
Merge pull request #239 from YunoHost-Apps/permissions

Permissions
This commit is contained in:
Josue-T 2021-03-17 20:05:27 +01:00 committed by GitHub
commit df3f0d6c7a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 169 additions and 334 deletions


@ -3,7 +3,7 @@
domain="domain.tld" (DOMAIN) domain="domain.tld" (DOMAIN)
path="/_matrix/static/" (PATH) path="/_matrix/static/" (PATH)
is_public=1 (PUBLIC|public=1|private=0) is_public=1 (PUBLIC|public=1|private=0)
server_name="domain2.tld" (DOMAIN) server_name="domain.tld" (DOMAIN)
; Checks ; Checks
pkg_linter=1 pkg_linter=1
setup_sub_dir=1 setup_sub_dir=1
@ -14,6 +14,7 @@
upgrade=1 upgrade=1
upgrade=1 from_commit=0705f4ffb4f7538a1aa33a801f95766ee23367db upgrade=1 from_commit=0705f4ffb4f7538a1aa33a801f95766ee23367db
upgrade=1 from_commit=35774cc0eabb82b03230210689fa060d5f2b0bd8 upgrade=1 from_commit=35774cc0eabb82b03230210689fa060d5f2b0bd8
upgrade=1 from_commit=dbf0a2c9359ccd62b55132cace548b17e44af9bf
backup_restore=1 backup_restore=1
multi_instance=1 multi_instance=1
incorrect_path=0 incorrect_path=0
@ -26,3 +27,5 @@
name=Fix postgresql helper from old_version_for_CI_2 branch name=Fix postgresql helper from old_version_for_CI_2 branch
; commit=35774cc0eabb82b03230210689fa060d5f2b0bd8 ; commit=35774cc0eabb82b03230210689fa060d5f2b0bd8
name=Migrate from self signed certificate to cert managed by Yunohost from old_version_for_CI_3 branch name=Migrate from self signed certificate to cert managed by Yunohost from old_version_for_CI_3 branch
; commit=dbf0a2c9359ccd62b55132cace548b17e44af9bf
name=Before permission implementation


@ -1,28 +0,0 @@
import json
import sys
domain = sys.argv[1]
server_name = sys.argv[2]
with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile:
data = json.load(jsonFile)
if "skipped_urls" not in data:
data["skipped_urls"] = []
if "protected_urls" not in data:
data["protected_urls"] = []
# Remove entry without the domain specified
if "/_matrix" in data["skipped_urls"]:
data["skipped_urls"].remove("/_matrix")
if domain + "/_matrix" not in data["skipped_urls"]:
data["skipped_urls"].append(domain + "/_matrix")
if server_name + "/.well-known/matrix/" not in data["skipped_urls"]:
data["skipped_urls"].append(server_name + "/.well-known/matrix/")
if domain + "/_matrix/cas_server.php/login" not in data["protected_urls"]:
data["protected_urls"].append(domain + "/_matrix/cas_server.php/login")
with open("/etc/ssowat/conf.json.persistent", "w", encoding='utf-8') as jsonFile:
jsonFile.write(json.dumps(data, indent=4, sort_keys=True))


@ -184,7 +184,7 @@ listeners:
# will also need to give Synapse a TLS key and certificate: see the TLS section # will also need to give Synapse a TLS key and certificate: see the TLS section
# below.) # below.)
# #
- port: __TLS_PORT__ - port: __SYNAPSE_TLS_PORT__
type: http type: http
tls: true tls: true
resources: resources:
@ -489,7 +489,7 @@ database:
args: args:
user: __SYNAPSE_DB_USER__ user: __SYNAPSE_DB_USER__
password: __SYNAPSE_DB_PWD__ password: __SYNAPSE_DB_PWD__
database: matrix___APP__ database: __SYNAPSE_DB_NAME__
host: localhost host: localhost
cp_min: 5 cp_min: 5
cp_max: 10 cp_max: 10
@ -768,7 +768,7 @@ turn_uris: [ "turn:__DOMAIN__:__TURNSERVER_TLS_PORT__?transport=udp", "turn:__DO
# The shared secret used to compute passwords for the TURN server # The shared secret used to compute passwords for the TURN server
# #
turn_shared_secret: "__TURNPWD__" turn_shared_secret: "__TURNSERVER_PWD__"
# The Username and password if the TURN server needs them and # The Username and password if the TURN server needs them and
# does not use a token # does not use a token
@ -884,7 +884,7 @@ enable_registration: __ALLOWED_ACCESS__
# If set, allows registration of standard or admin accounts by anyone who # If set, allows registration of standard or admin accounts by anyone who
# has the shared secret, even if registration is otherwise disabled. # has the shared secret, even if registration is otherwise disabled.
# #
registration_shared_secret: "__REGISTRATION_SECRET__" registration_shared_secret: "__REGISTRATION_SHARED_SECRET__"
# Set the number of bcrypt rounds used to generate password hash. # Set the number of bcrypt rounds used to generate password hash.
# Larger numbers increase the work factor needed to generate the hash. # Larger numbers increase the work factor needed to generate the hash.
@ -1030,7 +1030,7 @@ report_stats: __REPORT_STATS__
# the registration_shared_secret is used, if one is given; otherwise, # the registration_shared_secret is used, if one is given; otherwise,
# a secret key is derived from the signing key. # a secret key is derived from the signing key.
# #
macaroon_secret_key: "__MACAROON_SECRET_KEY__" __MACAROON_SECRET_KEY_PARAM__
# a secret which is used to calculate HMACs for form values, to stop # a secret which is used to calculate HMACs for form values, to stop
# falsification of values. Must be specified for the User Consent # falsification of values. Must be specified for the User Consent
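Review bot: The `__MACAROON_SECRET_KEY_PARAM__` placeholder that replaces the `macaroon_secret_key: "__MACAROON_SECRET_KEY__"` line is unlike every other placeholder in this template: it is substituted with an entire YAML line assembled by the scripts, not with a value inside existing quotes, so the template no longer shows that the key is a quoted scalar or how it is disabled for installs that predate key management. I would document that on the line above it: `# __MACAROON_SECRET_KEY_PARAM__ is expanded by the scripts to either a commented-out key (older installs with no stored key) or the full macaroon_secret_key: "<key>" line.` Because the scripts build that line by plain string concatenation, the key value is implicitly assumed to contain no `"` or `\`; stating that assumption next to the placeholder would save the next maintainer from discovering it through an unparseable homeserver.yaml.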


@ -8,7 +8,7 @@ location __PATH__ {
location __PATH__/cas_server.php { location __PATH__/cas_server.php {
alias /var/www/__APP__/; alias /var/www/__APP__/;
fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/run/php7.0-fpm-__NAME__.sock; fastcgi_pass unix:/run/php__PHPVERSION__-fpm-__NAME__.sock;
include fastcgi_params; include fastcgi_params;
fastcgi_param REMOTE_USER $remote_user; fastcgi_param REMOTE_USER $remote_user;
fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_INFO $fastcgi_path_info;


@ -30,7 +30,7 @@ group = matrix-__USER__
; specific port; ; specific port;
; '/path/to/unix/socket' - to listen on a unix socket. ; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory. ; Note: This value is mandatory.
listen = /run/php7.0-fpm-__NAMETOCHANGE__.sock listen = /run/php__PHPVERSION__-fpm-__NAMETOCHANGE__.sock
; Set listen(2) backlog. A value of '-1' means unlimited. ; Set listen(2) backlog. A value of '-1' means unlimited.
; Default Value: 128 (-1 on FreeBSD and OpenBSD) ; Default Value: 128 (-1 on FreeBSD and OpenBSD)


@ -1,15 +0,0 @@
import json
import sys
domain = sys.argv[1]
server_name = sys.argv[2]
with open("/etc/ssowat/conf.json.persistent", "r", encoding='utf-8') as jsonFile:
data = json.load(jsonFile)
data["skipped_urls"].remove(domain + "/_matrix")
data["skipped_urls"].remove(server_name + "/.well-known/matrix/")
data["protected_urls"].remove(domain + "/_matrix/cas_server.php/login")
with open("/etc/ssowat/conf.json.persistent", "w", encoding='utf-8') as jsonFile:
jsonFile.write(json.dumps(data, indent=4, sort_keys=True))


@ -1,5 +1,5 @@
location /.well-known/matrix/server { location /.well-known/matrix/server {
return 200 '{"m.server": "__DOMAIN__:__PORT__"}'; return 200 '{"m.server": "__DOMAIN__:__SYNAPSE_TLS_PORT__"}';
add_header Content-Type application/json; add_header Content-Type application/json;
add_header Access-Control-Allow-Origin '*'; add_header Access-Control-Allow-Origin '*';
} }
@ -7,7 +7,7 @@ location /.well-known/matrix/server {
location /.well-known/matrix/client { location /.well-known/matrix/client {
return 200 '{ return 200 '{
"m.homeserver": { "base_url": "https://__DOMAIN__" }, "m.homeserver": { "base_url": "https://__DOMAIN__" },
"im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER_ADDR__"}, "im.vector.riot.jitsi": {"preferredDomain": "__JITSI_SERVER__"},
"im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT__ } "im.vector.riot.e2ee": {"default": __E2E_ENABLED_BY_DEFAULT__ }
}'; }';
add_header Content-Type application/json; add_header Content-Type application/json;


@ -1,10 +1,10 @@
lt-cred-mech lt-cred-mech
use-auth-secret use-auth-secret
static-auth-secret=__TURNPWD__ static-auth-secret=__TURNSERVER_PWD__
realm=__DOMAIN__ realm=__DOMAIN__
tls-listening-port=__TLS_PORT__ tls-listening-port=__TURNSERVER_TLS_PORT__
alt-tls-listening-port=__TLS_ALT_PORT__ alt-tls-listening-port=__TURNSERVER_ALT_TLS_PORT__
min-port=49153 min-port=49153
max-port=49193 max-port=49193
cli-port=__CLI_PORT__ cli-port=__CLI_PORT__
@ -26,3 +26,5 @@ no-cli
log-file=/var/log/matrix-__APP__/turnserver.log log-file=/var/log/matrix-__APP__/turnserver.log
pidfile=/run/coturn-__APP__/turnserver.pid pidfile=/run/coturn-__APP__/turnserver.pid
simple-log simple-log
__TURN_EXTERNAL_IP__
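Review bot: `__TURN_EXTERNAL_IP__` on the new last line stands for zero, one or two `external-ip=` directives, and the install script builds that value as `turn_external_ip+="\nexternal-ip=$public_ip4"`, where `\n` inside a double-quoted bash string is a literal backslash-n rather than a line break; whether it ends up as a newline depends entirely on how `ynh_add_config` performs the substitution, so this should be verified on a host with both a public IPv4 and IPv6 address, since a single line holding `\nexternal-ip=...` twice is unlikely to be read as two directives by coturn. The variable is also initialised to the empty string and stays empty when neither address validates, so the install must be checked on a host without a detectable public IP in case the helper refuses to substitute an empty variable. The `ynh_add_config` call that consumes this template is outside the visible install hunk. A comment on this line, `# replaced by the scripts with one external-ip= line per detected public address (may be empty)`, would make the placeholder's contract explicit.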


@ -6,7 +6,7 @@
"en": "Instant messaging server which uses Matrix", "en": "Instant messaging server which uses Matrix",
"fr": "Un serveur de messagerie instantané basé sur Matrix" "fr": "Un serveur de messagerie instantané basé sur Matrix"
}, },
"version": "1.28.0~ynh1", "version": "1.28.0~ynh2",
"url": "http://matrix.org", "url": "http://matrix.org",
"license": "Apache-2.0", "license": "Apache-2.0",
"maintainer": { "maintainer": {
@ -14,7 +14,7 @@
"email": "josue@tille.ch" "email": "josue@tille.ch"
}, },
"requirements": { "requirements": {
"yunohost": ">= 3.7.0.4" "yunohost": ">= 4.1"
}, },
"multi_instance": true, "multi_instance": true,
"services": [ "services": [


@ -10,15 +10,3 @@
- [ ] Fix or enhancement tested. - [ ] Fix or enhancement tested.
- [ ] Upgrade from last version tested. - [ ] Upgrade from last version tested.
- [ ] Can be reviewed and tested. - [ ] Can be reviewed and tested.
## Validation
---
*Minor decision*
- **Upgrade previous version** :
- [ ] **Code review** :
- [ ] **Approval (LGTM)** :
- [ ] **Approval (LGTM)** :
- **CI succeeded** :
[![Build Status](https://ci-apps-hq.yunohost.org/jenkins/job/synapse_ynh%20PR-NUM-/badge/icon)](https://ci-apps-hq.yunohost.org/jenkins/job/synapse_ynh%20PR-NUM-/)
*Please replace '-NUM-' in this link by the PR number.*
When the PR is marked as ready to merge, you have to wait for 3 days before really merging it.


@ -11,7 +11,6 @@ install_sources() {
mkdir -p $final_path mkdir -p $final_path
chown $synapse_user:root -R $final_path chown $synapse_user:root -R $final_path
chown $synapse_user:root -R $data_path
if [ -n "$(uname -m | grep arm)" ] if [ -n "$(uname -m | grep arm)" ]
then then
@ -37,17 +36,12 @@ install_sources() {
sudo -u "$synapse_user" env PATH=$PATH rustup update sudo -u "$synapse_user" env PATH=$PATH rustup update
else else
sudo -u "$synapse_user" bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain=stable' sudo -u "$synapse_user" bash -c 'curl -sSf -L https://static.rust-lang.org/rustup.sh | sh -s -- -y --default-toolchain=stable'
mv $data_path/.cargo $final_path/
mv $data_path/.rustup $final_path/
ln -s $final_path/.cargo $data_path/.cargo
ln -s $final_path/.rustup $data_path/.rustup
fi fi
# Install virtualenv if it don't exist # Install virtualenv if it don't exist
test -e $final_path/bin/python3 || python3 -m venv $final_path test -e $final_path/bin/python3 || python3 -m venv $final_path
# Install synapse in virtualenv # Install synapse in virtualenv
ynh_replace_string --match_string=__FINAL_PATH__ --replace_string=$final_path --target_file=$final_path/bin/activate
# We set all necessary environement variable to create a python virtualenvironnement. # We set all necessary environement variable to create a python virtualenvironnement.
set +u; set +u;


@ -39,6 +39,7 @@ fi
synapse_user="matrix-$app" synapse_user="matrix-$app"
synapse_db_name="matrix_$app" synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app" synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version) upstream_version=$(ynh_app_upstream_version)
final_www_path="/var/www/$app" final_www_path="/var/www/$app"
data_path="/home/yunohost.app/matrix-$app" data_path="/home/yunohost.app/matrix-$app"
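Review bot: The added `synapse_db_name="matrix_$app"` duplicates the identical assignment two lines above it (`synapse_db_name` is already set right before `synapse_db_user`), so the new line is dead code; the same duplicate is added after `synapse_db_user` in the change_url hunk and in the install hunk. Drop the added line in all three scripts. If the intent was to make the variable available for `ynh_add_config` to fill `__SYNAPSE_DB_NAME__`, the existing assignment already does that.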


@ -46,6 +46,7 @@ ynh_print_ON
synapse_user="matrix-$app" synapse_user="matrix-$app"
synapse_db_name="matrix_$app" synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app" synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version) upstream_version=$(ynh_app_upstream_version)
# Check if the new path stay /_matrix if not exit # Check if the new path stay /_matrix if not exit
@ -79,12 +80,7 @@ ynh_store_file_checksum --file "/etc/nginx/conf.d/$domain.d/$app.conf"
# Create .well-known redirection for access by federation # Create .well-known redirection for access by federation
if yunohost --output-as plain domain list | grep -q "^$server_name$" if yunohost --output-as plain domain list | grep -q "^$server_name$"
then then
cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
fi fi
#================================================= #=================================================
@ -96,59 +92,35 @@ ynh_script_progression --message="Updating synapse config..." --weight=2
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times) # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
# For any update do it in all files # For any update do it in all files
homeserver_config_path="/etc/matrix-$app/homeserver.yaml"
ynh_backup_if_checksum_is_different --file="$homeserver_config_path"
ynh_backup_if_checksum_is_different --file=/etc/matrix-$app/log.yaml
cp ../conf/homeserver.yaml "$homeserver_config_path"
cp ../conf/log.yaml /etc/matrix-$app/log.yaml
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__SERVER_NAME__ --replace_string=$server_name --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string=$synapse_db_user --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
ynh_print_OFF
ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
if [ -z $macaroon_secret_key ]; then if [ -z $macaroon_secret_key ]; then
# Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice. # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
# For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/ # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
# The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !! # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
# So for the old install we just leave this as it is. And for the new install we use a real macaroon. # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
ynh_replace_special_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path" macaroon_secret_key_param='# macaroon_secret_key: ""'
else else
ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path" macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
fi fi
ynh_print_ON
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
if [ $is_public -eq 0 ] if [ $is_public -eq 0 ]
then then
ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path" allowed_access=False
ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path" sso_enabled=True
else else
ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path" allowed_access=True
ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path" sso_enabled=False
fi fi
ynh_store_file_checksum --file="$homeserver_config_path" ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml" ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
#================================================= #=================================================
# SETUP SSOWAT # SETUP PERMISSIONS
#================================================= #=================================================
python3 ../conf/remove_sso_conf.py $domain $server_name ynh_script_progression --message="Configuring permissions..." --weight=1
python3 ../conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32" ynh_permission_url --permission=server_api --clear_urls
ynh_permission_url --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
#================================================= #=================================================
# RELOAD SERVICES # RELOAD SERVICES
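Review bot: The new `macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'` assignment sits outside any `ynh_print_OFF`/`ynh_print_ON` pair, both of which this hunk removes, so if command tracing is active, as the existence of those helpers suggests, the expanded secret is written to the operation log; the config and install scripts add the same assignment with the same exposure. Re-wrap it as `ynh_print_OFF`, the assignment, `ynh_print_ON`, and confirm that `ynh_add_config` itself keeps `__SYNAPSE_DB_PWD__`, `__TURNSERVER_PWD__`, `__REGISTRATION_SHARED_SECRET__` and `__FORM_SECRET__` out of the trace, since the explicit masking that used to surround those substitutions is gone too. The key is also concatenated into a double-quoted YAML scalar without escaping, so a value containing `"` or `\` would yield an invalid homeserver.yaml, which is acceptable only if the stored key is known to be alphanumeric. The trailing `\` after `--additional_urls=$server_name/.well-known/matrix` continues the command onto whatever line follows (blank or outside the hunk) and should be dropped. With `remove_sso_conf.py` deleted, this script no longer removes the `skipped_urls`/`protected_urls` entries earlier versions wrote to `/etc/ssowat/conf.json.persistent`; presumably the upgrade script migrates them, but that is not visible here.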


@ -114,53 +114,32 @@ apply_config() {
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times) # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
# For any update do it in all files # For any update do it in all files
homeserver_config_path="/etc/matrix-$app/homeserver.yaml" if [ -z $macaroon_secret_key ]; then
ynh_backup_if_checksum_is_different "$homeserver_config_path"
cp ../conf/homeserver.yaml "$homeserver_config_path"
ynh_replace_string --match_string __APP__ --replace_string $app --target_file "$homeserver_config_path"
ynh_replace_string --match_string __DOMAIN__ --replace_string $domain --target_file "$homeserver_config_path"
ynh_replace_string --match_string __SERVER_NAME__ --replace_string $server_name --target_file "$homeserver_config_path"
ynh_replace_string --match_string __SYNAPSE_DB_USER__ --replace_string $synapse_db_user --target_file "$homeserver_config_path"
ynh_replace_special_string --match_string __SYNAPSE_DB_PWD__ --replace_string $synapse_db_pwd --target_file "$homeserver_config_path"
ynh_replace_string --match_string __PORT__ --replace_string $port --target_file "$homeserver_config_path"
ynh_replace_string --match_string __TLS_PORT__ --replace_string $synapse_tls_port --target_file "$homeserver_config_path"
ynh_replace_string --match_string __TURNSERVER_TLS_PORT__ --replace_string $turnserver_tls_port --target_file "$homeserver_config_path"
ynh_replace_special_string --match_string __TURNPWD__ --replace_string $turnserver_pwd --target_file "$homeserver_config_path"
ynh_replace_special_string --match_string __REGISTRATION_SECRET__ --replace_string "$registration_shared_secret" --target_file "$homeserver_config_path"
ynh_replace_special_string --match_string __FORM_SECRET__ --replace_string "$form_secret" --target_file "$homeserver_config_path"
ynh_replace_string --match_string __REPORT_STATS__ --replace_string "$report_stats" --target_file "$homeserver_config_path"
ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
if [ -n $macaroon_secret_key ]; then
# Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice. # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
# For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
# The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !! # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
# So for the old install we just leave this as it is. And for the new install we use a real macaroon. # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
# For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/ macaroon_secret_key_param='# macaroon_secret_key: ""'
ynh_replace_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path"
else else
ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path" macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
fi fi
if [ $is_public -eq 0 ] if [ $is_public -eq 0 ]
then then
ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path" allowed_access=False
ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path" sso_enabled=True
else else
ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path" allowed_access=True
ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path" sso_enabled=False
fi fi
ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
# Create .well-known redirection for access by federation # Create .well-known redirection for access by federation
if yunohost --output-as plain domain list | grep -q "^$server_name$" if yunohost --output-as plain domain list | grep -q "^$server_name$"
then then
cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
fi fi
ynh_store_file_checksum --file "$homeserver_config_path" ynh_store_file_checksum --file "$homeserver_config_path"
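Review bot: `ynh_store_file_checksum --file "$homeserver_config_path"` on the last line still reads `homeserver_config_path`, but the only assignment of that variable in this hunk (`homeserver_config_path="/etc/matrix-$app/homeserver.yaml"`) is removed; unless `apply_config` defines it earlier (the function starts outside the hunk), the call receives an empty path and, if the script runs with nounset as the YunoHost error trap enables, aborts outright. `ynh_add_config` already records the checksum of the file it writes, so the line is redundant in either case and can be deleted, or rewritten as `ynh_store_file_checksum --file="/etc/matrix-$app/homeserver.yaml"` if the explicit store is wanted. The `[ -z $macaroon_secret_key ]` test, which also corrects the inverted `-n` of the old code, should quote its operand so it does not rely on the one-argument form of `test`: `if [ -z "$macaroon_secret_key" ]; then`.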


@ -37,6 +37,7 @@ app=$YNH_APP_INSTANCE_NAME
synapse_user="matrix-$app" synapse_user="matrix-$app"
synapse_db_name="matrix_$app" synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app" synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version) upstream_version=$(ynh_app_upstream_version)
report_stats="false" report_stats="false"
allow_public_rooms="false" allow_public_rooms="false"
@ -150,7 +151,7 @@ ynh_install_app_dependencies $dependances
#================================================= #=================================================
ynh_script_progression --message="Configuring system user..." --weight=3 ynh_script_progression --message="Configuring system user..." --weight=3
ynh_system_user_create --username=$synapse_user --home_dir=$data_path ynh_system_user_create --username=$synapse_user --home_dir=$final_path
adduser $synapse_user ssl-cert adduser $synapse_user ssl-cert
adduser turnserver ssl-cert adduser turnserver ssl-cert
@ -256,12 +257,7 @@ ynh_add_fpm_config
# Create .well-known redirection for access by federation # Create .well-known redirection for access by federation
if yunohost --output-as plain domain list | grep -q "^$server_name$" if yunohost --output-as plain domain list | grep -q "^$server_name$"
then then
cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
fi fi
# Create a dedicated nginx config # Create a dedicated nginx config
@ -273,51 +269,27 @@ ynh_add_nginx_config app
ynh_script_progression --message="Configuring synapse..." --weight=2 ynh_script_progression --message="Configuring synapse..." --weight=2
# Find password for turnserver and database # Find password for turnserver and database
ynh_print_OFF
turnserver_pwd=$(ynh_string_random --length=30) turnserver_pwd=$(ynh_string_random --length=30)
ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd ynh_app_setting_set --app=$app --key=turnserver_pwd --value=$turnserver_pwd
ynh_print_ON
# Configure Synapse # Configure Synapse
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times) # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
# For any update do it in all files # For any update do it in all files
homeserver_config_path="/etc/matrix-$app/homeserver.yaml" macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
cp ../conf/homeserver.yaml "$homeserver_config_path"
cp ../conf/log.yaml /etc/matrix-$app/log.yaml
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__SERVER_NAME__ --replace_string=$server_name --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string=$synapse_db_user --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
ynh_print_OFF
ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path"
ynh_print_ON
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
if [ $is_public -eq 0 ] if [ $is_public -eq 0 ]
then then
ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path" allowed_access=False
ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path" sso_enabled=True
else else
ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path" allowed_access=True
ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path" sso_enabled=False
fi fi
ynh_store_file_checksum --file="$homeserver_config_path" ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml" ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
#================================================= #=================================================
# SET COTURN CONFIG # SET COTURN CONFIG
@ -327,35 +299,23 @@ ynh_script_progression --message="Configuring coturn..." --weight=1
# WARNING : theses command are used in INSTALL, UPGRADE # WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files # For any update do it in all files
coturn_config_path="/etc/matrix-$app/coturn.conf"
cp ../conf/turnserver.conf "$coturn_config_path"
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
ynh_print_OFF
ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
ynh_print_ON
# Get public IP and set as external IP for coturn # Get public IP and set as external IP for coturn
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6 # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
public_ip4="$(curl ip.yunohost.org)" || true public_ip4="$(curl ip.yunohost.org)" || true
public_ip6="$(curl ipv6.yunohost.org)" || true public_ip6="$(curl ipv6.yunohost.org)" || true
turn_external_ip=""
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then then
echo "external-ip=$public_ip4" >> "$coturn_config_path" turn_external_ip+="\nexternal-ip=$public_ip4"
fi fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6" if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then then
echo "external-ip=$public_ip6" >> "$coturn_config_path" turn_external_ip+="\nexternal-ip=$public_ip6"
fi fi
ynh_store_file_checksum --file="$coturn_config_path" ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
#================================================= #=================================================
# SETUP LOGROTATE # SETUP LOGROTATE
@ -371,22 +331,22 @@ ynh_use_logrotate --logfile "/var/log/matrix-$app"
# WARNING : theses command are used in INSTALL, UPGRADE # WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files # For any update do it in all files
cp ../sources/Coturn_config_rotate.sh $final_path/ ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
cp ../sources/update_synapse_for_appservice.sh $final_path/ ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/Coturn_config_rotate.sh"
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/update_synapse_for_appservice.sh"
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION
#================================================= #=================================================
# SETUP SSOWAT # SETUP PERMISSIONS
#================================================= #=================================================
ynh_script_progression --message="Configuring SSOwat..." --weight=1 ynh_script_progression --message="Configuring permissions..." --weight=1
# Open access to server without a button the home ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls". ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true
python3 ../conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
ynh_permission_url --permission main --url $domain/_matrix/cas_server.php/login ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
--label="Server access for client apps." --show_tile=false --allowed=visitors \
--auth_header=false --protected=true
#================================================= #=================================================
# UPDATE HOOKS # UPDATE HOOKS


@ -31,6 +31,7 @@ turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tl
synapse_user="matrix-$app" synapse_user="matrix-$app"
synapse_db_name="matrix_$app" synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app" synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version) upstream_version=$(ynh_app_upstream_version)
final_www_path="/var/www/$app" final_www_path="/var/www/$app"
@ -75,13 +76,6 @@ ynh_script_progression --message="Removing dependencies" --weight=15
# Remove metapackage and its dependencies # Remove metapackage and its dependencies
ynh_remove_app_dependencies ynh_remove_app_dependencies
#=================================================
# SETUP SSOWAT
#=================================================
# Remove the skipped url
python3 ../conf/remove_sso_conf.py $domain $server_name
#================================================= #=================================================
# REMOVE APP MAIN DIR # REMOVE APP MAIN DIR
#================================================= #=================================================
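Review bot: The new side of the first hunk assigns `synapse_db_name="matrix_$app"` twice (the hunk grows from 6 to 7 lines and the second copy appears right after `synapse_db_user`), which is harmless but reads like a merge leftover; drop the second line. Removing the SSOwat clean-up block is consistent with the permission-based setup elsewhere in this commit, though it presumably relies on the upgrade script having already purged the legacy `conf.json.persistent` entries before a user ever runs remove — worth confirming that an install never upgraded past the old version does not leave stale `skipped_urls` behind.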


@ -0,0 +1,39 @@
import json
import sys
with open("/etc/ssowat/" + "conf.json.persistent", "r", encoding='utf-8') as jsonFile:
data = json.load(jsonFile)
for domain in ("", sys.argv[1], sys.argv[2]):
for path in ("/_matrix", "/.well-known/matrix/", "/_matrix/cas_server.php/login"):
url = domain + path
try:
uri_list = data["skipped_urls"]
while url in uri_list:
uri_list.remove(url)
except:
pass
try:
uri_list = data["protected_urls"]
while url in uri_list:
uri_list.remove(url)
except:
pass
try:
uri_list = data["permissions"]["custom_protected"]["uris"]
while url in uri_list:
uri_list.remove(url)
except:
pass
try:
uri_list = data["permissions"]["custom_skipped"]["uris"]
while url in uri_list:
uri_list.remove(url)
except:
pass
with open("/etc/ssowat/" + "conf.json.persistent", "w", encoding='utf-8') as jsonFile:
jsonFile.write(json.dumps(data, indent=4, sort_keys=True))
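Review bot: The four `except:` clauses are bare, so they hide not only the expected missing-section `KeyError` but also `TypeError`/`AttributeError` from a malformed value and even `KeyboardInterrupt`, and the file is then written back as if the clean-up succeeded; the upgrade script only warns on a non-zero exit, so a silently skipped section is never reported. The same four-line loop is also repeated four times, which is why the mistake is easy to make. A small helper with a narrow check keeps the best-effort behaviour while surfacing real breakage; the path list `"/.well-known/matrix/"` (with trailing slash) should be checked against what the deleted `add_sso_conf.py` actually wrote, since an exact string match is required here.
```python
def _purge(uri_list, url):
    """Drop every occurrence of url from a list-valued SSOwat section."""
    while url in uri_list:
        uri_list.remove(url)

# … unchanged: loading of conf.json.persistent …
permissions = data.get("permissions", {})
for domain in ("", sys.argv[1], sys.argv[2]):
    for path in ("/_matrix", "/.well-known/matrix/", "/_matrix/cas_server.php/login"):
        url = domain + path
        for section in (
            data.get("skipped_urls"),
            data.get("protected_urls"),
            permissions.get("custom_protected", {}).get("uris"),
            permissions.get("custom_skipped", {}).get("uris"),
        ):
            # A missing section is normal; anything that is not a list is a broken file and must not be silently rewritten.
            if section is not None:
                _purge(section, url)
# … unchanged: write-back of the cleaned file …
```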


@ -36,6 +36,7 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path)
synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port) synapse_tls_port=$(ynh_app_setting_get --app=$app --key=synapse_tls_port)
turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port) turnserver_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_tls_port)
turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port) turnserver_alt_tls_port=$(ynh_app_setting_get --app=$app --key=turnserver_alt_tls_port)
phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)
ynh_print_OFF ynh_print_OFF
synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd) synapse_db_pwd=$(ynh_app_setting_get --app=$app --key=synapse_db_pwd)
ynh_print_ON ynh_print_ON
@ -47,6 +48,7 @@ ynh_print_ON
synapse_user="matrix-$app" synapse_user="matrix-$app"
synapse_db_name="matrix_$app" synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app" synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version) upstream_version=$(ynh_app_upstream_version)
final_www_path="/var/www/$app" final_www_path="/var/www/$app"
data_path="/home/yunohost.app/matrix-$app" data_path="/home/yunohost.app/matrix-$app"
@ -78,7 +80,7 @@ ynh_install_app_dependencies $dependances
ynh_script_progression --message="Recreating the dedicated system user..." --weight=3 ynh_script_progression --message="Recreating the dedicated system user..." --weight=3
# Create the dedicated user (if not existing) # Create the dedicated user (if not existing)
ynh_system_user_create --username=$synapse_user --home_dir=$data_path ynh_system_user_create --username=$synapse_user --home_dir=$final_path
adduser $synapse_user ssl-cert adduser $synapse_user ssl-cert
adduser turnserver ssl-cert adduser turnserver ssl-cert
@ -170,35 +172,23 @@ ynh_print_ON
# WARNING : these commands are used in INSTALL, UPGRADE # WARNING : these commands are used in INSTALL, UPGRADE
# For any update do it in all files # For any update do it in all files
coturn_config_path="/etc/matrix-$app/coturn.conf"
cp ../settings/conf/turnserver.conf "$coturn_config_path"
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
ynh_print_OFF
ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
ynh_print_ON
# Get public IP and set as external IP for coturn # Get public IP and set as external IP for coturn
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6 # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
public_ip4="$(curl ip.yunohost.org)" || true public_ip4="$(curl ip.yunohost.org)" || true
public_ip6="$(curl ipv6.yunohost.org)" || true public_ip6="$(curl ipv6.yunohost.org)" || true
turn_external_ip=""
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then then
echo "external-ip=$public_ip4" >> "$coturn_config_path" turn_external_ip+="\nexternal-ip=$public_ip4"
fi fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6" if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then then
echo "external-ip=$public_ip6" >> "$coturn_config_path" turn_external_ip+="\nexternal-ip=$public_ip6"
fi fi
ynh_store_file_checksum --file="$coturn_config_path" ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
#================================================= #=================================================
# OPEN THE PORT # OPEN THE PORT
@ -209,15 +199,6 @@ ynh_exec_warn_less yunohost firewall allow TCP $synapse_tls_port
ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port ynh_exec_warn_less yunohost firewall allow Both $turnserver_tls_port
ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port ynh_exec_warn_less yunohost firewall allow Both $turnserver_alt_tls_port
#=================================================
# SETUP SSOWAT
#=================================================
ynh_script_progression --message="Configuring SSOwat..."
# Open access to server without a button the home
# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls".
python3 ../settings/conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
#================================================= #=================================================
# SETUP LOGROTATE # SETUP LOGROTATE
#================================================= #=================================================
@ -233,6 +214,7 @@ ynh_use_logrotate --logfile /var/log/matrix-$app
# WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times) # WARNING : theses command are used in INSTALL, UPGRADE, RESTORE (3 times)
# For any update do it in all files # For any update do it in all files
ynh_script_progression --message="Configuring file permission..."
chown $synapse_user:root -R $final_path chown $synapse_user:root -R $final_path
chmod 770 $final_path/Coturn_config_rotate.sh chmod 770 $final_path/Coturn_config_rotate.sh
chmod 700 $final_path/update_synapse_for_appservice.sh chmod 700 $final_path/update_synapse_for_appservice.sh
@ -280,7 +262,7 @@ ynh_send_readme_to_admin --app_message="mail_to_send" --type="restore"
#================================================= #=================================================
ynh_script_progression --message="Reloading nginx web server..." ynh_script_progression --message="Reloading nginx web server..."
systemctl reload php7.0-fpm ynh_systemd_action --service_name=php$phpversion-fpm --action=reload
ynh_systemd_action --service_name=nginx --action=reload ynh_systemd_action --service_name=nginx --action=reload
#================================================= #=================================================
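Review bot: The new `phpversion=$(ynh_app_setting_get --app=$app --key=phpversion)` read at the top of the section can come back empty when the archive was produced by a package version that never stored that setting, and the final `ynh_systemd_action --service_name=php$phpversion-fpm --action=reload` then targets a non-existent `php-fpm` unit and fails the restore after everything else is already in place. Guard it right after the read, e.g. `phpversion=${phpversion:-$YNH_DEFAULT_PHP_VERSION}` (assuming the helpers export that default on the targeted YunoHost version; otherwise hard-code the version the nginx/fpm config is written for). The duplicate `synapse_db_name="matrix_$app"` added below `synapse_db_user` in the same section can be dropped as well.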


@ -50,16 +50,12 @@ ynh_print_ON
synapse_user="matrix-$app" synapse_user="matrix-$app"
synapse_db_name="matrix_$app" synapse_db_name="matrix_$app"
synapse_db_user="matrix_$app" synapse_db_user="matrix_$app"
synapse_db_name="matrix_$app"
upstream_version=$(ynh_app_upstream_version) upstream_version=$(ynh_app_upstream_version)
upgrade_type=$(ynh_check_app_version_changed)
final_www_path="/var/www/$app" final_www_path="/var/www/$app"
data_path="/home/yunohost.app/matrix-$app" data_path="/home/yunohost.app/matrix-$app"
#=================================================
# CHECK VERSION
#=================================================
upgrade_type=$(ynh_check_app_version_changed)
#================================================= #=================================================
# ENSURE DOWNWARD COMPATIBILITY # ENSURE DOWNWARD COMPATIBILITY
#================================================= #=================================================
@ -147,8 +143,10 @@ if [ -e "/var/lib/matrix-$app" ]; then
mv "$data_path" "$old_data_dir_path" mv "$data_path" "$old_data_dir_path"
fi fi
mv "/var/lib/matrix-$app" "$data_path" mv "/var/lib/matrix-$app" "$data_path"
fi
if ! grep -q "$final_path" /etc/passwd; then
# matrix-synapse:x:994:994::/var/lib/matrix-synapse:/usr/sbin/nologin # matrix-synapse:x:994:994::/var/lib/matrix-synapse:/usr/sbin/nologin
sed --in-place -r "s@matrix-$app\:x\:(\n*:\n*)\:\:/var/lib/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:(\n*:\n*)\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd sed --in-place -r "s@matrix-$app\:x\:([[:digit:]]+\:[[:digit:]]+)\:\:/.*/matrix-$app\:/usr/sbin/nologin@matrix-$app\:x\:\1\:\:$final_path\:/usr/sbin/nologin@g" /etc/passwd
fi fi
#================================================= #=================================================
@ -192,14 +190,17 @@ then
ynh_script_progression --message="Generating synapse secret..." --weight=1 ynh_script_progression --message="Generating synapse secret..." --weight=1
# Go in virtualenvironnement # Go in virtualenvironnement
PS1=${PS1:-} set +u
source $final_path/bin/activate source $final_path/bin/activate
set -u
# Generate config and keys # Generate config and keys
python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml python -m synapse.app.homeserver --keys-directory /etc/matrix-$app/ --generate-config --generate-keys --server-name $server_name --report-stats=no -c homeserver.yml
# This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does # This function was defined when we called "source $final_path/bin/activate". With this function we undo what "$final_path/bin/activate" does
set +u;
deactivate deactivate
set -u;
# Get random values from config # Get random values from config
ynh_print_OFF ynh_print_OFF
@ -221,52 +222,27 @@ ynh_script_progression --message="Updating synapse config..." --weight=2
# WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times) # WARNING : theses command are used in INSTALL, UPGRADE, CONFIG, CHANGE-URL (4 times)
# For any update do it in all files # For any update do it in all files
homeserver_config_path="/etc/matrix-$app/homeserver.yaml"
ynh_backup_if_checksum_is_different --file="$homeserver_config_path"
ynh_backup_if_checksum_is_different --file=/etc/matrix-$app/log.yaml
cp ../conf/homeserver.yaml "$homeserver_config_path"
cp ../conf/log.yaml /etc/matrix-$app/log.yaml
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__SERVER_NAME__ --replace_string=$server_name --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__SYNAPSE_DB_USER__ --replace_string=$synapse_db_user --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__PORT__ --replace_string=$port --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$synapse_tls_port --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__TURNSERVER_TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__REPORT_STATS__ --replace_string="$report_stats" --target_file="$homeserver_config_path"
ynh_replace_string --match_string=__ALLOW_PUBLIC_ROOMS__ --replace_string="$allow_public_rooms" --target_file="$homeserver_config_path"
ynh_print_OFF
ynh_replace_special_string --match_string=__SYNAPSE_DB_PWD__ --replace_string=$synapse_db_pwd --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__REGISTRATION_SECRET__ --replace_string="$registration_shared_secret" --target_file="$homeserver_config_path"
ynh_replace_special_string --match_string=__FORM_SECRET__ --replace_string="$form_secret" --target_file="$homeserver_config_path"
if [ -z $macaroon_secret_key ]; then if [ -z $macaroon_secret_key ]; then
# Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice. # Well, in this package this value was not managed because it was not needed, synapse is able to generate this with some other secret in the config file but after some vulnerability was found with this practice.
# For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/ # For more detail about this issue you can see : https://matrix.org/blog/2019/01/15/further-details-on-critical-security-update-in-synapse-affecting-all-versions-prior-to-0-34-1-cve-2019-5885/
# The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !! # The problem is that we can't just say generate a new value if the package has not already defined a value. The reason is that changing this value logout all user. And in case of a user has enabled the encryption, the user might lost all conversation !!
# So for the old install we just leave this as it is. And for the new install we use a real macaroon. # So for the old install we just leave this as it is. And for the new install we use a real macaroon.
ynh_replace_special_string --match_string='macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --replace_string='# macaroon_secret_key: "__MACAROON_SECRET_KEY__"' --target_file="$homeserver_config_path" macaroon_secret_key_param='# macaroon_secret_key: ""'
else else
ynh_replace_special_string --match_string=__MACAROON_SECRET_KEY__ --replace_string="$macaroon_secret_key" --target_file="$homeserver_config_path" macaroon_secret_key_param='macaroon_secret_key: "'$macaroon_secret_key'"'
fi fi
ynh_print_ON
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="/etc/matrix-$app/log.yaml"
if [ $is_public -eq 0 ] if [ $is_public -eq 0 ]
then then
ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=False --target_file="$homeserver_config_path" allowed_access=False
ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=True --target_file="$homeserver_config_path" sso_enabled=True
else else
ynh_replace_string --match_string=__ALLOWED_ACCESS__ --replace_string=True --target_file="$homeserver_config_path" allowed_access=True
ynh_replace_string --match_string=__SSO_ENABLED__ --replace_string=False --target_file="$homeserver_config_path" sso_enabled=False
fi fi
ynh_store_file_checksum --file="$homeserver_config_path" ynh_add_config --template="homeserver.yaml" --destination="/etc/matrix-$app/homeserver.yaml"
ynh_store_file_checksum --file="/etc/matrix-$app/log.yaml" ynh_add_config --template="log.yaml" --destination="/etc/matrix-$app/log.yaml"
#================================================= #=================================================
# MIGRATION 2 : MULTINSTANCE SUPPORT # MIGRATION 2 : MULTINSTANCE SUPPORT
@ -283,10 +259,6 @@ then
# Disable default config for turnserver and create a new service # Disable default config for turnserver and create a new service
systemctl stop coturn.service systemctl stop coturn.service
# Set by default the system config for coturn
echo "" > /etc/turnserver.conf
ynh_replace_string --match_string="TURNSERVER_ENABLED=1" --replace_string="TURNSERVER_ENABLED=0" --target_file=/etc/default/coturn
# Set a port for each service in turnserver # Set a port for each service in turnserver
turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1))) turnserver_alt_tls_port=$(ynh_find_port --port=$((turnserver_tls_port+1)))
cli_port=$(ynh_find_port --port=5766) cli_port=$(ynh_find_port --port=5766)
@ -347,13 +319,7 @@ ynh_add_fpm_config
# Create .well-known redirection for access by federation # Create .well-known redirection for access by federation
if yunohost --output-as plain domain list | grep -q "^$server_name$" if yunohost --output-as plain domain list | grep -q "^$server_name$"
then then
ynh_backup_if_checksum_is_different --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf" ynh_add_config --template="server_name.conf" --destination="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
cp ../conf/server_name.conf /etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__PORT__ --replace_string=$synapse_tls_port --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__JITSI_SERVER_ADDR__ --replace_string=$jitsi_server --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_replace_string --match_string=__E2E_ENABLED_BY_DEFAULT__ --replace_string=$e2e_enabled_by_default --target_file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
ynh_store_file_checksum --file="/etc/nginx/conf.d/${server_name}.d/${app}_server_name.conf"
fi fi
# Create a dedicated nginx config # Create a dedicated nginx config
@ -369,35 +335,23 @@ ynh_script_progression --message="Updating coturn config..." --weight=1
# WARNING : theses command are used in INSTALL, UPGRADE # WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files # For any update do it in all files
coturn_config_path="/etc/matrix-$app/coturn.conf"
cp ../conf/turnserver.conf "$coturn_config_path"
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$coturn_config_path"
ynh_replace_string --match_string=__DOMAIN__ --replace_string=$domain --target_file="$coturn_config_path"
ynh_replace_string --match_string=__TLS_PORT__ --replace_string=$turnserver_tls_port --target_file="$coturn_config_path"
ynh_replace_string --match_string=__TLS_ALT_PORT__ --replace_string=$turnserver_alt_tls_port --target_file="$coturn_config_path"
ynh_replace_string --match_string=__CLI_PORT__ --replace_string=$cli_port --target_file="$coturn_config_path"
ynh_print_OFF
ynh_replace_string --match_string=__TURNPWD__ --replace_string=$turnserver_pwd --target_file="$coturn_config_path"
ynh_print_ON
# Get public IP and set as external IP for coturn # Get public IP and set as external IP for coturn
# note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6 # note : '|| true' is used to ignore the errors if we can't get the public ipv4 or ipv6
public_ip4="$(curl ip.yunohost.org)" || true public_ip4="$(curl ip.yunohost.org)" || true
public_ip6="$(curl ipv6.yunohost.org)" || true public_ip6="$(curl ipv6.yunohost.org)" || true
turn_external_ip=""
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then then
echo "external-ip=$public_ip4" >> "$coturn_config_path" turn_external_ip+="\nexternal-ip=$public_ip4"
fi fi
if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6" if [ -n "$public_ip6" ] && ynh_validate_ip6 --ip_address="$public_ip6"
then then
echo "external-ip=$public_ip6" >> "$coturn_config_path" turn_external_ip+="\nexternal-ip=$public_ip6"
fi fi
ynh_store_file_checksum --file="$coturn_config_path" ynh_add_config --template="turnserver.conf" --destination="/etc/matrix-$app/coturn.conf"
#================================================= #=================================================
# ADD SCRIPT FOR COTURN CRON AND APP SERVICE # ADD SCRIPT FOR COTURN CRON AND APP SERVICE
@ -406,10 +360,8 @@ ynh_store_file_checksum --file="$coturn_config_path"
# WARNING : theses command are used in INSTALL, UPGRADE # WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files # For any update do it in all files
cp ../sources/Coturn_config_rotate.sh $final_path/ ynh_add_config --template="../sources/Coturn_config_rotate.sh" --destination="$final_path/Coturn_config_rotate.sh"
cp ../sources/update_synapse_for_appservice.sh $final_path/ ynh_add_config --template="../sources/update_synapse_for_appservice.sh" --destination="$final_path/update_synapse_for_appservice.sh"
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/Coturn_config_rotate.sh"
ynh_replace_string --match_string=__APP__ --replace_string=$app --target_file="$final_path/update_synapse_for_appservice.sh"
# Ensure app-service folder has exists and the config file exit (Migration) # Ensure app-service folder has exists and the config file exit (Migration)
mkdir -p /etc/matrix-$app/app-service mkdir -p /etc/matrix-$app/app-service
@ -447,14 +399,26 @@ ynh_add_fail2ban_config --use_template
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION
#================================================= #=================================================
# SETUP SSOWAT # SETUP PERMISSIONS
#================================================= #=================================================
ynh_script_progression --message="Configuring SSOwat..." --weight=1 ynh_script_progression --message="Configuring permissions..." --weight=1
ynh_legacy_permissions_delete_all
# Open access to server without a button the home ynh_permission_url --permission=main --url=$domain/_matrix/cas_server.php/login --auth_header=true
# The script "add_sso_conf.py" will just add en entry for the path "/_matrix" in the sso conf.json.persistent file in the cathegory "skipped_urls". ynh_permission_update --permission=main --label="Synapse server SSO authentication" --show_tile=false --protected=true
python3 ../conf/add_sso_conf.py $domain $server_name || ynh_die --message="Your file /etc/ssowat/conf.json.persistent doesn't respect the json syntax. Please fix the syntax to install this app. For more information see here: https://github.com/YunoHost-Apps/synapse_ynh/issues/32"
ynh_permission_url --permission main --url $domain/_matrix/cas_server.php/login if ! ynh_permission_exists --permission=server_api; then
ynh_permission_create --permission=server_api --url=$domain/_matrix --additional_urls=$server_name/.well-known/matrix \
--label="Server access for client apps." --show_tile=false --allowed=visitors \
--auth_header=false --protected=true
python3 remove_sso_conf_persistent.py $domain $server_name \
|| ynh_print_warn --message="Your file /etc/ssowat/""conf.json.persistent doesn't respect the json syntax. The config file wasn't cleaned. Please clean it manually."
else
ynh_permission_url --permission=server_api --url=$domain/_matrix --add_url=$server_name/.well-known/matrix \
--auth_header=false
ynh_permission_update --permission=server_api --label="Server access for client apps." --show_tile=false \
--protected=true
fi
#================================================= #=================================================
# SECURE FILES AND DIRECTORIES # SECURE FILES AND DIRECTORIES
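Review bot: The home-directory migration hunk (`if ! grep -q "$final_path" /etc/passwd; then … sed --in-place … /etc/passwd`) hand-edits /etc/passwd with a regex, and its guard matches any account whose line contains `$final_path`, not specifically `matrix-$app`, so the step is skipped when another entry happens to mention that path and the regex is only as robust as the current `nologin` shell and `::` gecos layout. Letting the system tool do it avoids both problems and keeps the file's locking and backup semantics: `if ! grep -q "^matrix-$app:.*:$final_path:" /etc/passwd; then`, `    usermod --home "$final_path" "matrix-$app"`, `fi`. This matches the `ynh_system_user_create --home_dir=$final_path` used by the restore script in the same commit.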


@ -4,11 +4,13 @@ app_instance=__APP__
source /usr/share/yunohost/helpers source /usr/share/yunohost/helpers
external_IP_line="external-ip=__IPV4__,__IPV6__" coturn_config_path="/etc/matrix-$app_instance/coturn.conf"
public_ip4="$(curl ip.yunohost.org)" || true public_ip4="$(curl ip.yunohost.org)" || true
public_ip6="$(curl ipv6.yunohost.org)" || true public_ip6="$(curl ipv6.yunohost.org)" || true
old_config_line=$(egrep "^external-ip=.*\$" $coturn_config_path)
perl -i -pe 's/(^external-ip=.*\n)*//g' $coturn_config_path
if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4" if [ -n "$public_ip4" ] && ynh_validate_ip4 --ip_address="$public_ip4"
then then
echo "external-ip=$public_ip4" >> "$coturn_config_path" echo "external-ip=$public_ip4" >> "$coturn_config_path"
@ -19,8 +21,6 @@ then
echo "external-ip=$public_ip6" >> "$coturn_config_path" echo "external-ip=$public_ip6" >> "$coturn_config_path"
fi fi
old_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf")
ynh_replace_string "^external-ip=.*\$" "$external_IP_line" "/etc/matrix-$app_instance/coturn.conf"
new_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf") new_config_line=$(egrep "^external-ip=.*\$" "/etc/matrix-$app_instance/coturn.conf")
setfacl -R -m user:turnserver:rX /etc/matrix-$app_instance setfacl -R -m user:turnserver:rX /etc/matrix-$app_instance