YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'origin/enh-global-settings-configpanel' into ip_pool

Browse source
This commit is contained in:
theo@manjaro 2022-06-28 13:38:08 +02:00
commit 6f282b2bcf
23 changed files with 591 additions and 507 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
conf/postfix/main.cf
View file

@ -81,7 +81,7 @@ alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydomain = {{ main_domain }}
mydestination = localhost
{% if relay_host == "" %}
{% if relay_enabled != "True" %}
relayhost =
{% else %}
relayhost = [{{ relay_host }}]:{{ relay_port }}
@ -198,7 +198,7 @@ smtpd_client_recipient_rate_limit=150
# and after to send spam
disable_vrfy_command = yes
{% if relay_user != "" %}
{% if relay_enabled == "True" %}
# Relay email through an other smtp account
# enable SASL authentication
smtp_sasl_auth_enable = yes

4
conf/ssh/sshd_config
View file

@ -3,7 +3,7 @@
Protocol 2
# PLEASE: if you wish to change the ssh port properly in YunoHost, use this command:
# yunohost settings set security.ssh.port -v <port>
# yunohost settings set security.ssh.ssh_port -v <port>
Port {{ port }}
{% if ipv6_enabled == "true" %}ListenAddress ::{% endif %}
@ -56,7 +56,7 @@ ChallengeResponseAuthentication no
UsePAM yes
# PLEASE: if you wish to force everybody to authenticate using ssh keys, run this command:
# yunohost settings set security.ssh.password_authentication -v no
# yunohost settings set security.ssh.ssh_password_authentication -v no
{% if password_authentication == "False" %}
PasswordAuthentication no
{% else %}

2
hooks/backup/20-conf_ynh_settings
View file

@ -13,6 +13,6 @@ backup_dir="${1}/conf/ynh"
ynh_backup "/etc/yunohost/firewall.yml" "${backup_dir}/firewall.yml"
ynh_backup "/etc/yunohost/current_host" "${backup_dir}/current_host"
[ ! -d "/etc/yunohost/domains" ] || ynh_backup "/etc/yunohost/domains" "${backup_dir}/domains"
[ ! -e "/etc/yunohost/settings.json" ] || ynh_backup "/etc/yunohost/settings.json" "${backup_dir}/settings.json"
[ ! -e "/etc/yunohost/settings.yml" ] || ynh_backup "/etc/yunohost/settings.yml" "${backup_dir}/settings.yml"
[ ! -d "/etc/yunohost/dyndns" ] || ynh_backup "/etc/yunohost/dyndns" "${backup_dir}/dyndns"
[ ! -d "/etc/dkim" ] || ynh_backup "/etc/dkim" "${backup_dir}/dkim"

8
hooks/conf_regen/03-ssh
View file

@ -15,14 +15,14 @@ do_pre_regen() {
ssh_keys=$(ls /etc/ssh/ssh_host_{ed25519,rsa,ecdsa}_key 2>/dev/null || true)
# Support legacy setting (this setting might be disabled by a user during a migration)
if [[ "$(yunohost settings get 'service.ssh.allow_deprecated_dsa_hostkey')" == "True" ]]; then
if [[ "$(yunohost settings get 'security.ssh.ssh_allow_deprecated_dsa_hostkey')" == "True" ]]; then
ssh_keys="$ssh_keys $(ls /etc/ssh/ssh_host_dsa_key 2>/dev/null || true)"
fi
# Support different strategy for security configurations
export compatibility="$(yunohost settings get 'security.ssh.compatibility')"
export port="$(yunohost settings get 'security.ssh.port')"
export password_authentication="$(yunohost settings get 'security.ssh.password_authentication')"
export compatibility="$(yunohost settings get 'security.ssh.ssh_compatibility')"
export port="$(yunohost settings get 'security.ssh.ssh_port')"
export password_authentication="$(yunohost settings get 'security.ssh.ssh_password_authentication')"
export ssh_keys
export ipv6_enabled
ynh_render_template "sshd_config" "${pending_dir}/etc/ssh/sshd_config"

