diff --git a/.gitlab/ci/build.gitlab-ci.yml b/.gitlab/ci/build.gitlab-ci.yml index 67232ba1f..5e25bcd1f 100644 --- a/.gitlab/ci/build.gitlab-ci.yml +++ b/.gitlab/ci/build.gitlab-ci.yml @@ -38,7 +38,7 @@ build-ssowat: variables: PACKAGE: "ssowat" script: - - git clone $YNH_SOURCE/$PACKAGE -b $CI_COMMIT_REF_NAME $YNH_BUILD_DIR/$PACKAGE || git clone $YNH_SOURCE/$PACKAGE $YNH_BUILD_DIR/$PACKAGE + - git clone $YNH_SOURCE/$PACKAGE -b $CI_COMMIT_REF_NAME $YNH_BUILD_DIR/$PACKAGE --depth 1 || git clone $YNH_SOURCE/$PACKAGE $YNH_BUILD_DIR/$PACKAGE --depth 1 - DEBIAN_FRONTEND=noninteractive apt --assume-yes -o Dpkg::Options::="--force-confold" build-dep $(pwd)/$YNH_BUILD_DIR/$PACKAGE - *build_script @@ -47,6 +47,6 @@ build-moulinette: variables: PACKAGE: "moulinette" script: - - git clone $YNH_SOURCE/$PACKAGE -b $CI_COMMIT_REF_NAME $YNH_BUILD_DIR/$PACKAGE || git clone $YNH_SOURCE/$PACKAGE $YNH_BUILD_DIR/$PACKAGE + - git clone $YNH_SOURCE/$PACKAGE -b $CI_COMMIT_REF_NAME $YNH_BUILD_DIR/$PACKAGE --depth 1 || git clone $YNH_SOURCE/$PACKAGE $YNH_BUILD_DIR/$PACKAGE --depth 1 - DEBIAN_FRONTEND=noninteractive apt --assume-yes -o Dpkg::Options::="--force-confold" build-dep $(pwd)/$YNH_BUILD_DIR/$PACKAGE - *build_script diff --git a/.gitlab/ci/install.gitlab-ci.yml b/.gitlab/ci/install.gitlab-ci.yml index eb5187e11..1df4fc4b9 100644 --- a/.gitlab/ci/install.gitlab-ci.yml +++ b/.gitlab/ci/install.gitlab-ci.yml 
@@ -26,12 +26,4 @@ install-postinstall: script: - apt-get update -o Acquire::Retries=3 - DEBIAN_FRONTEND=noninteractive SUDO_FORCE_REMOVE=yes apt --assume-yes -o Dpkg::Options::="--force-confold" --allow-downgrades install ./$YNH_BUILD_DIR/*.deb - - systemctl -q stop apt-daily.timer - - systemctl -q stop apt-daily-upgrade.timer - - systemctl -q stop apt-daily.service - - systemctl -q stop apt-daily-upgrade.service - - systemctl -q disable apt-daily.timer - - systemctl -q disable apt-daily-upgrade.timer - - systemctl -q disable apt-daily.service - - systemctl -q disable apt-daily-upgrade.service - yunohost tools postinstall -d domain.tld -p the_password --ignore-dyndns diff --git a/.gitlab/ci/lint.gitlab-ci.yml b/.gitlab/ci/lint.gitlab-ci.yml index c6967d5a5..8db1ee756 100644 --- a/.gitlab/ci/lint.gitlab-ci.yml +++ b/.gitlab/ci/lint.gitlab-ci.yml @@ -1,24 +1,43 @@ ######################################## # LINTER ######################################## +# later we must fix lint and format-check jobs and remove "allow_failure" -lint: +lint27: stage: lint image: "before-install" needs: [] allow_failure: true script: - - tox -e lint + - tox -e py27-lint -invalidcode: +lint37: + stage: lint + image: "before-install" + needs: [] + allow_failure: true + script: + - tox -e py37-lint + +invalidcode27: stage: lint image: "before-install" needs: [] script: - - tox -e invalidcode + - tox -e py27-invalidcode -# Disabled, waiting for buster -#format-check: -# extends: .lint-stage -# script: -# - black --check --diff +invalidcode37: + stage: lint + image: "before-install" + allow_failure: true + needs: [] + script: + - tox -e py37-invalidcode + +format-check: + stage: lint + image: "before-install" + needs: [] + allow_failure: true + script: + - tox -e py37-black diff --git a/.gitlab/ci/test.gitlab-ci.yml b/.gitlab/ci/test.gitlab-ci.yml index 12379342a..ef21731f3 100644 --- a/.gitlab/ci/test.gitlab-ci.yml +++ b/.gitlab/ci/test.gitlab-ci.yml 
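Review bot: The eight `systemctl -q stop/disable apt-daily*` lines are dropped before `apt ... install ./$YNH_BUILD_DIR/*.deb` with nothing replacing them, so if the `before-install` image still ships the apt-daily timers enabled, the install step can race unattended-upgrades for the dpkg lock and fail intermittently. The same removal is made in the `.install_debs` anchor of `.gitlab/ci/test.gitlab-ci.yml`. If the image now has those units masked, a one-line comment on the `script:` key such as `# apt-daily units are masked in the image, no need to stop them here` would record why the guard went away; if not, the stop lines should stay.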
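Review bot: The five new jobs in `lint.gitlab-ci.yml` repeat the same `stage`/`image`/`needs` stanza, and `invalidcode27` is the only one without `allow_failure: true`, which a reader only discovers by diffing the stanzas. A hidden template, `.lint-job: {stage: lint, image: "before-install", needs: []}`, with `extends: .lint-job` on each job would reduce every job to its `script` plus the one deliberate `allow_failure`. The new header comment could also name the blocking job, e.g. `# invalidcode27 is blocking; the other lint/format jobs are allow_failure until they pass on py3`.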
@@ -1,12 +1,4 @@ .install_debs: &install_debs - - systemctl -q stop apt-daily.timer - - systemctl -q stop apt-daily-upgrade.timer - - systemctl -q stop apt-daily.service - - systemctl -q stop apt-daily-upgrade.service - - systemctl -q disable apt-daily.timer - - systemctl -q disable apt-daily-upgrade.timer - - systemctl -q disable apt-daily.service - - systemctl -q disable apt-daily-upgrade.service - apt-get update -o Acquire::Retries=3 - DEBIAN_FRONTEND=noninteractive SUDO_FORCE_REMOVE=yes apt --assume-yes -o Dpkg::Options::="--force-confold" --allow-downgrades install ./$YNH_BUILD_DIR/*.deb @@ -44,7 +36,7 @@ full-tests: - *install_debs - yunohost tools postinstall -d domain.tld -p the_password --ignore-dyndns script: - - pytest --cov=yunohost tests/ src/yunohost/tests/ --junitxml=report.xml + - python -m pytest --cov=yunohost tests/ src/yunohost/tests/ --junitxml=report.xml needs: - job: build-yunohost artifacts: true 
@@ -59,70 +51,70 @@ full-tests: root-tests: extends: .test-stage script: - - py.test tests + - python -m pytest tests test-apps: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_apps.py + - python -m pytest tests/test_apps.py test-appscatalog: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_appscatalog.py + - python -m pytest tests/test_appscatalog.py test-appurl: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_appurl.py + - python -m pytest tests/test_appurl.py test-apps-arguments-parsing: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_apps_arguments_parsing.py + - python -m pytest tests/test_apps_arguments_parsing.py test-backuprestore: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_backuprestore.py + - python -m pytest tests/test_backuprestore.py test-changeurl: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_changeurl.py + - python -m pytest tests/test_changeurl.py test-permission: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_permission.py + - python -m pytest tests/test_permission.py test-settings: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_settings.py + - python -m pytest tests/test_settings.py test-user-group: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_user-group.py + - python -m pytest tests/test_user-group.py test-regenconf: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_regenconf.py + - python -m pytest tests/test_regenconf.py test-service: extends: .test-stage script: - cd src/yunohost - - py.test tests/test_service.py + - python -m pytest tests/test_service.py diff --git a/.travis.yml b/.travis.yml index 8674d4d03..9a0f40674 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -2,12 +2,18 @@ language: python matrix: allow_failures: - - env: TOXENV=lint + - env: TOXENV=py27-lint + - env: TOXENV=py37-lint + - env: TOXENV=py37-invalidcode include: - python: 2.7 - env: TOXENV=py27 + env: TOXENV=py27-lint - python: 2.7 - env: TOXENV=lint + env: TOXENV=py27-invalidcode + - python: 3.7 + env: TOXENV=py37-lint + - python: 3.7 + env: TOXENV=py37-invalidcode install: - pip install tox diff --git a/data/helpers.d/php b/data/helpers.d/php index 7ff671317..0fe118fde 100644 --- a/data/helpers.d/php +++ b/data/helpers.d/php 
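Review bot: The `TOXENV=py27` entry is replaced by `TOXENV=py27-lint`, so the Travis matrix now runs only flake8/black and no longer executes the test suite; this is consistent with the `pytest` command being removed from `tox.ini` in the same commit, but it should be a deliberate choice rather than a side effect of the rename. If the tests are meant to run only in the GitLab `full-tests`/`test-*` jobs, a comment at the top of the matrix such as `# tests run in GitLab CI; Travis only lints` would make that intent visible.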
@@ -1,37 +1,37 @@ #!/bin/bash readonly YNH_DEFAULT_PHP_VERSION=7.3 -# Declare the actual php version to use. -# A packager willing to use another version of php can override the variable into its _common.sh. +# Declare the actual PHP version to use. +# A packager willing to use another version of PHP can override the variable into its _common.sh. YNH_PHP_VERSION=${YNH_PHP_VERSION:-$YNH_DEFAULT_PHP_VERSION} -# Create a dedicated php-fpm config +# Create a dedicated PHP-FPM config # # usage 1: ynh_add_fpm_config [--phpversion=7.X] [--use_template] [--package=packages] [--dedicated_service] -# | arg: -v, --phpversion= - Version of php to use. +# | arg: -v, --phpversion= - Version of PHP to use. # | arg: -t, --use_template - Use this helper in template mode. -# | arg: -p, --package= - Additionnal php packages to install -# | arg: -d, --dedicated_service - Use a dedicated php-fpm service instead of the common one. +# | arg: -p, --package= - Additionnal PHP packages to install +# | arg: -d, --dedicated_service - Use a dedicated PHP-FPM service instead of the common one. # # ----------------------------------------------------------------------------- # # usage 2: ynh_add_fpm_config [--phpversion=7.X] --usage=usage --footprint=footprint [--package=packages] [--dedicated_service] -# | arg: -v, --phpversion= - Version of php to use. +# | arg: -v, --phpversion= - Version of PHP to use. # | arg: -f, --footprint= - Memory footprint of the service (low/medium/high). -# low - Less than 20Mb of ram by pool. -# medium - Between 20Mb and 40Mb of ram by pool. -# high - More than 40Mb of ram by pool. -# Or specify exactly the footprint, the load of the service as Mb by pool instead of having a standard value. +# low - Less than 20 MB of RAM by pool. +# medium - Between 20 MB and 40 MB of RAM by pool. +# high - More than 40 MB of RAM by pool. +# Or specify exactly the footprint, the load of the service as MB by pool instead of having a standard value. 
# To have this value, use the following command and stress the service. # watch -n0.5 ps -o user,cmd,%cpu,rss -u APP # # | arg: -u, --usage= - Expected usage of the service (low/medium/high). -# low - Personal usage, behind the sso. +# low - Personal usage, behind the SSO. # medium - Low usage, few people or/and publicly accessible. # high - High usage, frequently visited website. # -# | arg: -p, --package= - Additionnal php packages to install for a specific version of php -# | arg: -d, --dedicated_service - Use a dedicated php-fpm service instead of the common one. +# | arg: -p, --package= - Additionnal PHP packages to install for a specific version of PHP +# | arg: -d, --dedicated_service - Use a dedicated PHP-FPM service instead of the common one. # # # The footprint of the service will be used to defined the maximum footprint we can allow, which is half the maximum RAM. @@ -85,7 +85,7 @@ ynh_add_fpm_config () { # Set the default PHP-FPM version by default phpversion="${phpversion:-$YNH_PHP_VERSION}" - # If the requested php version is not the default version for YunoHost + # If the requested PHP version is not the default version for YunoHost if [ "$phpversion" != "$YNH_DEFAULT_PHP_VERSION" ] then # If the argument --package is used, add the packages to ynh_install_php to install them from sury @@ -95,7 +95,7 @@ ynh_add_fpm_config () { else local additionnal_packages="" fi - # Install this specific version of php. + # Install this specific version of PHP. ynh_install_php --phpversion="$phpversion" "$additionnal_packages" elif [ -n "$package" ] then @@ -118,7 +118,7 @@ ynh_add_fpm_config () { fpm_service="php5-fpm" fi - # Create the directory for fpm pools + # Create the directory for FPM pools mkdir --parents "$fpm_config_dir/pool.d" ynh_app_setting_set --app=$app --key=fpm_config_dir --value="$fpm_config_dir" 
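Review bot: The rewritten `# | arg: -p, --package= - Additionnal PHP packages to install` lines keep the misspelling "Additionnal" while the commit is already editing these comments for casing; they should read `Additional`. The same word appears on the rewritten `--package=` lines of usage 2 in this hunk and in the `ynh_install_php` header in the `@@ -308,21` hunk.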
@@ -127,7 +127,7 @@ ynh_add_fpm_config () { ynh_app_setting_set --app=$app --key=phpversion --value=$phpversion finalphpconf="$fpm_config_dir/pool.d/$app.conf" - # Migrate from mutual php service to dedicated one. + # Migrate from mutual PHP service to dedicated one. if [ $dedicated_service -eq 1 ] then local old_fpm_config_dir="/etc/php/$phpversion/fpm" @@ -137,9 +137,9 @@ ynh_add_fpm_config () { ynh_print_info --message="Migrate to a dedicated php-fpm service for $app." # Create a backup of the old file before migration ynh_backup_if_checksum_is_different --file="$old_fpm_config_dir/pool.d/$app.conf" - # Remove the old php config file + # Remove the old PHP config file ynh_secure_remove --file="$old_fpm_config_dir/pool.d/$app.conf" - # Reload php to release the socket and allow the dedicated service to use it + # Reload PHP to release the socket and allow the dedicated service to use it ynh_systemd_action --service_name=php${phpversion}-fpm --action=reload fi fi @@ -151,10 +151,10 @@ ynh_add_fpm_config () { # Usage 1, use the template in conf/php-fpm.conf local phpfpm_path="../conf/php-fpm.conf" if [ ! -e "$phpfpm_path" ]; then - phpfpm_path="../settings/conf/php-fpm.conf" # Into the restore script, the php-fpm template is not at the same place + phpfpm_path="../settings/conf/php-fpm.conf" # Into the restore script, the PHP-FPM template is not at the same place fi # Make sure now that the template indeed exists - [ -e "$phpfpm_path" ] || ynh_die --message="Unable to find template to configure php-fpm." + [ -e "$phpfpm_path" ] || ynh_die --message="Unable to find template to configure PHP-FPM." cp "$phpfpm_path" "$finalphpconf" ynh_replace_string --match_string="__NAMETOCHANGE__" --replace_string="$app" --target_file="$finalphpconf" ynh_replace_string --match_string="__FINALPATH__" --replace_string="$final_path" --target_file="$finalphpconf" 
@@ -162,13 +162,13 @@ ynh_add_fpm_config () { ynh_replace_string --match_string="__PHPVERSION__" --replace_string="$phpversion" --target_file="$finalphpconf" else - # Usage 2, generate a php-fpm config file with ynh_get_scalable_phpfpm + # Usage 2, generate a PHP-FPM config file with ynh_get_scalable_phpfpm # Store settings ynh_app_setting_set --app=$app --key=fpm_footprint --value=$footprint ynh_app_setting_set --app=$app --key=fpm_usage --value=$usage - # Define the values to use for the configuration of php. + # Define the values to use for the configuration of PHP. ynh_get_scalable_phpfpm --usage=$usage --footprint=$footprint # Copy the default file @@ -181,7 +181,7 @@ ynh_add_fpm_config () { ynh_replace_string --match_string="^group = .*" --replace_string="group = $app" --target_file="$finalphpconf" ynh_replace_string --match_string=".*chdir = .*" --replace_string="chdir = $final_path" --target_file="$finalphpconf" - # Configure fpm children + # Configure FPM children ynh_replace_string --match_string=".*pm = .*" --replace_string="pm = $php_pm" --target_file="$finalphpconf" ynh_replace_string --match_string=".*pm.max_children = .*" --replace_string="pm.max_children = $php_max_children" --target_file="$finalphpconf" ynh_replace_string --match_string=".*pm.max_requests = .*" --replace_string="pm.max_requests = 500" --target_file="$finalphpconf" @@ -238,7 +238,7 @@ ynh_add_fpm_config () { ynh_replace_string --match_string="^[; ]*syslog.ident *=.*" --replace_string="syslog.ident = php-fpm-$app" --target_file="$globalphpconf" ynh_replace_string --match_string="^[; ]*include *=.*" --replace_string="include = $finalphpconf" --target_file="$globalphpconf" - # Create a config for a dedicated php-fpm service for the app + # Create a config for a dedicated PHP-FPM service for the app echo "[Unit] Description=PHP $phpversion FastCGI Process Manager for $app After=network.target 
@@ -253,7 +253,7 @@ ExecReload=/bin/kill -USR2 \$MAINPID WantedBy=multi-user.target " > ../conf/$fpm_service - # Create this dedicated php-fpm service + # Create this dedicated PHP-FPM service ynh_add_systemd_config --service=$fpm_service --template=$fpm_service # Integrate the service in YunoHost admin panel yunohost service add $fpm_service --log /var/log/php/fpm-php.$app.log --log_type file --description "Php-fpm dedicated to $app" @@ -262,12 +262,12 @@ WantedBy=multi-user.target # Restart the service, as this service is either stopped or only for this app ynh_systemd_action --service_name=$fpm_service --action=restart else - # Reload php, to not impact other parts of the system using php + # Reload PHP, to not impact other parts of the system using PHP ynh_systemd_action --service_name=$fpm_service --action=reload fi } -# Remove the dedicated php-fpm config +# Remove the dedicated PHP-FPM config # # usage: ynh_remove_fpm_config # @@ -277,13 +277,13 @@ ynh_remove_fpm_config () { local fpm_service=$(ynh_app_setting_get --app=$app --key=fpm_service) local dedicated_service=$(ynh_app_setting_get --app=$app --key=fpm_dedicated_service) dedicated_service=${dedicated_service:-0} - # Get the version of php used by this app + # Get the version of PHP used by this app local phpversion=$(ynh_app_setting_get $app phpversion) # Assume default PHP-FPM version by default phpversion="${phpversion:-$YNH_DEFAULT_PHP_VERSION}" - # Assume default php files if not set + # Assume default PHP files if not set if [ -z "$fpm_config_dir" ] then fpm_config_dir="/etc/php/$YNH_DEFAULT_PHP_VERSION/fpm" 
@@ -292,11 +292,11 @@ ynh_remove_fpm_config () { if [ $dedicated_service -eq 1 ] then - # Remove the dedicated service php-fpm service for the app + # Remove the dedicated service PHP-FPM service for the app ynh_remove_systemd_config --service=$fpm_service - # Remove the global php-fpm conf + # Remove the global PHP-FPM conf ynh_secure_remove --file="$fpm_config_dir/php-fpm-$app.conf" - # Remove the service from the list of services known by Yunohost + # Remove the service from the list of services known by YunoHost yunohost service remove $fpm_service elif ynh_package_is_installed --package="php${phpversion}-fpm"; then ynh_systemd_action --service_name=$fpm_service --action=reload @@ -308,21 +308,21 @@ ynh_remove_fpm_config () { ynh_secure_remove --file="$fpm_config_dir/conf.d/20-$app.ini" fi - # If the php version used is not the default version for YunoHost + # If the PHP version used is not the default version for YunoHost if [ "$phpversion" != "$YNH_DEFAULT_PHP_VERSION" ] then - # Remove this specific version of php + # Remove this specific version of PHP ynh_remove_php fi } -# Install another version of php. +# Install another version of PHP. # # [internal] # # usage: ynh_install_php --phpversion=phpversion [--package=packages] -# | arg: -v, --phpversion= - Version of php to install. -# | arg: -p, --package= - Additionnal php packages to install +# | arg: -v, --phpversion= - Version of PHP to install. +# | arg: -p, --package= - Additionnal PHP packages to install # # Requires YunoHost version 3.8.1 or higher. ynh_install_php () { @@ -349,7 +349,7 @@ ynh_install_php () { # Do not add twice the same line if ! grep --quiet "$YNH_APP_INSTANCE_NAME:" "/etc/php/ynh_app_version" then - # Store the ID of this app and the version of php requested for it + # Store the ID of this app and the version of PHP requested for it echo "$YNH_APP_INSTANCE_NAME:$phpversion" | tee --append "/etc/php/ynh_app_version" fi 
@@ -357,11 +357,11 @@ ynh_install_php () { ynh_install_extra_repo --repo="https://packages.sury.org/php/ $(ynh_get_debian_release) main" --key="https://packages.sury.org/php/apt.gpg" --priority=995 --name=extra_php_version --priority=600 # Install requested dependencies from this extra repository. - # Install php-fpm first, otherwise php will install apache as a dependency. + # Install PHP-FPM first, otherwise PHP will install apache as a dependency. ynh_add_app_dependencies --package="php${phpversion}-fpm" ynh_add_app_dependencies --package="php$phpversion php${phpversion}-common $package" - # Set the default php version back as the default version for php-cli. + # Set the default PHP version back as the default version for php-cli. update-alternatives --set php /usr/bin/php$YNH_DEFAULT_PHP_VERSION # Pin this extra repository after packages are installed to prevent sury of doing shit @@ -374,7 +374,7 @@ ynh_install_php () { yunohost service add php${phpversion}-fpm --log "/var/log/php${phpversion}-fpm.log" } -# Remove the specific version of php used by the app. +# Remove the specific version of PHP used by the app. # # [internal] # @@ -382,7 +382,7 @@ ynh_install_php () { # # Requires YunoHost version 3.8.1 or higher. ynh_remove_php () { - # Get the version of php used by this app + # Get the version of PHP used by this app local phpversion=$(ynh_app_setting_get $app phpversion) if [ "$phpversion" == "$YNH_DEFAULT_PHP_VERSION" ] || [ -z "$phpversion" ] @@ -400,7 +400,7 @@ ynh_remove_php () { # Remove the line for this app sed --in-place "/$YNH_APP_INSTANCE_NAME:$phpversion/d" "/etc/php/ynh_app_version" - # If no other app uses this version of php, remove it. + # If no other app uses this version of PHP, remove it. if ! grep --quiet "$phpversion" "/etc/php/ynh_app_version" then # Remove the service from the admin panel 
@@ -408,26 +408,26 @@ ynh_remove_php () { yunohost service remove php${phpversion}-fpm fi - # Purge php dependencies for this version. + # Purge PHP dependencies for this version. ynh_package_autopurge "php$phpversion php${phpversion}-fpm php${phpversion}-common" fi } -# Define the values to configure php-fpm +# Define the values to configure PHP-FPM # # [internal] # # usage: ynh_get_scalable_phpfpm --usage=usage --footprint=footprint [--print] # | arg: -f, --footprint= - Memory footprint of the service (low/medium/high). -# low - Less than 20Mb of ram by pool. -# medium - Between 20Mb and 40Mb of ram by pool. -# high - More than 40Mb of ram by pool. -# Or specify exactly the footprint, the load of the service as Mb by pool instead of having a standard value. +# low - Less than 20 MB of RAM by pool. +# medium - Between 20 MB and 40 MB of RAM by pool. +# high - More than 40 MB of RAM by pool. +# Or specify exactly the footprint, the load of the service as MB by pool instead of having a standard value. # To have this value, use the following command and stress the service. # watch -n0.5 ps -o user,cmd,%cpu,rss -u APP # # | arg: -u, --usage= - Expected usage of the service (low/medium/high). -# low - Personal usage, behind the sso. +# low - Personal usage, behind the SSO. # medium - Low usage, few people or/and publicly accessible. # high - High usage, frequently visited website. # @@ -498,7 +498,7 @@ ynh_get_scalable_phpfpm () { # Define pm.max_children # The value of pm.max_children is the total amount of ram divide by 2 and divide again by the footprint of a pool for this app. - # So if php-fpm start the maximum of children, it won't exceed half of the ram. + # So if PHP-FPM start the maximum of children, it won't exceed half of the ram. php_max_children=$(( $max_ram / 2 / $footprint )) # If process manager is set as static, use half less children. # Used as static, there's always as many children as the value of pm.max_children 
diff --git a/data/hooks/conf_regen/31-rspamd b/data/hooks/conf_regen/31-rspamd index 6da4af643..87ed722a7 100755 --- a/data/hooks/conf_regen/31-rspamd +++ b/data/hooks/conf_regen/31-rspamd @@ -42,7 +42,7 @@ do_post_regen() { chown _rspamd /etc/dkim/*.mail.key chmod 400 /etc/dkim/*.mail.key - [ ! -e /var/log/rspamd ] || chown _rspamd:_rspamd /var/log/rspamd + [ ! -e /var/log/rspamd ] || chown -R _rspamd:_rspamd /var/log/rspamd regen_conf_files=$1 [ -z "$regen_conf_files" ] && exit 0 diff --git a/data/templates/dovecot/dovecot.conf b/data/templates/dovecot/dovecot.conf index d64b15356..2e17ff163 100644 --- a/data/templates/dovecot/dovecot.conf +++ b/data/templates/dovecot/dovecot.conf @@ -14,14 +14,17 @@ mail_plugins = $mail_plugins quota ############################################################################### -# generated 2020-05-02, Mozilla Guideline v5.4, Dovecot 2.3.4.1, OpenSSL 1.1.1d, intermediate configuration -# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.4.1&config=intermediate&openssl=1.1.1d&guideline=5.4 +# generated 2020-08-18, Mozilla Guideline v5.6, Dovecot 2.3.4, OpenSSL 1.1.1d, intermediate configuration +# https://ssl-config.mozilla.org/#server=dovecot&version=2.3.4&config=intermediate&openssl=1.1.1d&guideline=5.6 ssl = required ssl_cert = /path/to/dhparam +ssl_dh = /usr/share/yunohost/other/ffdhe2048.pem; + # intermediate configuration ssl_min_protocol = TLSv1.2 ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 diff --git a/data/templates/postfix/main.cf b/data/templates/postfix/main.cf index 18e457a76..b4b645138 100644 --- a/data/templates/postfix/main.cf +++ b/data/templates/postfix/main.cf 
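Review bot: The new `ssl_dh = /usr/share/yunohost/other/ffdhe2048.pem;` line ends with a semicolon that Dovecot will treat as part of the value, and the Postfix `main.cf` change in this commit carries the same trailing `;` on `smtpd_tls_dh1024_param_file`. Dovecot only reads DH parameters from a file when the value is prefixed with `<` (the Mozilla generator emits `ssl_dh = </path/to/dhparam`); the neighbouring `ssl_cert`/`ssl_key` context lines look mangled by extraction, so the prefix may simply be missing from this view, but the template on disk should read `ssl_dh = </usr/share/yunohost/other/ffdhe2048.pem` with no semicolon. Running `doveconf -n` on the rendered file is the quickest way to confirm it parses.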
@@ -19,34 +19,35 @@ readme_directory = no # -- TLS for incoming connections ############################################################################### -# generated 2020-04-03, Mozilla Guideline v5.4, Postfix 3.1.14, OpenSSL 1.1.0l, intermediate configuration -# https://ssl-config.mozilla.org/#server=postfix&version=3.1.14&config=intermediate&openssl=1.1.0l&guideline=5.4 - -# (No modern conf support until we're on buster...) -# {% if compatibility == "intermediate" %} {% else %} {% endif %} - smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/yunohost/certs/{{ main_domain }}/crt.pem smtpd_tls_key_file = /etc/yunohost/certs/{{ main_domain }}/key.pem + +{% if compatibility == "intermediate" %} +# generated 2020-08-18, Mozilla Guideline v5.6, Postfix 3.4.14, OpenSSL 1.1.1d, intermediate configuration +# https://ssl-config.mozilla.org/#server=postfix&version=3.4.14&config=intermediate&openssl=1.1.1d&guideline=5.6 + smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 -# smtpd_tls_mandatory_ciphers = medium # (c.f. 
below) +smtpd_tls_mandatory_ciphers = medium # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem # not actually 1024 bits, this applies to all DHE >= 1024 bits -# smtpd_tls_dh1024_param_file = /path/to/dhparam.pem +smtpd_tls_dh1024_param_file = /usr/share/yunohost/other/ffdhe2048.pem; + +tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +{% else %} +# generated 2020-08-18, Mozilla Guideline v5.6, Postfix 3.4.14, OpenSSL 1.1.1d, modern configuration +# https://ssl-config.mozilla.org/#server=postfix&version=3.4.14&config=modern&openssl=1.1.1d&guideline=5.6 + +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 +smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2 +{% endif %} -# This custom medium cipherlist recommendation only works if we have a DH ... which we don't, c.f. https://github.com/YunoHost/issues/issues/93 -# On the other hand, the postfix doc strongly discourage tweaking this list ... So whatever, let's keep the mandatory_ciphers to high like we did before applying the Mozilla recommendation ... -#tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 tls_preempt_cipherlist = no - -# Custom Yunohost stuff ... because we can't use the recommendation about medium cipher list ... -smtpd_tls_mandatory_ciphers=high -smtpd_tls_eecdh_grade = ultra ############################################################################### smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_loglevel=1 diff --git a/debian/changelog b/debian/changelog index 0fc8ef27b..92d5b6410 100644 
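Review bot: In the `{% else %}` branch, `smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1, !TLSv1.2` governs opportunistic inbound TLS while `smtpd_tls_security_level = may` is kept, so a sending MTA that lacks TLS 1.3 does not fail closed but falls back to cleartext delivery; for an MX the "modern" list is only safe on `smtpd_tls_mandatory_protocols`, and `smtpd_tls_protocols` should keep TLS 1.2 so mail is not downgraded to plaintext. Separately, `smtpd_tls_dh1024_param_file = /usr/share/yunohost/other/ffdhe2048.pem;` has a trailing `;` that Postfix keeps as part of the filename, so the DH parameters would fail to load. Note also that `smtpd_tls_mandatory_ciphers = medium` only affects the mandatory path; the opportunistic path uses `smtpd_tls_ciphers`, which I believe defaults to medium in Postfix 3.x so the `tls_medium_cipherlist` override still applies, but that is worth confirming on the target version.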
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +yunohost (4.0.5) testing; urgency=low + + - [enh] Update postfix, dovecot, nginx configuration according to Mozilla guidelines (Buster + DH params) (f3a4334a, 89bcf1ba, 2d661737) + - [enh] Update acme_tiny to 4.1.0 (#1037) + - [fix] ref to variable in i18n string (c.f. issue 1647) (7b1f02e0) + - [fix] Recursively enforce ownership for rspamd (8454f2ec) + - [fix] Stupid encoding issue when fetching service description (6ec0e7b6) + - [fix] Misc fixes for CI (ca0a42f2, 485c65a9, #1038, a891d20a) + + Thanks to all contributors <3 ! (Eric G., Kay0u) + + -- Alexandre Aubin Tue, 25 Aug 2020 19:32:27 +0200 + yunohost (4.0.4) stable; urgency=low - Debugging and robustness improvements for postgresql 9.6 -> 11 and xtables->nftables migrations (accc2da4, 59bd7d66, 4cb6f7fd, 4b14402c) diff --git a/src/yunohost/service.py b/src/yunohost/service.py index 2eeb078bc..522395718 100644 --- a/src/yunohost/service.py +++ b/src/yunohost/service.py 
@@ -346,16 +346,20 @@ def _get_and_format_service_status(service, infos): 'configuration': "unknown", } - translation_key = "service_description_%s" % service + # Try to get description directly from services.yml description = infos.get("description") + + # If no description was there, try to get it from the .json locales if not description: + translation_key = "service_description_%s" % service description = m18n.n(translation_key) - # that mean that we don't have a translation for this string - # that's the only way to test for that for now - # if we don't have it, uses the one provided by systemd - if description.decode('utf-8') == translation_key: - description = str(raw_status.get("Description", "")) + # If descrption is still equal to the translation key, + # that mean that we don't have a translation for this string + # that's the only way to test for that for now + # if we don't have it, uses the one provided by systemd + if description.decode('utf-8') == translation_key: + description = str(raw_status.get("Description", "")) output = { 'status': str(raw_status.get("SubState", "unknown")), diff --git a/src/yunohost/vendor/acme_tiny/acme_tiny.py b/src/yunohost/vendor/acme_tiny/acme_tiny.py index ba04e37ad..6d1d085c6 100644 --- a/src/yunohost/vendor/acme_tiny/acme_tiny.py +++ b/src/yunohost/vendor/acme_tiny/acme_tiny.py @@ -48,7 +48,7 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA, disable_check # helper function - make signed requests def _send_signed_request(url, payload, err_msg, depth=0): - payload64 = _b64(json.dumps(payload).encode('utf8')) + payload64 = "" if payload is None else _b64(json.dumps(payload).encode('utf8')) new_nonce = _do_request(directory['newNonce'])[2]['Replay-Nonce'] protected = {"url": url, "alg": alg, "nonce": new_nonce} protected.update({"jwk": jwk} if acct_headers is None else {"kid": acct_headers['Location']}) 
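Review bot: `description.decode('utf-8')` on the new line still assumes `m18n.n()` returns a byte string; if it returns a `unicode` object (likely for translations loaded from JSON on Python 2), `.decode` first encodes with the ASCII codec and raises `UnicodeEncodeError` on any non-ASCII translation, which is the same class of problem this commit is fixing. Comparing without decoding, `if description == translation_key:`, works for both `str` and `unicode` because the key itself is ASCII; confirm against what `m18n.n` actually returns. The new comment also has a typo and a grammar slip: `# If description is still equal to the translation key, that means that we don't have a translation for this string`. The enclosing `_get_and_format_service_status` continues outside the hunk.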
@@ -63,12 +63,12 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA, disable_check # helper function - poll until complete def _poll_until_not(url, pending_statuses, err_msg): - while True: - result, _, _ = _do_request(url, err_msg=err_msg) - if result['status'] in pending_statuses: - time.sleep(2) - continue - return result + result, t0 = None, time.time() + while result is None or result['status'] in pending_statuses: + assert (time.time() - t0 < 3600), "Polling timeout" # 1 hour timeout + time.sleep(0 if result is None else 2) + result, _, _ = _send_signed_request(url, None, err_msg) + return result # parse account key to get public key log.info("Parsing account key...") @@ -93,7 +93,7 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA, disable_check common_name = re.search(r"Subject:.*? CN\s?=\s?([^\s,;/]+)", out.decode('utf8')) if common_name is not None: domains.add(common_name.group(1)) - subject_alt_names = re.search(r"X509v3 Subject Alternative Name: \n +([^\n]+)\n", out.decode('utf8'), re.MULTILINE|re.DOTALL) + subject_alt_names = re.search(r"X509v3 Subject Alternative Name: (?:critical)?\n +([^\n]+)\n", out.decode('utf8'), re.MULTILINE|re.DOTALL) if subject_alt_names is not None: for san in subject_alt_names.group(1).split(", "): if san.startswith("DNS:"): @@ -123,7 +123,7 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA, disable_check # get the authorizations that need to be completed for auth_url in order['authorizations']: - authorization, _, _ = _do_request(auth_url, err_msg="Error getting challenges") + authorization, _, _ = _send_signed_request(auth_url, None, "Error getting challenges") domain = authorization['identifier']['value'] log.info("Verifying {0}...".format(domain)) 
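Review bot: The polling timeout in `_poll_until_not` is enforced with `assert (time.time() - t0 < 3600), "Polling timeout"`, which is stripped when the interpreter runs with `-O` and turns the loop into an unbounded poll against the CA; the `assert (disable_check or ...)` check in the `@@ -138,9` hunk has the same weakness. Raising explicitly, `if time.time() - t0 >= 3600: raise ValueError("Polling timeout after 1 hour for {0}".format(url))`, keeps the guard regardless of optimization flags and matches the `ValueError` style used elsewhere in `get_crt`. `_poll_until_not` is a nested helper of `get_crt`, whose body continues outside the hunk.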
@@ -138,9 +138,8 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA, disable_check # check that the file is in place try: wellknown_url = "http://{0}/.well-known/acme-challenge/{1}".format(domain, token) - assert(disable_check or _do_request(wellknown_url)[0] == keyauthorization) + assert (disable_check or _do_request(wellknown_url)[0] == keyauthorization) except (AssertionError, ValueError) as e: - os.remove(wellknown_path) raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e)) # say the challenge is done @@ -148,6 +147,7 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA, disable_check authorization = _poll_until_not(auth_url, ["pending"], "Error checking challenge status for {0}".format(domain)) if authorization['status'] != "valid": raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization)) + os.remove(wellknown_path) log.info("{0} verified!".format(domain)) # finalize the order with the csr @@ -161,7 +161,7 @@ def get_crt(account_key, csr, acme_dir, log=LOGGER, CA=DEFAULT_CA, disable_check raise ValueError("Order failed: {0}".format(order)) # download the certificate - certificate_pem, _, _ = _do_request(order['certificate'], err_msg="Certificate download failed") + certificate_pem, _, _ = _send_signed_request(order['certificate'], None, "Certificate download failed") log.info("Certificate signed!") return certificate_pem diff --git a/tox.ini b/tox.ini index 4598ad3d3..0c0b01a5e 100644 --- a/tox.ini +++ b/tox.ini 
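Review bot: Moving `os.remove(wellknown_path)` after the `authorization['status'] != "valid"` check means the challenge file is no longer removed on any failure path: the `ValueError` for a failed challenge, the polling timeout, and the download-check failure in the `@@ -138,9` hunk (whose `os.remove` was deleted) all leave the token file under `acme_dir`. Wrapping the span from the write of `wellknown_path` through the `valid` check in `try:` / `finally: os.remove(wellknown_path)` keeps the new ordering for the success case while still cleaning up on error; the file only holds a key-authorization token, so this is hygiene rather than exposure, but it accumulates across retries. If leaving the file behind for debugging is intended, a comment saying so on the `os.remove` line would prevent the next reader from "fixing" it. The per-domain loop enclosing these lines starts outside the hunk.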
@@ -1,25 +1,12 @@ [tox] -envlist = - py27 - lint -skipdist = True +envlist = py{27,37}-{lint,invalidcode},py37-black [testenv] skip_install=True deps = - pytest >= 4.6.3, < 5.0 - pyyaml >= 5.1.2, < 6.0 - flake8 >= 3.7.9, < 3.8 - urllib3 + py{27,37}-{lint,invalidcode}: flake8 + py37-black: black commands = - pytest {posargs} - -[testenv:lint] -skip_install=True -commands = flake8 src doc data tests -deps = flake8 - -[testenv:invalidcode] -skip_install=True -commands = flake8 src data --exclude src/yunohost/tests --select F --ignore F401,F841 -deps = flake8 + py{27,37}-lint: flake8 src doc data tests + py{27,37}-invalidcode: flake8 src data --exclude src/yunohost/tests --select F --ignore F401,F841 + py37-black: black --check --diff src doc data tests \ No newline at end of file
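Review bot: Both `flake8` and `black` are now unpinned in `deps`, whereas the removed env pinned `flake8 >= 3.7.9, < 3.8`; black in particular changes its formatting between releases, so `py37-black: black --check --diff src doc data tests` will start failing on days when a new black ships rather than when the code changes. Pinning, e.g. `py37-black: black==<version used locally>`, keeps the lint envs reproducible and matches the old file's style. The file also now ends without a trailing newline (`\ No newline at end of file`).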