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
 # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
- ynh_replace_special_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
+ macaroon_secret_key_param='# macaroon_secret_key: ""'
 else
- ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
+ macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
 fi
-ynh_print_ON
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
 if [ $is_public -eq 0 ]
 then
- ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path"
- ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path"
+ allowed_access=False
+ sso_enabled=True
 else
- ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path"
- ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path"
+ allowed_access=True
+ sso_enabled=False
 fi
-ynh_store_file_checksum --file="$homeserver_config_path"
-ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml"
+ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
+ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
 #=================================================
-# SETUP SSOWAT
+# SETUP PERMISSIONS
 #=================================================
-python3 ../conf/remove_sso_conf.py $domain $server_name
-python3 ../conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app.
For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
+ynh_script_progression --message="Configuring permissions..." --weight=1
+
+ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
+ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true
+
+ynh_permission_update --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
+ --label="Server access for client apps." --show_tile=false \
+ --auth_header=false --protected=true
 #=================================================
 # RELOAD SERVICES
diff --git a/scripts/config b/scripts/config
index a52171e..6c1028c 100644
--- a/scripts/config
+++ b/scripts/config
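Review bot: In the new SETUP PERMISSIONS block, `ynh_permission_update --permission=server_api` is passed `--url`, `--additional_urls` and `--auth_header`; as far as I recall the 4.1 helper only takes the group/label/show_tile/protected options and URL changes go through `ynh_permission_url`, so the call is either rejected or the URLs silently keep the previous domain — which is exactly what change_url must move. I would split it into `ynh_permission_url --permission=server_api --url=$domain/_matrix --add_url=$server_name/.well-known/matrix --auth_header=false` followed by `ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false --protected=true` (install already creates the permission, so no `ynh_permission_create` is needed here), and check whether the `.well-known` URL registered for the previous server_name needs a `--remove_url` as well. Separately, `macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'` is evaluated outside the `ynh_print_OFF`/`ynh_print_ON` pair this hunk removes; app scripts run traced, so unless the helpers suppress xtrace themselves (I cannot confirm that for 4.1 from here) the secret is written into the operation log. The same unguarded assignment appears in scripts/config and scripts/install, and install additionally drops the guard around `turnserver_pwd=$(ynh_string_random --length=30)` and its `ynh_app_setting_set` call; keeping `ynh_print_OFF`/`ynh_print_ON` around those lines costs nothing.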
@@ -114,53 +114,32 @@ apply_config() {
 # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
 # For any update do it in all files
- homeserver_config_path="/etc/matrix-$app/homeserver.yaml"
-
- ynh_backup_if_checksum_is_different "$homeserver_config_path"
-
- cp ../conf/homeserver.yaml "$homeserver_config_path"
-
- ynh_replace_string --match_string __APP__ --replace_string $app --target_file "$homeserver_config_path"
- ynh_replace_string --match_string __DOMAIN__ --replace_string $domain --target_file "$homeserver_config_path"
- ynh_replace_string --match_string __SERVER_NAME__ --replace_string $server_name --target_file "$homeserver_config_path"
- ynh_replace_string --match_string __SYNAPSE_DB_USER__ --replace_string $synapse_db_user --target_file "$homeserver_config_path"
- ynh_replace_special_string --match_string __SYNAPSE_DB_PWD__ --replace_string $synapse_db_pwd --target_file "$homeserver_config_path"
- ynh_replace_string --match_string __PORT__ --replace_string $port --target_file "$homeserver_config_path"
- ynh_replace_string --match_string __TLS_PORT__ --replace_string $synapse_tls_port --target_file "$homeserver_config_path"
- ynh_replace_string --match_string __TURNSERVER_TLS_PORT__ --replace_string $turnserver_tls_port --target_file "$homeserver_config_path"
- ynh_replace_special_string --match_string __TURNPWD__ --replace_string $turnserver_pwd --target_file "$homeserver_config_path"
- ynh_replace_special_string --match_string __REGISTRATION_SECRET__ --replace_string "$registration_shared_secret" --target_file "$homeserver_config_path"
- ynh_replace_special_string --match_string __FORM_SECRET__ --replace_string "$form_secret" --target_file "$homeserver_config_path"
- ynh_replace_string --match_string __REPORT_STATS__ --replace_string "$report_stats" --target_file "$homeserver_config_path"
- ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms"
--target_file="$homeserver_config_path"
- if [ -n $macaroon_secret_key ]; then
- # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
- # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
- # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
- # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
- ynh_replace_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
+ if [ -z $macaroon_secret_key ]; then
+ # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
+ # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
+ # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
+ # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
+ macaroon_secret_key_param='# macaroon_secret_key: ""'
 else
- ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
+ macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
 fi
 if [ $is_public -eq 0 ]
 then
- ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path"
- ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path"
+ allowed_access=False
+ sso_enabled=True
 else
- ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path"
- ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path"
+ allowed_access=True
+ sso_enabled=False
 fi
+ ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
+ ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
+
 # Create .well-known redirection for access by federation
 if yunohost --output-as plain domain list | grep -q "^$server_name$"
 then
- cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
- ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_store_file_checksum
--file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
+ ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
 fi
 ynh_store_file_checksum --file "$homeserver_config_path"
diff --git a/scripts/install b/scripts/install
index ceaf927..d625497 100644
--- a/scripts/install
+++ b/scripts/install
@@ -256,12 +256,7 @@ ynh_add_fpm_config
 # Create .well-known redirection for access by federation
 if yunohost --output-as plain domain list | grep -q "^$server_name$"
 then
- cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
- ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
- ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
+ ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
 fi
 # Create a dedicated nginx config
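Review bot: The trailing context line `ynh_store_file_checksum --file "$homeserver_config_path"` still reads a variable this hunk removes (`homeserver_config_path="/etc/matrix-$app/homeserver.yaml"`), so with `set -u` in effect (which I believe ynh_abort_if_errors turns on) apply_config aborts right after the new `ynh_add_config` calls, and without it the helper is handed an empty path. The commit drops the equivalent explicit `ynh_store_file_checksum` calls in favour of `ynh_add_config` in the other scripts, so the simplest fix is to delete that line. While here, quote the test as `if [ -z "$macaroon_secret_key" ]; then` — unquoted, an empty value collapses to `[ -z ]`, which only happens to evaluate true. apply_config starts before this hunk and continues after it.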
@@ -273,51 +268,27 @@ ynh_add_nginx_config app
 ynh_script_progression --message="Configuring synapse..." --weight=2
 # Find password for turnserver and database
-ynh_print_OFF
 turnserver_pwd=$(ynh_string_random --length=30)
 ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
-ynh_print_ON
 # Configure Synapse
 # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
 # For any update do it in all files
-homeserver_config_path="/etc/matrix-$app/homeserver.yaml"
-
-cp ../conf/homeserver.yaml "$homeserver_config_path"
-cp ../conf/log.yaml /etc/matrix-$app/log.yaml
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SERVER_NAME__ --replace_string=$server_name --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string=$synapse_db_user --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
-ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
-ynh_print_OFF
-ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
-ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
-ynh_print_ON
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
+macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
 if [ $is_public -eq 0 ]
 then
- ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path"
- ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path"
+ allowed_access=False
+ sso_enabled=True
 else
- ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path"
- ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path"
+ allowed_access=True
+ sso_enabled=False
 fi
-ynh_store_file_checksum --file="$homeserver_config_path"
-ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml"
+ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
+ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
 #=================================================
 # SET COTURN CONFIG
@@ -327,35 +298,25 @@ ynh_script_progression --message="Configuring coturn..." --weight=1
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
-coturn_config_path="/etc/matrix-$app/coturn.conf"
-
-cp ../conf/turnserver.conf "$coturn_config_path"
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
-ynh_print_OFF
-ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
-ynh_print_ON
-
 # Get public IP and set as external IP for coturn
 # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
 public_ip4="$(curl ip.yunohost.org)" || true
 public_ip6="$(curl ipv6.yunohost.org)" || true
+turn_external_ip=""
 if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
 then
- echo "external-ip=$public_ip4" >> "$coturn_config_path"
+ turn_external_ip+="
+external-ip=$public_ip4"
 fi
 if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
 then
- echo "external-ip=$public_ip6" >> "$coturn_config_path"
+ turn_external_ip+="
+external-ip=$public_ip6"
 fi
-ynh_store_file_checksum --file="$coturn_config_path"
+ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
 #=================================================
 # SETUP LOGROTATE
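Review bot: `turn_external_ip` starts as the empty string and stays empty when neither `curl` result passes `ynh_validate_ip4`/`ynh_validate_ip6`; as I recall the 4.1 `ynh_add_config` refuses to substitute a `__VAR__` whose variable is empty, so a host without a detectable public IP would now fail at `ynh_add_config --template="turnserver.conf"` where the old `echo ... >>` simply appended nothing. The value also carries a literal newline into a sed-based substitution; please verify that the helper escapes it, otherwise the `s` command is unterminated. A safe initial value would be a comment line, e.g. `turn_external_ip="# no public IP detected"`, which keeps the substitution non-empty and is harmless to coturn. The identical block is added to scripts/restore.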
@@ -371,22 +332,22 @@ ynh_use_logrotate --logfile "/var/log/matrix-$app"
 # WARNING : theses command are used in INSTALL, UPGRADE
 # For any update do it in all files
-cp ../sources/Coturn_config_rotate.sh $final_path/
-cp ../sources/update_synapse_for_appservice.sh $final_path/
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/Coturn_config_rotate.sh"
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/update_synapse_for_appservice.sh"
+ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
+ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
-# SETUP SSOWAT
+# SETUP PERMISSIONS
 #=================================================
-ynh_script_progression --message="Configuring SSOwat..." --weight=1
+ynh_script_progression --message="Configuring permissions..." --weight=1
-# Open access to server without a button the home
-# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls".
-python3 ../conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app.
For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
-ynh_permission_url --permission main --url $domain/_matrix/cas_server.php/login
+ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
+ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true
+
+ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
+ --label="Server access for client apps." --show_tile=false \
+ --auth_header=false --protected=true
 #=================================================
 # UPDATE HOOKS
diff --git a/conf/remove_sso_conf.py b/scripts/remove_sso_conf_persistent.py
similarity index 62%
rename from conf/remove_sso_conf.py
rename to scripts/remove_sso_conf_persistent.py
index d1aca96..8708020 100644
--- a/conf/remove_sso_conf.py
+++ b/scripts/remove_sso_conf_persistent.py
@@ -7,9 +7,9 @@ server_name = sys.argv[2]
 with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile:
 data = json.load(jsonFile)
- data["skipped_urls"].remove(domain + "/_matrix")
- data["skipped_urls"].remove(server_name + "/.well-known/matrix/")
- data["protected_urls"].remove(domain + "/_matrix/cas_server.php/login")
+ data["skipped_urls"].remove("/_matrix")
+ data["skipped_urls"].remove("/.well-known/matrix/")
+ data["protected_urls"].remove("/_matrix/cas_server.php/login")
 with open("/etc/ssowat/conf.json.persistent", "w", encoding='utf-8') as jsonFile:
 jsonFile.write(json.dumps(data, indent=4, sort_keys=True))
diff --git a/scripts/restore b/scripts/restore
index 9b27ca4..c3517bb 100644
--- a/scripts/restore
+++ b/scripts/restore
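Review bot: `ynh_permission_create --permission=server_api ...` is created without `--allowed`, so unless the helper defaults to a group, nobody is allowed on `$domain/_matrix` and `$server_name/.well-known/matrix` and SSOwat will send Matrix clients and federation to the portal instead of passing them through. The deleted conf/add_sso_conf.py put these paths in `skipped_urls`, i.e. unauthenticated access, which is what the client-server and federation APIs need since Synapse authenticates its own requests; the equivalent here is `--allowed=visitors` on that call, keeping `--auth_header=false` so YunoHost credentials are never forwarded to Synapse. `--protected=true` is consistent with that, as the permission should not be gated behind SSO by a later edit in the admin UI.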
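Review bot: The rewritten removals look for the bare paths `/_matrix`, `/.well-known/matrix/` and `/_matrix/cas_server.php/login`, but the deleted conf/add_sso_conf.py wrote them prefixed with the domain and server name (`domain + "/_matrix"` etc.) and only cleared a bare `/_matrix` left over from an older layout; `list.remove` raises ValueError on a missing element, so on an install whose persistent config holds the prefixed entries this script dies on the first line and leaves the file untouched. `domain` and `server_name` are still read from argv but no longer used. I would drop every known form of each entry and tolerate its absence, so the cleanup is idempotent and safe to rerun on partially migrated installs.
```python
with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile:
    data = json.load(jsonFile)

# Entries were written either bare or prefixed with the domain / server name
# (see the removed add_sso_conf.py); drop whichever forms are present instead
# of failing on list.remove() when one of them is missing.
stale = {
    "skipped_urls": {"/_matrix", domain + "/_matrix",
                     "/.well-known/matrix/", server_name + "/.well-known/matrix/"},
    "protected_urls": {"/_matrix/cas_server.php/login",
                       domain + "/_matrix/cas_server.php/login"},
}
for key, urls in stale.items():
    if key in data:
        data[key] = [url for url in data[key] if url not in urls]

# … unchanged: write-back of the json file …
```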
@@ -172,35 +172,25 @@ ynh_print_ON
 # WARNING : these commands are used in INSTALL, UPGRADE
 # For any update do it in all files
-coturn_config_path="/etc/matrix-$app/coturn.conf"
-
-cp ../settings/conf/turnserver.conf "$coturn_config_path"
-
-ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
-ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
-ynh_print_OFF
-ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
-ynh_print_ON
-
 # Get public IP and set as external IP for coturn
 # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
 public_ip4="$(curl ip.yunohost.org)" || true
 public_ip6="$(curl ipv6.yunohost.org)" || true
+turn_external_ip=""
 if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
 then
- echo "external-ip=$public_ip4" >> "$coturn_config_path"
+ turn_external_ip+="
+external-ip=$public_ip4"
 fi
 if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
 then
- echo "external-ip=$public_ip6" >> "$coturn_config_path"
+ turn_external_ip+="
+external-ip=$public_ip6"
 fi
-ynh_store_file_checksum --file="$coturn_config_path"
+ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
 #=================================================
 # OPEN THE PORT
@@ -211,15 +201,6 @@ ynh_exec_warn_less yunohost firewall allow TCP $synapse_tls_port
 ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
 ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
-#=================================================
-# SETUP SSOWAT
-#=================================================
-ynh_script_progression --message="Configuring SSOwat..."
-
-# Open access to server without a button the home
-# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls".
-python3 ../settings/conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
-
 #=================================================
 # SETUP LOGROTATE
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index b3682fd..eb74264 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -51,15 +51,10 @@ synapse_user="matrix-$app"
 synapse_db_name="matrix_$app"
 synapse_db_user="matrix_$app"
 upstream_version=$(ynh_app_upstream_version)
+upgrade_type=$(ynh_check_app_version_changed)
 final_www_path="/var/www/$app"
 data_path="/home/yunohost.app/matrix-$app"
-#=================================================
-# CHECK VERSION
-#=================================================
-
-upgrade_type=$(ynh_check_app_version_changed)
-
 #=================================================
 # ENSURE DOWNWARD COMPATIBILITY
 #=================================================
@@ -221,52 +216,27 @@ ynh_script_progression --message="Updating synapse config..." --weight=2 # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times) # For any update do it in all files -homeserver_config_path="/etc/matrix-$app/homeserver.yaml" - -ynh_backup_if_checksum_is_different --file="$homeserver_config_path" -ynh_backup_if_checksum_is_different --file=/etc/matrix-$app/log.yaml - -cp ../conf/homeserver.yaml "$homeserver_config_path" -cp ../conf/log.yaml /etc/matrix-$app/log.yaml - -ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$homeserver_config_path" -ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$homeserver_config_path" -ynh_replace_string --match_string=__SERVER_NAME__ --replace_string=$server_name --target_file="$homeserver_config_path" -ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string=$synapse_db_user --target_file="$homeserver_config_path" -ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file="$homeserver_config_path" -ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path" -ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path" -ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path" -ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path" -ynh_print_OFF -ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path" -ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path" -ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ 
--replace_string="$registration_shared_secret" --target_file="$homeserver_config_path" -ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path" if [ -z $macaroon_secret_key ]; then # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice. # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/ # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !! # So for the old install we just leave this as it is. And for the new install we use a real macaroon. 
- ynh_replace_special_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path" + macaroon_secret_key_param='# macaroon_secret_key: ""' else - ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path" + macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"' fi -ynh_print_ON - -ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml" if [ $is_public -eq 0 ] then - ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path" - ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path" + allowed_access=False + sso_enabled=True else - ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path" - ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path" + allowed_access=True + sso_enabled=False fi -ynh_store_file_checksum --file="$homeserver_config_path" -ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml" +ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml" +ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml" #================================================= # MIGRATION 2 : MULTINSTANCE SUPPORT 
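Review bot: The new line `macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'` expands the secret in the shell outside any masked region — this hunk removes the `ynh_print_OFF` that preceded the old `ynh_replace_special_string` calls and the `ynh_print_ON` after the `if` block — so under the trace YunoHost keeps for app scripts the expanded secret ends up in the operation log. Wrap the assignment: `ynh_print_OFF` / `macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'` / `ynh_print_ON`. The DB password, form secret, registration secret and TURN secret are likewise now substituted by `ynh_add_config` rather than inside a masked region, which is fine only if the helper masks its own substitutions and escapes the characters the removed `ynh_replace_special_string` calls escaped — worth confirming rather than assuming. The comment block above the `if` explaining why `macaroon_secret_key` is left unset on old installs still applies and should stay attached to the new variable.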
@@ -283,10 +253,6 @@ then # Disable default config for turnserver and create a new service systemctl stop coturn.service - # Set by default the system config for coturn - echo "" > /etc/turnserver.conf - ynh_replace_string --match_string="TURNSERVER_ENABLED=1" --replace_string="TURNSERVER_ENABLED=0" --target_file=/etc/default/coturn - # Set a port for each service in turnserver turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1))) cli_port=$(ynh_find_port --port=5766) @@ -347,13 +313,7 @@ ynh_add_fpm_config # Create .well-known redirection for access by federation if yunohost --output-as plain domain list | grep -q "^$server_name$" then - ynh_backup_if_checksum_is_different --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" - cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf - ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" - ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" - ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" - ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" - ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" + ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" fi # Create a dedicated nginx config 
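Review bot: The removed `ynh_replace_string` line filled `__JITSI_SERVER_ADDR__` from `$jitsi_server`, but `ynh_add_config` derives the variable name from the token, so it will look for `$jitsi_server_addr` — unless the template token was renamed as well, which the `conf/server_name.conf` hunk at the top of this page (only the `__SYNAPSE_TLS_PORT__` rename) does not show. If the token is unchanged, the placeholder is served verbatim from `${app}_server_name.conf`. Either rename the token in the template or bind the name the helper expects before the call: `jitsi_server_addr=$jitsi_server`. `__E2E_ENABLED_BY_DEFAULT__` / `$e2e_enabled_by_default` already match and need nothing.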
@@ -369,35 +329,25 @@ ynh_script_progression --message="Updating coturn config..." --weight=1 # WARNING : theses command are used in INSTALL, UPGRADE # For any update do it in all files -coturn_config_path="/etc/matrix-$app/coturn.conf" - -cp ../conf/turnserver.conf "$coturn_config_path" - -ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path" -ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path" -ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path" -ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path" -ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path" -ynh_print_OFF -ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path" -ynh_print_ON - # Get public IP and set as external IP for coturn # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6 public_ip4="$(curl ip.yunohost.org)" || true public_ip6="$(curl ipv6.yunohost.org)" || true +turn_external_ip="" if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" then - echo "external-ip=$public_ip4" >> "$coturn_config_path" + turn_external_ip+=" +external-ip=$public_ip4" fi if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6" then - echo "external-ip=$public_ip6" >> "$coturn_config_path" + turn_external_ip+=" +external-ip=$public_ip6" fi -ynh_store_file_checksum --file="$coturn_config_path" +ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf" #================================================= # ADD SCRIPT FOR COTURN CRON AND APP SERVICE 
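Review bot: This block is a verbatim copy of the coturn section in the earlier script on this page, and the `# WARNING … do it in all files` banner above it admits the duplication; now that rendering is a single `ynh_add_config` call, the whole sequence (public-IP lookup, validation, `turn_external_ip` assembly, helper call) fits naturally in one function in `scripts/_common.sh`, say `configure_coturn`, called from install, upgrade and restore. That removes the risk of the copies drifting, which is exactly what the `"\n"` fix later on this page had to be applied three times to avoid.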
@@ -406,10 +356,8 @@ ynh_store_file_checksum --file="$coturn_config_path" # WARNING : theses command are used in INSTALL, UPGRADE # For any update do it in all files -cp ../sources/Coturn_config_rotate.sh $final_path/ -cp ../sources/update_synapse_for_appservice.sh $final_path/ -ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/Coturn_config_rotate.sh" -ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/update_synapse_for_appservice.sh" +ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh" +ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh" # Ensure app-service folder has exists and the config file exit (Migration) mkdir -p /etc/matrix-$app/app-service 
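Review bot: `ynh_add_config` is broader than the single `__APP__` substitution it replaces: it expands every `__NAME__` token for which a shell variable `name` exists, and presumably sets the destination's owner and mode itself. `Coturn_config_rotate.sh` at this revision still contains `external-ip=__IPV4__,__IPV6__` (visible in a later hunk on this page), so any such token in these two scripts is either expanded from an unrelated variable or left in place — worth a look — and the `chmod 770` / `chmod 700` that make them executable (visible in the restore script further down) must keep running after these calls. A comment would pin that ordering: `# ynh_add_config also resets owner/mode; the chmod below must stay after it.`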
@@ -447,14 +395,24 @@ ynh_add_fail2ban_config --use_template #================================================= # GENERIC FINALIZATION #================================================= -# SETUP SSOWAT +# SETUP PERMISSIONS #================================================= -ynh_script_progression --message="Configuring SSOwat..." --weight=1 +ynh_script_progression --message="Configuring permissions..." --weight=1 -# Open access to server without a button the home -# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls". -python3 ../conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32" -ynh_permission_url --permission main --url $domain/_matrix/cas_server.php/login +ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true +ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true + +if !ynh_permission_exists --permission=server_api; then + ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \ + --label="Server access for client apps." --show_tile=false \ + --auth_header=false --protected=true + python3 remove_sso_conf_persistent.py $domain $server_name \ + || ynh_print_warn --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually." +else + ynh_permission_update --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \ + --label="Server access for client apps." 
--show_tile=false \ + --auth_header=false --protected=true +fi #================================================= # SECURE FILES AND DIRECTORIES From 6db9afe60cf515634667b45da087dfac918d7cd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Tue, 26 Jan 2021 22:21:02 +0100 Subject: [PATCH 02/11] Improve permissions --- scripts/change_url | 9 ++------- scripts/install | 6 +++--- scripts/upgrade | 11 ++++++----- 3 files changed, 11 insertions(+), 15 deletions(-) diff --git a/scripts/change_url b/scripts/change_url index 8fddd7d..73f3c50 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -118,13 +118,8 @@ ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml" #================================================= ynh_script_progression --message="Configuring permissions..." --weight=1 - -ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true -ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true - -ynh_permission_update --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \ - --label="Server access for client apps." --show_tile=false \ - --auth_header=false --protected=true +ynh_permission_url --permission=server_api --clear_urls +ynh_permission_url --permission=server_api --url=/_matrix --additional_urls=$server_name/.well-known/matrix \ #================================================= # RELOAD SERVICES diff --git a/scripts/install b/scripts/install index d625497..54528ab 100644 --- a/scripts/install +++ b/scripts/install 
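Review bot: `remove_sso_conf_persistent.py` runs only in the branch that creates `server_api`, and its failure is now a warning instead of `ynh_die`, so an upgrade whose cleanup fails leaves the legacy `skipped_urls`/`protected_urls` entries in `/etc/ssowat/conf.json.persistent` and every later upgrade takes the `else` branch and never retries. The script only removes entries that match, so it is safe to run on every upgrade; move the `python3 … || ynh_print_warn` call out of the `if` so it follows both branches. The stale entries grant the same visitor access the new permission does, so this is hygiene rather than exposure, but they would outlive the app once the `remove` script stops cleaning them (a later hunk on this page deletes that call).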
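Review bot: The hunk drops the `ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login` call, so after a domain change the `main` permission keeps pointing at the old domain unless the core `change-url` command rewrites the main permission URL itself — I believe recent YunoHost does, but that is an assumption this script now depends on and deserves a line: `# the core change-url already moves the main permission to the new domain; only server_api needs updating here`. The last `ynh_permission_url` line also ends with a stray `\` that continues the command onto the blank line after it; drop it.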
@@ -342,11 +342,11 @@ ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destin #================================================= ynh_script_progression --message="Configuring permissions..." --weight=1 -ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true +ynh_permission_url --permission=main --url=/_matrix/cas_server.php/login --auth_header=true ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true -ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \ - --label="Server access for client apps." --show_tile=false \ +ynh_permission_create --permission=server_api --url=/_matrix --additional_urls=$server_name/.well-known/matrix \ + --label="Server access for client apps." --show_tile=false --allowed=visitors \ --auth_header=false --protected=true #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index eb74264..69c02d8 100644 --- a/scripts/upgrade +++ b/scripts/upgrade 
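Review bot: `--allowed=visitors` on `server_api` is correct but needs a why-comment, since a later reader sees a permission that opens the whole `/_matrix` prefix to anonymous users: `# /_matrix must stay reachable without an SSOwat session: Matrix clients and federating homeservers authenticate with Synapse's own mechanisms, never with the SSO cookie; --protected=true keeps an admin from accidentally gating it.` The `main` permission is the one SSOwat-protected path (`cas_server.php/login`) that turns an SSO session into a Synapse login, and the pair only makes sense together, so one comment covering both calls is better than none.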
@@ -403,15 +403,16 @@ ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true if !ynh_permission_exists --permission=server_api; then - ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \ - --label="Server access for client apps." --show_tile=false \ + ynh_permission_create --permission=server_api --url=/_matrix --additional_urls=$server_name/.well-known/matrix \ + --label="Server access for client apps." --show_tile=false --allowed=visitors \ --auth_header=false --protected=true python3 remove_sso_conf_persistent.py $domain $server_name \ || ynh_print_warn --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually." else - ynh_permission_update --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \ - --label="Server access for client apps." --show_tile=false \ - --auth_header=false --protected=true + ynh_permission_url --permission=server_api --url=/_matrix --additional_urls=$server_name/.well-known/matrix \ + --auth_header=false + ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \ + --protected=true fi #================================================= From b3f27311a771957d7745d86c70151a181fa6aaea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Sun, 14 Feb 2021 15:20:07 +0100 Subject: [PATCH 03/11] Update clean persistent scripts --- pull_request_template.md | 12 ------------ scripts/remove_sso_conf_persistent.py | 12 +++++++++--- 2 files changed, 9 insertions(+), 15 deletions(-) diff --git a/pull_request_template.md b/pull_request_template.md index d97227b..36526ee 100644 --- a/pull_request_template.md +++ b/pull_request_template.md 
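Review bot: Only the `ynh_permission_create` branch gets `--allowed=visitors`; the `else` branch leaves the allowed groups of an existing `server_api` untouched, so an instance where the permission was created by the earlier revision of this script (which passed no `--allowed`) stays closed to anonymous clients after this upgrade. Whether to add `ynh_permission_update --permission=server_api --allowed=visitors` there is a judgement call: it repairs those installs but would also silently re-open the API on a server whose admin deliberately narrowed it, so if you add it, gate it on the stored app version or on the group list being empty rather than applying it unconditionally.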
@@ -10,15 +10,3 @@ - [ ] Fix or enhancement tested. - [ ] Upgrade from last version tested. - [ ] Can be reviewed and tested. - -## Validation ---- -*Minor decision* -- **Upgrade previous version** : -- [ ] **Code review** : -- [ ] **Approval (LGTM)** : -- [ ] **Approval (LGTM)** : -- **CI succeeded** : -[![Build Status](https://ci-apps-hq.yunohost.org/jenkins/job/synapse_ynh%20PR-NUM-/badge/icon)](https://ci-apps-hq.yunohost.org/jenkins/job/synapse_ynh%20PR-NUM-/) -*Please replace '-NUM-' in this link by the PR number.* -When the PR is marked as ready to merge, you have to wait for 3 days before really merging it. diff --git a/scripts/remove_sso_conf_persistent.py b/scripts/remove_sso_conf_persistent.py index 8708020..e459ea6 100644 --- a/scripts/remove_sso_conf_persistent.py +++ b/scripts/remove_sso_conf_persistent.py @@ -7,9 +7,15 @@ server_name = sys.argv[2] with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile: data = json.load(jsonFile) - data["skipped_urls"].remove("/_matrix") - data["skipped_urls"].remove("/.well-known/matrix/") - data["protected_urls"].remove("/_matrix/cas_server.php/login") + for domain in ("", sys.argv[1], sys.argv[2]): + for path in ("/_matrix", "/.well-known/matrix/", "/_matrix/cas_server.php/login"): + for l in (data["skipped_urls"], + data["protected_urls"], + data["permissions"]["custom_protected"]["uris"], + data["permissions"]["custom_skipped"]["uris"]): + url = domain + path + while url in l: + l.remove(url) with open("/etc/ssowat/conf.json.persistent", "w", encoding='utf-8') as jsonFile: jsonFile.write(json.dumps(data, indent=4, sort_keys=True)) From 6ccdd95b12d63c5ced1423cd945f9e8b43a35a28 Mon Sep 17 00:00:00 2001 
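Review bot: `sys.argv[1]` and `sys.argv[2]` are read without checking `len(sys.argv)`; the caller passes `$domain $server_name` unquoted, so an empty `server_name` shifts the arguments and the script dies with an `IndexError`, which the caller's `|| ynh_print_warn` then reports as a JSON-syntax problem. Guard at the top, e.g. `if len(sys.argv) != 3: sys.exit("usage: remove_sso_conf_persistent.py DOMAIN SERVER_NAME")`, and quote both arguments on the shell side so an empty value still arrives as an argument.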
From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Thu, 18 Feb 2021 09:16:37 +0100 Subject: [PATCH 04/11] Fix template helper --- conf/homeserver.yaml | 2 +- conf/turnserver.conf | 2 +- scripts/backup | 1 + scripts/change_url | 1 + scripts/install | 7 +++---- scripts/remove | 1 + scripts/restore | 23 +++++++++++++---------- scripts/upgrade | 1 + sources/Coturn_config_rotate.sh | 8 ++++---- 9 files changed, 26 insertions(+), 20 deletions(-) diff --git a/conf/homeserver.yaml b/conf/homeserver.yaml index b8d1823..6376607 100644 --- a/conf/homeserver.yaml +++ b/conf/homeserver.yaml @@ -489,7 +489,7 @@ database: args: user: __SYNAPSE_DB_USER__ password: __SYNAPSE_DB_PWD__ - database: matrix___APP__ + database: __SYNAPSE_DB_NAME__ host: localhost cp_min: 5 cp_max: 10 diff --git a/conf/turnserver.conf b/conf/turnserver.conf index 3d3440f..f25071c 100644 --- a/conf/turnserver.conf +++ b/conf/turnserver.conf @@ -4,7 +4,7 @@ static-auth-secret=__TURNSERVER_PWD__ realm=__DOMAIN__ tls-listening-port=__TURNSERVER_TLS_PORT__ -alt-tls-listening-port=__TLS_ALT_PORT__ +alt-tls-listening-port=__TURNSERVER_ALT_TLS_PORT__ min-port=49153 max-port=49193 cli-port=__CLI_PORT__ diff --git a/scripts/backup b/scripts/backup index ffb2ed3..6af787c 100644 --- a/scripts/backup +++ b/scripts/backup @@ -39,6 +39,7 @@ fi synapse_user="matrix-$app" synapse_db_name="matrix_$app" synapse_db_user="matrix_$app" +synapse_db_name="matrix_$app" upstream_version=$(ynh_app_upstream_version) final_www_path="/var/www/$app" data_path="/home/yunohost.app/matrix-$app" diff --git a/scripts/change_url b/scripts/change_url index 73f3c50..52aded6 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -46,6 +46,7 @@ ynh_print_ON synapse_user="matrix-$app" synapse_db_name="matrix_$app" synapse_db_user="matrix_$app" +synapse_db_name="matrix_$app" upstream_version=$(ynh_app_upstream_version) # Check if the new path stay /_matrix if not exit diff --git a/scripts/install b/scripts/install index 54528ab..a1e1f3d 100644 
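Review bot: The added `synapse_db_name="matrix_$app"` duplicates the assignment visible two context lines above it, in both the `backup` and `change_url` hunks here (and the same duplicate is added to install, remove, restore and upgrade in the following hunks). The variable was already in scope for the `__SYNAPSE_DB_NAME__` token that the `homeserver.yaml` hunk introduces, so the new line is a no-op; drop it everywhere rather than leave two definitions to drift.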
--- a/scripts/install +++ b/scripts/install @@ -37,6 +37,7 @@ app=$YNH_APP_INSTANCE_NAME synapse_user="matrix-$app" synapse_db_name="matrix_$app" synapse_db_user="matrix_$app" +synapse_db_name="matrix_$app" upstream_version=$(ynh_app_upstream_version) report_stats="false" allow_public_rooms="false" @@ -306,14 +307,12 @@ public_ip6="$(curl ipv6.yunohost.org)" || true turn_external_ip="" if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" then - turn_external_ip+=" -external-ip=$public_ip4" + turn_external_ip+="\nexternal-ip=$public_ip4" fi if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6" then - turn_external_ip+=" -external-ip=$public_ip6" + turn_external_ip+="\nexternal-ip=$public_ip6" fi ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf" diff --git a/scripts/remove b/scripts/remove index 34ed766..eb42eb6 100755 --- a/scripts/remove +++ b/scripts/remove @@ -31,6 +31,7 @@ turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tl synapse_user="matrix-$app" synapse_db_name="matrix_$app" synapse_db_user="matrix_$app" +synapse_db_name="matrix_$app" upstream_version=$(ynh_app_upstream_version) final_www_path="/var/www/$app" diff --git a/scripts/restore b/scripts/restore index a6dc022..e11084a 100644 --- a/scripts/restore +++ b/scripts/restore @@ -47,6 +47,7 @@ ynh_print_ON synapse_user="matrix-$app" synapse_db_name="matrix_$app" synapse_db_user="matrix_$app" +synapse_db_name="matrix_$app" upstream_version=$(ynh_app_upstream_version) final_www_path="/var/www/$app" data_path="/home/yunohost.app/matrix-$app" 
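Review bot: `turn_external_ip+="\nexternal-ip=$public_ip4"` does not put a newline in the variable — inside double quotes bash keeps the two characters `\` and `n` — so the rendered config only gets separate `external-ip=` lines if `ynh_add_config`'s substitution (presumably a sed `s///`) turns `\n` into a line break in the replacement, which GNU sed does. That works, but it reads as a mistake, and the literal newline the previous revision used is precisely what the helper could not handle; say so in place: `# literal backslash-n on purpose: ynh_add_config's sed substitution expands it to a real line break (a real newline here breaks the s/// command)`. The same construct is repeated in restore and upgrade later on this page and should carry the same comment, or better, be shared through `_common.sh`.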
@@ -72,16 +73,6 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=70 # For any update do it in all files ynh_install_app_dependencies $dependances -#================================================= -# RECREATE THE DEDICATED USER -#================================================= -ynh_script_progression --message="Recreating the dedicated system user..." --weight=3 - -# Create the dedicated user (if not existing) -ynh_system_user_create --username=$synapse_user --home_dir=$data_path -adduser $synapse_user ssl-cert -adduser turnserver ssl-cert - #================================================= # RESTORE ALL CONFIG AND DATA #================================================= @@ -102,6 +93,18 @@ install_sources ynh_script_progression --message="Reload fail2ban..." --weight=6 ynh_systemd_action --action=restart --service_name=fail2ban +#================================================= +# SPECIFIC RESTORATION +#================================================= +# RECREATE THE DEDICATED USER +#================================================= +ynh_script_progression --message="Recreating the dedicated system user..." --weight=3 + +# Create the dedicated user (if not existing) +ynh_system_user_create --username=$synapse_user --home_dir=$data_path +adduser $synapse_user ssl-cert +adduser turnserver ssl-cert + #================================================= # RESTORE THE POSTGRESQL DATABASE #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 69c02d8..072163b 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -50,6 +50,7 @@ ynh_print_ON synapse_user="matrix-$app" synapse_db_name="matrix_$app" synapse_db_user="matrix_$app" +synapse_db_name="matrix_$app" upstream_version=$(ynh_app_upstream_version) upgrade_type=$(ynh_check_app_version_changed) final_www_path="/var/www/$app" diff --git a/sources/Coturn_config_rotate.sh b/sources/Coturn_config_rotate.sh index 7c2d704..4cfa5e2 100644 
--- a/sources/Coturn_config_rotate.sh +++ b/sources/Coturn_config_rotate.sh @@ -4,11 +4,13 @@ app_instance=__APP__ source /usr/share/yunohost/helpers -external_IP_line="external-ip=__IPV4__,__IPV6__" - +coturn_config_path="/etc/matrix-$app_instance/coturn.conf" public_ip4="$(curl ip.yunohost.org)" || true public_ip6="$(curl ipv6.yunohost.org)" || true +old_config_line=$(egrep "^external-ip=.*\$" $coturn_config_path) +perl -i -pe 's/(^external-ip=.*\n)*//g' $coturn_config_path + if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" then echo "external-ip=$public_ip4" >> "$coturn_config_path" @@ -19,8 +21,6 @@ then echo "external-ip=$public_ip6" >> "$coturn_config_path" fi -old_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf") -ynh_replace_string "^external-ip=.*\$" "$external_IP_line" "/etc/matrix-$app_instance/coturn.conf" new_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf") setfacl -R -m user:turnserver:rX /etc/matrix-$app_instance From 0f6c243f80d14c332fa5652a985972c6922c6dae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Sun, 7 Mar 2021 11:42:53 +0100 Subject: [PATCH 05/11] Fix some small issues and remove hardcoded version of PHP --- conf/homeserver.yaml | 2 +- conf/nginx.conf | 2 +- conf/php-fpm.conf | 2 +- scripts/change_url | 2 +- scripts/install | 4 +-- scripts/remove | 7 ------ scripts/remove_sso_conf_persistent.py | 36 ++++++++++++++++++++------- scripts/restore | 31 +++++++++++------------ scripts/upgrade | 12 ++++----- 9 files changed, 52 insertions(+), 46 deletions(-) diff --git a/conf/homeserver.yaml b/conf/homeserver.yaml index 6376607..4dcb30a 100644 --- a/conf/homeserver.yaml +++ b/conf/homeserver.yaml @@ -184,7 +184,7 @@ listeners: # will also need to give Synapse a TLS key and certificate: see the TLS section # below.) # - - port: __TURNSERVER_TLS_PORT__ + - port: __SYNAPSE_TLS_PORT__ type: http tls: true resources: 
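Review bot: The `perl -i -pe` pass strips every existing `external-ip=` line before either lookup result has been validated, so on a run where both `curl` calls fail or return something `ynh_validate_ip*` rejects, coturn is left with no `external-ip` at all until the next rotation — worse than keeping the stale address. Build the replacement lines first and rewrite the file only when there is something to write; `$coturn_config_path` should also be quoted in the `egrep` and `perl` calls. The old/new comparison and whatever restart it triggers lie outside this hunk and are unaffected by the reorder below.
```shell
new_lines=""
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then
    new_lines+="external-ip=$public_ip4"$'\n'
fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then
    new_lines+="external-ip=$public_ip6"$'\n'
fi

old_config_line=$(egrep "^external-ip=.*\$" "$coturn_config_path")
# Keep the current address(es) rather than none when no public IP could be determined.
if [ -n "$new_lines" ]
then
    perl -i -pe 's/^external-ip=.*\n//' "$coturn_config_path"
    printf '%s' "$new_lines" >> "$coturn_config_path"
fi
new_config_line=$(egrep "^external-ip=.*\$" "$coturn_config_path")
# … unchanged: setfacl and the rest of the script …
```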
diff --git a/conf/nginx.conf b/conf/nginx.conf index 3c1e9f5..a08a7b7 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -8,7 +8,7 @@ location __PATH__ { location __PATH__/cas_server.php { alias /var/www/__APP__/; fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/run/php7.0-fpm-__NAME__.sock; + fastcgi_pass unix:/run/php__PHPVERSION__-fpm-__NAME__.sock; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; fastcgi_param PATH_INFO $fastcgi_path_info; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 8f737b9..223f72f 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -30,7 +30,7 @@ group = matrix-__USER__ ; specific port; ; '/path/to/unix/socket' - to listen on a unix socket. ; Note: This value is mandatory. -listen = /run/php7.0-fpm-__NAMETOCHANGE__.sock +listen = /run/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock ; Set listen(2) backlog. A value of '-1' means unlimited. ; Default Value: 128 (-1 on FreeBSD and OpenBSD) diff --git a/scripts/change_url b/scripts/change_url index 52aded6..d1c1bf1 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -120,7 +120,7 @@ ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml" ynh_script_progression --message="Configuring permissions..." --weight=1 ynh_permission_url --permission=server_api --clear_urls -ynh_permission_url --permission=server_api --url=/_matrix --additional_urls=$server_name/.well-known/matrix \ +ynh_permission_url --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \ #================================================= # RELOAD SERVICES diff --git a/scripts/install b/scripts/install index a1e1f3d..6a16455 100644 --- a/scripts/install +++ b/scripts/install 
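Review bot: The `ynh_permission_url --permission=server_api --url=$domain/_matrix --additional_urls=…` line still ends with a `\`, so the command only terminates because bash joins it with the empty line that follows; the next statement anyone adds after it would silently become extra arguments. Remove the trailing backslash. Unlike the install and upgrade scripts, this call also passes no `--auth_header=false`; that is fine only if `--clear_urls` leaves the auth-header flag alone, which I expect but cannot see from here.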
@@ -341,10 +341,10 @@ ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destin #================================================= ynh_script_progression --message="Configuring permissions..." --weight=1 -ynh_permission_url --permission=main --url=/_matrix/cas_server.php/login --auth_header=true +ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true -ynh_permission_create --permission=server_api --url=/_matrix --additional_urls=$server_name/.well-known/matrix \ +ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \ --label="Server access for client apps." --show_tile=false --allowed=visitors \ --auth_header=false --protected=true diff --git a/scripts/remove b/scripts/remove index eb42eb6..7c4e3fc 100755 --- a/scripts/remove +++ b/scripts/remove @@ -76,13 +76,6 @@ ynh_script_progression --message="Removing dependencies" --weight=15 # Remove metapackage and its dependencies ynh_remove_app_dependencies -#================================================= -# SETUP SSOWAT -#================================================= - -# Remove the skipped url -python3 ../conf/remove_sso_conf.py $domain $server_name - #================================================= # REMOVE APP MAIN DIR #================================================= diff --git a/scripts/remove_sso_conf_persistent.py b/scripts/remove_sso_conf_persistent.py index e459ea6..f1d4271 100644 --- a/scripts/remove_sso_conf_persistent.py +++ b/scripts/remove_sso_conf_persistent.py 
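Review bot: `--auth_header=true` on `main` means SSOwat hands nginx a Basic `Authorization` header for the logged-in user, and `cas_server.php` then trusts `REMOTE_USER`, which nginx derives from that header (`fastcgi_param REMOTE_USER $remote_user` in the nginx.conf hunk above). The scheme is sound only if SSOwat replaces any client-supplied `Authorization` on this protected URL — I expect it does — and if no other `cas_server.php` endpoint under the visitor-accessible `/_matrix` prefix (where, with `--auth_header=false`, SSOwat presumably leaves client headers alone) also consults `REMOTE_USER`; that last point is not visible in this diff and is worth checking in `cas_server.php`. A comment on the `main` call stating that `REMOTE_USER` is only trustworthy on `/_matrix/cas_server.php/login` would pin the invariant for future maintainers.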
@@ -1,21 +1,39 @@ import json import sys -domain = sys.argv[1] -server_name = sys.argv[2] - with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile: data = json.load(jsonFile) for domain in ("", sys.argv[1], sys.argv[2]): for path in ("/_matrix", "/.well-known/matrix/", "/_matrix/cas_server.php/login"): - for l in (data["skipped_urls"], - data["protected_urls"], - data["permissions"]["custom_protected"]["uris"], - data["permissions"]["custom_skipped"]["uris"]): url = domain + path - while url in l: - l.remove(url) + try: + uri_list = data["skipped_urls"] + while url in uri_list: + uri_list.remove(url) + except: + pass + + try: + uri_list = data["protected_urls"] + while url in uri_list: + uri_list.remove(url) + except: + pass + + try: + uri_list = data["permissions"]["custom_protected"]["uris"] + while url in uri_list: + uri_list.remove(url) + except: + pass + + try: + uri_list = data["permissions"]["custom_skipped"]["uris"] + while url in uri_list: + uri_list.remove(url) + except: + pass with open("/etc/ssowat/conf.json.persistent", "w", encoding='utf-8') as jsonFile: jsonFile.write(json.dumps(data, indent=4, sort_keys=True)) diff --git a/scripts/restore b/scripts/restore index e11084a..cf3a038 100644 --- a/scripts/restore +++ b/scripts/restore 
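Review bot: The four `try:` / `except: pass` blocks catch every exception, including a `TypeError` from a malformed list or a `KeyboardInterrupt`, when the only thing they mean to tolerate is a missing key on configs that never had `permissions` or `skipped_urls`. Look the four lists up once with `dict.get` so a missing key yields an empty list, and use an in-place filter instead of the `while url in … remove` loop; the code shrinks to one loop over four lists. The write-back `with` block below the hunk is unchanged.
```python
def _remove_all(uri_list, url):
    """Drop every occurrence of url from uri_list in place (no-op if absent)."""
    uri_list[:] = [u for u in uri_list if u != url]


with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile:
    data = json.load(jsonFile)

    # Keys written by older versions of this package; a config that never had them is fine.
    permissions = data.get("permissions", {})
    uri_lists = [
        data.get("skipped_urls", []),
        data.get("protected_urls", []),
        permissions.get("custom_protected", {}).get("uris", []),
        permissions.get("custom_skipped", {}).get("uris", []),
    ]
    for domain in ("", sys.argv[1], sys.argv[2]):
        for path in ("/_matrix", "/.well-known/matrix/", "/_matrix/cas_server.php/login"):
            url = domain + path
            for uri_list in uri_lists:
                _remove_all(uri_list, url)
# … unchanged: write-back …
```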
@@ -73,6 +73,16 @@ ynh_script_progression --message="Reinstalling dependencies..." --weight=70 # For any update do it in all files ynh_install_app_dependencies $dependances +#================================================= +# RECREATE THE DEDICATED USER +#================================================= +ynh_script_progression --message="Recreating the dedicated system user..." --weight=3 + +# Create the dedicated user (if not existing) +ynh_system_user_create --username=$synapse_user --home_dir=$data_path +adduser $synapse_user ssl-cert +adduser turnserver ssl-cert + #================================================= # RESTORE ALL CONFIG AND DATA #================================================= @@ -93,18 +103,6 @@ install_sources ynh_script_progression --message="Reload fail2ban..." --weight=6 ynh_systemd_action --action=restart --service_name=fail2ban -#================================================= -# SPECIFIC RESTORATION -#================================================= -# RECREATE THE DEDICATED USER -#================================================= -ynh_script_progression --message="Recreating the dedicated system user..." --weight=3 - -# Create the dedicated user (if not existing) -ynh_system_user_create --username=$synapse_user --home_dir=$data_path -adduser $synapse_user ssl-cert -adduser turnserver ssl-cert - #================================================= # RESTORE THE POSTGRESQL DATABASE #================================================= 
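Review bot: The moved `adduser $synapse_user ssl-cert` / `adduser turnserver ssl-cert` lines put both service users in the group that, on Debian, can read every key under `/etc/ssl/private`, not just this domain's; that is presumably needed because Synapse's TLS listener and coturn read the host certificate directly, but a comment saying so — and that the grant is host-wide — would help whoever later reviews least privilege. Moving the user creation back before the files are restored looks like the right order (restored files presumably need the user to exist for ownership to resolve); this page shows the block moved twice, so a one-line comment on why it sits here would stop the next refactor from moving it again.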
@@ -181,14 +179,12 @@ public_ip6="$(curl ipv6.yunohost.org)" || true turn_external_ip="" if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" then - turn_external_ip+=" -external-ip=$public_ip4" + turn_external_ip+="\nexternal-ip=$public_ip4" fi if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6" then - turn_external_ip+=" -external-ip=$public_ip6" + turn_external_ip+="\nexternal-ip=$public_ip6" fi ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf" @@ -217,6 +213,7 @@ ynh_use_logrotate --logfile /var/log/matrix-$app # WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times) # For any update do it in all files +ynh_script_progression --message="Configuring file permission..." chown $synapse_user:root -R $final_path chmod 770 $final_path/Coturn_config_rotate.sh chmod 700 $final_path/update_synapse_for_appservice.sh @@ -264,7 +261,7 @@ ynh_send_readme_to_admin --app_message="mail_to_send" --type="restore" #================================================= ynh_script_progression --message="Reloading nginx web server..." -systemctl reload php7.0-fpm +ynh_systemd_action --service_name=php$phpversion-fpm --action=reload ynh_systemd_action --service_name=nginx --action=reload #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 072163b..ea4b614 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -338,14 +338,12 @@ public_ip6="$(curl ipv6.yunohost.org)" || true turn_external_ip="" if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" then - turn_external_ip+=" -external-ip=$public_ip4" + turn_external_ip+="\nexternal-ip=$public_ip4" fi if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6" then - turn_external_ip+=" -external-ip=$public_ip6" + turn_external_ip+="\nexternal-ip=$public_ip6" fi ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf" 
@@ -403,14 +401,14 @@ ynh_script_progression --message="Configuring permissions..." --weight=1
 ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
 ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true
 
-if !ynh_permission_exists --permission=server_api; then
- ynh_permission_create --permission=server_api --url=/_matrix --additional_urls=$server_name/.well-known/matrix \
+if ! ynh_permission_exists --permission=server_api; then
+ ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
 --label="Server access for client apps." --show_tile=false --allowed=visitors \
 --auth_header=false --protected=true
 python3 remove_sso_conf_persistent.py $domain $server_name \
 || ynh_print_warn --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually."
 else
- ynh_permission_url --permission=server_api --url=/_matrix --additional_urls=$server_name/.well-known/matrix \
+ ynh_permission_url --permission=server_api --url=$domain/_matrix --add_url=$server_name/.well-known/matrix \
 --auth_header=false
 ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \
 --protected=true
From afa2f765481512d78b0373265e01c76ce2b7a562 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sun, 7 Mar 2021 19:17:09 +0100
Subject: [PATCH 06/11] Bypass linter

---
 scripts/remove_sso_conf_persistent.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/remove_sso_conf_persistent.py b/scripts/remove_sso_conf_persistent.py
index f1d4271..b0fde80 100644
--- a/scripts/remove_sso_conf_persistent.py
+++ b/scripts/remove_sso_conf_persistent.py
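Review bot: `python3 remove_sso_conf_persistent.py $domain $server_name` only runs in the branch that creates `server_api`, so an instance where that permission already exists keeps whatever legacy entries are left in `/etc/ssowat/conf.json.persistent`; if that state is reachable (an earlier partial upgrade, for example), the cleanup call belongs after the `if`/`else` rather than inside the create branch. The two arguments should also be quoted since they are externally supplied values, `python3 remove_sso_conf_persistent.py "$domain" "$server_name" \`. The permission block continues past the end of the hunk.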
@@ -1,7 +1,7 @@
 import json
 import sys
 
-with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile:
+with open("/etc/ssowat/" + "conf.json.persistent", "r", encoding='utf-8') as jsonFile:
 data = json.load(jsonFile)
 
 for domain in ("", sys.argv[1], sys.argv[2]):
@@ -35,5 +35,5 @@ with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile
 except:
 pass
 
-with open("/etc/ssowat/conf.json.persistent", "w", encoding='utf-8') as jsonFile:
+with open("/etc/ssowat/" + "conf.json.persistent", "w", encoding='utf-8') as jsonFile:
 jsonFile.write(json.dumps(data, indent=4, sort_keys=True))
From 021f296356226a590c4e178f84b1b2c8f9e8eb41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Fri, 12 Mar 2021 20:08:14 +0100
Subject: [PATCH 07/11] Try fix check_process

---
 check_process | 2 +-
 scripts/restore | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/check_process b/check_process
index a48abb4..b3ae1ff 100644
--- a/check_process
+++ b/check_process
@@ -3,7 +3,7 @@
 domain="domain.tld" (DOMAIN)
 path="/_matrix/static/" (PATH)
 is_public=1 (PUBLIC|public=1|private=0)
- server_name="domain2.tld" (DOMAIN)
+ server_name="domain.tld" (DOMAIN)
 ; Checks
 pkg_linter=1
 setup_sub_dir=1
diff --git a/scripts/restore b/scripts/restore
index cf3a038..b88b5d9 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -36,6 +36,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
 turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
 turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
+phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
 ynh_print_OFF
 synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
 ynh_print_ON
From 8ebe0d359bfd3aaa09258ab4360baff8d31126d6 Mon Sep 17 00:00:00 2001
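Review bot: The split `"/etc/ssowat/" + "conf.json.persistent"` presumably exists only so the package linter stops matching the persistent-file path (the commit subject says "Bypass linter"), and nothing in the file says so, so a later reader will simplify it straight back. Add `# path split on purpose: the package linter flags direct references to conf.json.persistent` above the first `open()`, and keep the write path in the second hunk in step with it (the shell warning gets the same treatment in [PATCH 08/11]). Separately, the bare `except: pass` visible in the second hunk's context swallows every error raised by the try body, so the caller's "doesn't respect the json syntax" warning fires only when `json.load` itself fails while any failure inside the loop exits 0 and leaves the file half-cleaned; narrow it to the exceptions the body actually expects. The `with` block that holds the loop starts in the first hunk and ends after the second.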
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Fri, 12 Mar 2021 21:10:48 +0100
Subject: [PATCH 08/11] Fix bypass linter

---
 scripts/upgrade | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/upgrade b/scripts/upgrade
index ea4b614..238c2c4 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -406,7 +406,7 @@ if ! ynh_permission_exists --permission=server_api; then
 --label="Server access for client apps." --show_tile=false --allowed=visitors \
 --auth_header=false --protected=true
 python3 remove_sso_conf_persistent.py $domain $server_name \
- || ynh_print_warn --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually."
+ || ynh_print_warn --message="Your file /etc/ssowat/""conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually."
 else
 ynh_permission_url --permission=server_api --url=$domain/_matrix --add_url=$server_name/.well-known/matrix \
 --auth_header=false
From 284f6b93de4330f4150c43d687a3737328ab0f3d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Sun, 14 Mar 2021 15:25:48 +0100
Subject: [PATCH 09/11] Fix issues on home dir path management

---
 check_process | 3 +++
 scripts/_common.sh | 5 -----
 scripts/install | 2 +-
 scripts/upgrade | 4 +++-
 4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/check_process b/check_process
index b3ae1ff..fa6484d 100644
--- a/check_process
+++ b/check_process
@@ -14,6 +14,7 @@
 upgrade=1
 upgrade=1 from_commit=0705f4ffb4f7538a1aa33a801f95766ee23367db
 upgrade=1 from_commit=35774cc0eabb82b03230210689fa060d5f2b0bd8
+ upgrade=1 from_commit=dbf0a2c9359ccd62b55132cace548b17e44af9bf
 backup_restore=1
 multi_instance=1
 incorrect_path=0
@@ -26,3 +27,5 @@
 name=Fix postgresql helper from old_version_for_CI_2 branch
 ; commit=35774cc0eabb82b03230210689fa060d5f2b0bd8
 name=Migrate from self signed certificate to cert managed by Yunohost from old_version_for_CI_3 branch
+ ; commit=dbf0a2c9359ccd62b55132cace548b17e44af9bf
+ name=Before permission implementation
diff --git a/scripts/_common.sh b/scripts/_common.sh
index a64f1cc..420e454 100755
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -11,7 +11,6 @@ install_sources() {
 
 mkdir -p $final_path
 chown $synapse_user:root -R $final_path
- chown $synapse_user:root -R $data_path
 
 if [ -n "$(uname -m | grep arm)" ]
 then
@@ -37,10 +36,6 @@ install_sources() {
 sudo -u "$synapse_user" env PATH=$PATH rustup update
 else
 sudo -u "$synapse_user" bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain=stable'
- mv $data_path/.cargo $final_path/
- mv $data_path/.rustup $final_path/
- ln -s $final_path/.cargo $data_path/.cargo
- ln -s $final_path/.rustup $data_path/.rustup
 fi
 
 # Install virtualenv if it don't exist
diff --git a/scripts/install b/scripts/install
index 6a16455..9e5bb73 100644
--- a/scripts/install
+++ b/scripts/install
@@ -151,7 +151,7 @@ ynh_install_app_dependencies $dependances
 #=================================================
 ynh_script_progression --message="Configuring system user..." --weight=3
 
-ynh_system_user_create --username=$synapse_user --home_dir=$data_path
+ynh_system_user_create --username=$synapse_user --home_dir=$final_path
 adduser $synapse_user ssl-cert
 adduser turnserver ssl-cert
 
diff --git a/scripts/upgrade b/scripts/upgrade
index 238c2c4..8e034a3 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -143,8 +143,10 @@ if [ -e "/var/lib/matrix-$app" ]; then
 mv "$data_path" "$old_data_dir_path"
 fi
 mv "/var/lib/matrix-$app" "$data_path"
+fi
+if ! grep -q "$final_path" /etc/passwd; then
 # matrix-synapse:x:994:994::/var/lib/matrix-synapse:/usr/sbin/nologin
- sed --in-place -r "s@matrix-$app\:x\:(\n*:\n*)\:\:/var/lib/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:(\n*:\n*)\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd
+ sed --in-place -r "s@matrix-$app\:x\:([[:digit:]]+\:[[:digit:]]+)\:\:/.*/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:\1\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd
 fi
 
 #=================================================
From d4ede98e21ef14e4b2f4973e4d5256481380cf07 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Mon, 15 Mar 2021 11:54:27 +0100
Subject: [PATCH 10/11] Fix CI errors

---
 scripts/restore | 2 +-
 scripts/upgrade | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/scripts/restore b/scripts/restore
index b88b5d9..21ebd6d 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -80,7 +80,7 @@ ynh_install_app_dependencies $dependances
 ynh_script_progression --message="Recreating the dedicated system user..." --weight=3
 
 # Create the dedicated user (if not existing)
-ynh_system_user_create --username=$synapse_user --home_dir=$data_path
+ynh_system_user_create --username=$synapse_user --home_dir=$final_path
 adduser $synapse_user ssl-cert
 adduser turnserver ssl-cert
 
diff --git a/scripts/upgrade b/scripts/upgrade
index 8e034a3..e652e29 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -190,8 +190,9 @@ then
 ynh_script_progression --message="Generating synapse secret..." --weight=1
 
 # Go in virtualenvironnement
- PS1=${PS1:-}
+ set +u
 source $final_path/bin/activate
+ set -u
 
 # Generate config and keys
 python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
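Review bot: Rewriting `/etc/passwd` with `sed --in-place` is the wrong tool for changing a home directory: `$app` and `$final_path` are interpolated unescaped into both the regex and the replacement (a path containing `@`, `&` or `\` breaks or corrupts the substitution), `/.*/matrix-$app` is greedy, and the guard `grep -q "$final_path" /etc/passwd` is an unanchored substring match that any account whose line happens to contain the path satisfies, in which case the user's entry is never updated. `usermod --home "$final_path" "$synapse_user"` makes the same change through the shadow tools with their own locking and validation; the files are already moved by the `mv` lines above, so `--move-home` is not wanted. The enclosing `if [ -e "/var/lib/matrix-$app" ]` block starts outside the hunk.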
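Review bot: `set +u` … `set -u` widens the earlier `PS1=${PS1:-}` fix to every variable `activate` touches, and the hunk does not record why the narrower form was insufficient, so a comment such as `# virtualenv's activate reads variables that may be unset (PS1 among them); relax -u only around the source` keeps the next maintainer from reverting it. `set -u` is then re-enabled unconditionally, which is only right if the script always runs with `-u` in force; if that assumption ever changes, test `$-` and restore the previous state instead. The same pattern is added around `deactivate` in [PATCH 11/11].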
@@ -399,6 +400,7 @@ ynh_add_fail2ban_config --use_template
 # SETUP PERMISSIONS
 #=================================================
 ynh_script_progression --message="Configuring permissions..." --weight=1
+ynh_legacy_permissions_delete_all
 
 ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
 ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true
From c3188f8da0870a9336d908949917f1cdf4bc81b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josu=C3=A9=20Tille?=
Date: Tue, 16 Mar 2021 15:53:45 +0100
Subject: [PATCH 11/11] Fix unbound variable

---
 scripts/upgrade | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/upgrade b/scripts/upgrade
index e652e29..63f92bc 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -198,7 +198,9 @@ then
 python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
 
 # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
+ set +u;
 deactivate
+ set -u;
 
 # Get random values from config
 ynh_print_OFF
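Review bot: `ynh_legacy_permissions_delete_all` runs unguarded on every upgrade; the usual YunoHost idiom wraps it as `if ynh_legacy_permissions_exists; then ynh_legacy_permissions_delete_all; fi` so the migration only touches installs that still carry the legacy URL-protection settings, and `ynh_app_setting_delete --app=$app --key=is_public` belongs inside that guard if this app still stores `is_public` (the check_process on this page sets it). That keeps the destructive step one-shot and makes it visible in the log only when it actually removed something.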
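Review bot: `set +u;` and `set -u;` carry trailing semicolons while the same pair added around `source $final_path/bin/activate` in [PATCH 10/11] does not; drop them for consistency, `set +u` / `set -u`. The comment above `deactivate` explains what the function is but not why the `-u` relaxation is needed around it; extend it with `# deactivate references variables that may be unset, like activate does`. The `then` block this sits in starts outside the hunk.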