12
hooks/conf_regen/15-nginx
View file

@ -56,7 +56,7 @@ do_pre_regen() {
# install / update plain conf files
cp plain/* "$nginx_conf_dir"
# remove the panel overlay if this is specified in settings
panel_overlay=$(yunohost settings get 'ssowat.panel_overlay.enabled')
panel_overlay=$(yunohost settings get 'misc.ssowat.ssowat_panel_overlay_enabled')
if [ "$panel_overlay" == "false" ] || [ "$panel_overlay" == "False" ]; then
echo "#" >"${nginx_conf_dir}/yunohost_panel.conf.inc"
fi
@ -65,9 +65,9 @@ do_pre_regen() {
main_domain=$(cat /etc/yunohost/current_host)
# Support different strategy for security configurations
export redirect_to_https="$(yunohost settings get 'security.nginx.redirect_to_https')"
export compatibility="$(yunohost settings get 'security.nginx.compatibility')"
export experimental="$(yunohost settings get 'security.experimental.enabled')"
export redirect_to_https="$(yunohost settings get 'security.nginx.nginx_redirect_to_https')"
export compatibility="$(yunohost settings get 'security.nginx.nginx_compatibility')"
export experimental="$(yunohost settings get 'security.experimental.security_experimental_enabled')"
ynh_render_template "security.conf.inc" "${nginx_conf_dir}/security.conf.inc"
cert_status=$(yunohost domain cert status --json)
@ -92,9 +92,9 @@ do_pre_regen() {
done
export webadmin_allowlist_enabled=$(yunohost settings get security.webadmin.allowlist.enabled)
export webadmin_allowlist_enabled=$(yunohost settings get security.webadmin.webadmin_allowlist_enabled)
if [ "$webadmin_allowlist_enabled" == "True" ]; then
export webadmin_allowlist=$(yunohost settings get security.webadmin.allowlist)
export webadmin_allowlist=$(yunohost settings get security.webadmin.webadmin_allowlist)
fi
ynh_render_template "yunohost_admin.conf.inc" "${nginx_conf_dir}/yunohost_admin.conf.inc"
ynh_render_template "yunohost_api.conf.inc" "${nginx_conf_dir}/yunohost_api.conf.inc"

16
hooks/conf_regen/19-postfix
View file

@ -22,17 +22,19 @@ do_pre_regen() {
main_domain=$(cat /etc/yunohost/current_host)
# Support different strategy for security configurations
export compatibility="$(yunohost settings get 'security.postfix.compatibility')"
export compatibility="$(yunohost settings get 'security.postfix.postfix_compatibility')"
# Add possibility to specify a relay
# Could be useful with some isp with no 25 port open or more complex setup
export relay_port=""
export relay_user=""
export relay_host="$(yunohost settings get 'smtp.relay.host')"
if [ -n "${relay_host}" ]; then
relay_port="$(yunohost settings get 'smtp.relay.port')"
relay_user="$(yunohost settings get 'smtp.relay.user')"
relay_password="$(yunohost settings get 'smtp.relay.password')"
export relay_host=""
export relay_enabled="$(yunohost settings get 'email.smtp.smtp_relay_enabled')"
if [ "${relay_enabled}" == "True" ]; then
relay_host="$(yunohost settings get 'email.smtp.smtp_relay_host')"
relay_port="$(yunohost settings get 'email.smtp.smtp_relay_port')"
relay_user="$(yunohost settings get 'email.smtp.smtp_relay_user')"
relay_password="$(yunohost settings get 'email.smtp.smtp_relay_password')"
# Avoid to display "Relay account paswword" to other users
touch ${postfix_dir}/sasl_passwd
@ -54,7 +56,7 @@ do_pre_regen() {
>"${default_dir}/postsrsd"
# adapt it for IPv4-only hosts
ipv6="$(yunohost settings get 'smtp.allow_ipv6')"
ipv6="$(yunohost settings get 'email.smtp.smtp_allow_ipv6')"
if [ "$ipv6" == "False" ] || [ ! -f /proc/net/if_inet6 ]; then
sed -i \
's/ \[::ffff:127.0.0.0\]\/104 \[::1\]\/128//g' \

2
hooks/conf_regen/25-dovecot
View file

@ -16,7 +16,7 @@ do_pre_regen() {
cp dovecot-ldap.conf "${dovecot_dir}/dovecot-ldap.conf"
cp dovecot.sieve "${dovecot_dir}/global_script/dovecot.sieve"
export pop3_enabled="$(yunohost settings get 'pop3.enabled')"
export pop3_enabled="$(yunohost settings get 'email.pop3.pop3_enabled')"
export main_domain=$(cat /etc/yunohost/current_host)
export domain_list="$YNH_DOMAINS"

2
hooks/conf_regen/52-fail2ban
View file

@ -16,7 +16,7 @@ do_pre_regen() {
cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf"
cp jail.conf "${fail2ban_dir}/jail.conf"
export ssh_port="$(yunohost settings get 'security.ssh.port')"
export ssh_port="$(yunohost settings get 'security.ssh.ssh_port')"
ynh_render_template "yunohost-jails.conf" "${fail2ban_dir}/jail.d/yunohost-jails.conf"
}

2
hooks/restore/20-conf_ynh_settings
View file

@ -3,6 +3,6 @@ backup_dir="$1/conf/ynh"
cp -a "${backup_dir}/current_host" /etc/yunohost/current_host
cp -a "${backup_dir}/firewall.yml" /etc/yunohost/firewall.yml
[ ! -d "${backup_dir}/domains" ] || cp -a "${backup_dir}/domains" /etc/yunohost/domains
[ ! -e "${backup_dir}/settings.json" ] || cp -a "${backup_dir}/settings.json" "/etc/yunohost/settings.json"
[ ! -e "${backup_dir}/settings.yml" ] || cp -a "${backup_dir}/settings.yml" "/etc/yunohost/settings.yml"
[ ! -d "${backup_dir}/dyndns" ] || cp -raT "${backup_dir}/dyndns" "/etc/yunohost/dyndns"
[ ! -d "${backup_dir}/dkim" ] || cp -raT "${backup_dir}/dkim" "/etc/dkim"

71
locales/en.json
View file

@ -251,7 +251,7 @@
"diagnosis_mail_fcrdns_different_from_ehlo_domain_details": "Current reverse DNS: <code>{rdns_domain}</code><br>Expected value: <code>{ehlo_domain}</code>",
"diagnosis_mail_fcrdns_dns_missing": "No reverse DNS is defined in IPv{ipversion}. Some emails may fail to get delivered or may get flagged as spam.",
"diagnosis_mail_fcrdns_nok_alternatives_4": "Some providers won't let you configure your reverse DNS (or their feature might be broken...). If you are experiencing issues because of this, consider the following solutions:<br> - Some ISP provide the alternative of <a href='https://yunohost.org/#/email_configure_relay'>using a mail server relay</a> though it implies that the relay will be able to spy on your email traffic.<br>- A privacy-friendly alternative is to use a VPN *with a dedicated public IP* to bypass this kind of limits. See <a href='https://yunohost.org/#/vpn_advantage'>https://yunohost.org/#/vpn_advantage</a><br>- Or it's possible to <a href='https://yunohost.org/#/isp'>switch to a different provider</a>",
"diagnosis_mail_fcrdns_nok_alternatives_6": "Some providers won't let you configure your reverse DNS (or their feature might be broken...). If your reverse DNS is correctly configured for IPv4, you can try disabling the use of IPv6 when sending emails by running <cmd>yunohost settings set smtp.allow_ipv6 -v off</cmd>. Note: this last solution means that you won't be able to send or receive emails from the few IPv6-only servers out there.",
"diagnosis_mail_fcrdns_nok_alternatives_6": "Some providers won't let you configure your reverse DNS (or their feature might be broken...). If your reverse DNS is correctly configured for IPv4, you can try disabling the use of IPv6 when sending emails by running <cmd>yunohost settings set email.smtp.smtp_allow_ipv6 -v off</cmd>. Note: this last solution means that you won't be able to send or receive emails from the few IPv6-only servers out there.",
"diagnosis_mail_fcrdns_nok_details": "You should first try to configure the reverse DNS with <code>{ehlo_domain}</code> in your internet router interface or your hosting provider interface. (Some hosting provider may require you to send them a support ticket for this).",
"diagnosis_mail_fcrdns_ok": "Your reverse DNS is correctly configured!",
"diagnosis_mail_outgoing_port_25_blocked": "The SMTP mail server cannot send emails to other servers because outgoing port 25 is blocked in IPv{ipversion}.",
@ -288,8 +288,8 @@
"diagnosis_services_bad_status_tip": "You can try to <a href='#/services/{service}'>restart the service</a>, and if it doesn't work, have a look at <a href='#/services/{service}'>the service logs in the webadmin</a> (from the command line, you can do this with <cmd>yunohost service restart {service}</cmd> and <cmd>yunohost service log {service}</cmd>).",
"diagnosis_services_conf_broken": "Configuration is broken for service {service}!",
"diagnosis_services_running": "Service {service} is running!",
"diagnosis_sshd_config_inconsistent": "It looks like the SSH port was manually modified in /etc/ssh/sshd_config. Since YunoHost 4.2, a new global setting 'security.ssh.port' is available to avoid manually editing the configuration.",
"diagnosis_sshd_config_inconsistent_details": "Please run <cmd>yunohost settings set security.ssh.port -v YOUR_SSH_PORT</cmd> to define the SSH port, and check <cmd>yunohost tools regen-conf ssh --dry-run --with-diff</cmd> and <cmd>yunohost tools regen-conf ssh --force</cmd> to reset your conf to the YunoHost recommendation.",
"diagnosis_sshd_config_inconsistent": "It looks like the SSH port was manually modified in /etc/ssh/sshd_config. Since YunoHost 4.2, a new global setting 'security.ssh.ssh_port' is available to avoid manually editing the configuration.",
"diagnosis_sshd_config_inconsistent_details": "Please run <cmd>yunohost settings set security.ssh.ssh_port -v YOUR_SSH_PORT</cmd> to define the SSH port, and check <cmd>yunohost tools regen-conf ssh --dry-run --with-diff</cmd> and <cmd>yunohost tools regen-conf ssh --force</cmd> to reset your conf to the YunoHost recommendation.",
"diagnosis_sshd_config_insecure": "The SSH configuration appears to have been manually modified, and is insecure because it contains no 'AllowGroups' or 'AllowUsers' directive to limit access to authorized users.",
"diagnosis_swap_none": "The system has no swap at all. You should consider adding at least {recommended} of swap to avoid situations where the system runs out of memory.",
"diagnosis_swap_notsomuch": "The system has only {total} swap. You should consider having at least {recommended} to avoid situations where the system runs out of memory.",
@ -367,33 +367,41 @@
"firewall_reload_failed": "Could not reload the firewall",
"firewall_reloaded": "Firewall reloaded",
"firewall_rules_cmd_failed": "Some firewall rule commands have failed. More info in log.",
"global_settings_bad_choice_for_enum": "Bad choice for setting {setting}, received '{choice}', but available choices are: {available_choices}",
"global_settings_bad_type_for_setting": "Bad type for setting {setting}, received {received_type}, expected {expected_type}",
"global_settings_cant_open_settings": "Could not open settings file, reason: {reason}",
"global_settings_cant_serialize_settings": "Could not serialize settings data, reason: {reason}",
"global_settings_cant_write_settings": "Could not save settings file, reason: {reason}",
"global_settings_key_doesnt_exists": "The key '{settings_key}' does not exist in the global settings, you can see all the available keys by running 'yunohost settings list'",
"global_settings_reset_success": "Previous settings now backed up to {path}",
"global_settings_setting_backup_compress_tar_archives": "When creating new backups, compress the archives (.tar.gz) instead of uncompressed archives (.tar). N.B. : enabling this option means create lighter backup archives, but the initial backup procedure will be significantly longer and heavy on CPU.",
"global_settings_setting_pop3_enabled": "Enable the POP3 protocol for the mail server",
"global_settings_setting_security_experimental_enabled": "Enable experimental security features (don't enable this if you don't know what you're doing!)",
"global_settings_setting_security_nginx_compatibility": "Compatibility vs. security tradeoff for the web server NGINX. Affects the ciphers (and other security-related aspects)",
"global_settings_setting_security_nginx_redirect_to_https": "Redirect HTTP requests to HTTPs by default (DO NOT TURN OFF unless you really know what you're doing!)",
"global_settings_setting_security_password_admin_strength": "Admin password strength",
"global_settings_setting_security_password_user_strength": "User password strength",
"global_settings_setting_security_postfix_compatibility": "Compatibility vs. security tradeoff for the Postfix server. Affects the ciphers (and other security-related aspects)",
"global_settings_setting_security_ssh_compatibility": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects)",
"global_settings_setting_security_ssh_password_authentication": "Allow password authentication for SSH",
"global_settings_setting_security_ssh_port": "SSH port",
"global_settings_setting_security_webadmin_allowlist": "IP adresses allowed to access the webadmin. Comma-separated.",
"global_settings_setting_security_webadmin_allowlist_enabled": "Allow only some IPs to access the webadmin.",
"global_settings_setting_service_ssh_allow_deprecated_dsa_hostkey": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration",
"global_settings_setting_smtp_allow_ipv6": "Allow the use of IPv6 to receive and send mail",
"global_settings_setting_smtp_relay_host": "SMTP relay host to use in order to send mail instead of this yunohost instance. Useful if you are in one of this situation: your 25 port is blocked by your ISP or VPS provider, you have a residential IP listed on DUHL, you are not able to configure reverse DNS or this server is not directly exposed on the internet and you want use an other one to send mails.",
"global_settings_setting_smtp_relay_password": "SMTP relay host password",
"global_settings_setting_smtp_relay_port": "SMTP relay port",
"global_settings_setting_smtp_relay_user": "SMTP relay user account",
"global_settings_setting_ssowat_panel_overlay_enabled": "Enable SSOwat panel overlay",
"global_settings_reset_success": "Reset global settings",
"global_settings_setting_admin_strength": "Admin password strength",
"global_settings_setting_backup_compress_tar_archives": "Compress backups",
"global_settings_setting_backup_compress_tar_archives_help": "When creating new backups, compress the archives (.tar.gz) instead of uncompressed archives (.tar). N.B. : enabling this option means create lighter backup archives, but the initial backup procedure will be significantly longer and heavy on CPU.",
"global_settings_setting_nginx_compatibility": "Compatibility",
"global_settings_setting_nginx_compatibility_help": "Compatibility vs. security tradeoff for the web server NGINX. Affects the ciphers (and other security-related aspects)",
"global_settings_setting_nginx_redirect_to_https": "Force HTTPS",
"global_settings_setting_nginx_redirect_to_https_help": "Redirect HTTP requests to HTTPs by default (DO NOT TURN OFF unless you really know what you're doing!)",
"global_settings_setting_pop3_enabled": "Enable POP3",
"global_settings_setting_pop3_enabled_help": "Enable the POP3 protocol for the mail server",
"global_settings_setting_postfix_compatibility": "Compatibility",
"global_settings_setting_postfix_compatibility_help": "Compatibility vs. security tradeoff for the Postfix server. Affects the ciphers (and other security-related aspects)",
"global_settings_setting_security_experimental_enabled": "Experimental security features",
"global_settings_setting_security_experimental_enabled_help": "Enable experimental security features (don't enable this if you don't know what you're doing!)",
"global_settings_setting_smtp_allow_ipv6": "Allow IPv6",
"global_settings_setting_smtp_allow_ipv6_help": "Allow the use of IPv6 to receive and send mail",
"global_settings_setting_smtp_relay_enabled": "Enable SMTP relay",
"global_settings_setting_smtp_relay_enabled_help": "Enable the SMTP relay to use in order to send mail instead of this yunohost instance. Useful if you are in one of this situation: your 25 port is blocked by your ISP or VPS provider, you have a residential IP listed on DUHL, you are not able to configure reverse DNS or this server is not directly exposed on the internet and you want use an other one to send mails.",
"global_settings_setting_smtp_relay_host": "Relay host",
"global_settings_setting_smtp_relay_password": "Relay password",
"global_settings_setting_smtp_relay_port": "Relay port",
"global_settings_setting_smtp_relay_user": "Relay user",
"global_settings_setting_ssh_allow_deprecated_dsa_hostkey": "Allow DSA hostkey",
"global_settings_setting_ssh_allow_deprecated_dsa_hostkey_help": "Allow the use of (deprecated) DSA hostkey for the SSH daemon configuration",
"global_settings_setting_ssh_compatibility": "Compatibility",
"global_settings_setting_ssh_compatibility_help": "Compatibility vs. security tradeoff for the SSH server. Affects the ciphers (and other security-related aspects)",
"global_settings_setting_ssh_password_authentication": "Password authentication",
"global_settings_setting_ssh_password_authentication_help": "Allow password authentication for SSH",
"global_settings_setting_ssh_port": "SSH port",
"global_settings_setting_ssowat_panel_overlay_enabled": "SSOwat panel overlay",
"global_settings_setting_user_strength": "User password strength",
"global_settings_setting_webadmin_allowlist": "Webadmin IP allowlist",
"global_settings_setting_webadmin_allowlist_help": "IP adresses allowed to access the webadmin.",
"global_settings_setting_webadmin_allowlist_enabled": "Enable Webadmin IP allowlist",
"global_settings_setting_webadmin_allowlist_enabled_help": "Allow only some IPs to access the webadmin.",
"global_settings_unknown_setting_from_settings_file": "Unknown key in settings: '{setting_key}', discard it and save it in /etc/yunohost/settings-unknown.json",
"global_settings_unknown_type": "Unexpected situation, the setting {setting} appears to have the type {unknown_type} but it is not a type supported by the system.",
"good_practices_about_admin_password": "You are now about to define a new administration password. The password should be at least 8 characters long—though it is good practice to use a longer password (i.e. a passphrase) and/or to use a variation of characters (uppercase, lowercase, digits and special characters).",
@ -478,6 +486,9 @@
"log_user_permission_reset": "Reset permission '{}'",
"log_user_permission_update": "Update accesses for permission '{}'",
"log_user_update": "Update info for user '{}'",
"log_settings_set": "Apply settings",
"log_settings_reset": "Reset setting",
"log_settings_reset_all": "Reset all setting",
"mail_alias_remove_failed": "Could not remove e-mail alias '{mail}'",
"mail_domain_unknown": "Invalid e-mail address for domain '{domain}'. Please, use a domain administrated by this server.",
"mail_forward_remove_failed": "Could not remove e-mail forwarding '{mail}'",

2
maintenance/missing_i18n_keys.py
View file

@ -100,7 +100,7 @@ def find_expected_string_keys():
yield m
# Global settings descriptions
# Will be on a line like : ("service.ssh.allow_deprecated_dsa_hostkey", {"type": "bool", ...
# Will be on a line like : ("security.ssh.ssh_allow_deprecated_dsa_hostkey", {"type": "bool", ...
p5 = re.compile(r" \(\n*\s*[\"\'](\w[\w\.]+)[\"\'],")
content = open(ROOT + "src/settings.py").read()
for m in (

24
share/actionsmap.yml
View file

@ -1093,6 +1093,11 @@ settings:
list:
action_help: list all entries of the settings
api: GET /settings
arguments:
-f:
full: --full
help: Display all details (meant to be used by the API)
action: store_true
### settings_get()
get:
@ -1101,22 +1106,29 @@ settings:
arguments:
key:
help: Settings key
--full:
help: Show more details
-f:
full: --full
help: Display all details (meant to be used by the API)
action: store_true
-e:
full: --export
help: Only export key/values, meant to be reimported using "config set --args-file"
action: store_true
### settings_set()
set:
action_help: set an entry value in the settings
api: POST /settings/<key>
api: PUT /settings
arguments:
key:
help: Settings key
help: The question or form key
nargs: '?'
-v:
full: --value
help: new value
extra:
required: True
-a:
full: --args
help: Serialized arguments for new configuration (i.e. "mail_in=0&mail_out=0")
### settings_reset_all()
reset-all:

145
share/config_settings.toml Normal file
View file

@ -0,0 +1,145 @@
version = "1.0"
i18n = "global_settings_setting"
[security]
name = "Security"
[security.password]
name = "Passwords"
[security.password.admin_strength]
type = "number"
default = 1
[security.password.user_strength]
type = "number"
default = 1
[security.ssh]
name = "SSH"
[security.ssh.ssh_compatibility]
type = "select"
default = "modern"
choices = ["intermediate", "modern"]
[security.ssh.ssh_port]
type = "number"
default = 22
[security.ssh.ssh_password_authentication]
type = "boolean"
yes = "True"
no = "False"
default = "False"
[security.ssh.ssh_allow_deprecated_dsa_hostkey]
type = "boolean"
yes = "True"
no = "False"
default = "False"
[security.nginx]
name = "NGINX"
[security.nginx.nginx_redirect_to_https]
type = "boolean"
yes = "True"
no = "False"
default = "True"
[security.nginx.nginx_compatibility]
type = "select"
default = "intermediate"
choices = ["intermediate", "modern"]
[security.postfix]
name = "Postfix"
[security.postfix.postfix_compatibility]
type = "select"
default = "intermediate"
choices = ["intermediate", "modern"]
[security.webadmin]
name = "Webadmin"
[security.webadmin.webadmin_allowlist_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "False"
[security.webadmin.webadmin_allowlist]
type = "tags"
visible = "webadmin_allowlist_enabled"
optional = true
default = ""
[security.experimental]
name = "Experimental"
[security.experimental.security_experimental_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "False"
[email]
name = "Email"
[email.pop3]
name = "POP3"
[email.pop3.pop3_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "False"
[email.smtp]
name = "SMTP"
[email.smtp.smtp_allow_ipv6]
type = "boolean"
yes = "True"
no = "False"
default = "True"
[email.smtp.smtp_relay_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "False"
[email.smtp.smtp_relay_host]
type = "string"
default = ""
optional = true
visible="smtp_relay_enabled"
[email.smtp.smtp_relay_port]
type = "number"
default = 587
visible="smtp_relay_enabled"
[email.smtp.smtp_relay_user]
type = "string"
default = ""
optional = true
visible="smtp_relay_enabled"
[email.smtp.smtp_relay_password]
type = "password"
default = ""
optional = true
visible="smtp_relay_enabled"
[misc]
name = "Other"
[misc.ssowat]
name = "SSOwat"
[misc.ssowat.ssowat_panel_overlay_enabled]
type = "boolean"
yes = "True"
no = "False"
default = "True"
[misc.backup]
name = "Backup"
[misc.backup.backup_compress_tar_archives]
type = "boolean"
yes = "True"
no = "False"
default = "False"

2
src/backup.py
View file

@ -1928,7 +1928,7 @@ class TarBackupMethod(BackupMethod):
def _archive_file(self):
if isinstance(self.manager, BackupManager) and settings_get(
"backup.compress_tar_archives"
"misc.backup.backup_compress_tar_archives"
):
return os.path.join(self.repo, self.name + ".tar.gz")

9
src/certificate.py
View file

@ -34,7 +34,7 @@ from datetime import datetime
from moulinette import m18n
from moulinette.utils.log import getActionLogger
from moulinette.utils.filesystem import read_file
from moulinette.utils.filesystem import read_file, chown, chmod
from yunohost.vendor.acme_tiny.acme_tiny import get_crt as sign_certificate
from yunohost.utils.error import YunohostError, YunohostValidationError
@ -719,11 +719,8 @@ def _generate_key(destination_path):
def _set_permissions(path, user, group, permissions):
uid = pwd.getpwnam(user).pw_uid
gid = grp.getgrnam(group).gr_gid
os.chown(path, uid, gid)
os.chmod(path, permissions)
chown(path, user, group)
chmod(path, permissions)
def _enable_certificate(domain, new_cert_folder):

6
src/diagnosers/21-web.py
View file

@ -5,7 +5,7 @@ import random
import requests
from typing import List
from moulinette.utils.filesystem import read_file
from moulinette.utils.filesystem import read_file, mkdir, rm
from yunohost.diagnosis import Diagnoser
from yunohost.domain import domain_list
@ -46,8 +46,8 @@ class MyDiagnoser(Diagnoser):
domains_to_check.append(domain)
self.nonce = "".join(random.choice("0123456789abcedf") for i in range(16))
os.system("rm -rf /tmp/.well-known/ynh-diagnosis/")
os.system("mkdir -p /tmp/.well-known/ynh-diagnosis/")
rm("/tmp/.well-known/ynh-diagnosis/", recursive=True, force=True)
mkdir("/tmp/.well-known/ynh-diagnosis/", parents=True)
os.system("touch /tmp/.well-known/ynh-diagnosis/%s" % self.nonce)
if not domains_to_check:

2
src/diagnosers/24-mail.py
View file

@ -291,7 +291,7 @@ class MyDiagnoser(Diagnoser):
if global_ipv4:
outgoing_ips.append(global_ipv4)
if settings_get("smtp.allow_ipv6"):
if settings_get("email.smtp.smtp_allow_ipv6"):
ipv6 = Diagnoser.get_cached_report("ip", {"test": "ipv6"}) or {}
if ipv6.get("status") == "SUCCESS":
outgoing_ipversions.append(6)

2
src/diagnosers/70-regenconf.py
View file

@ -53,7 +53,7 @@ class MyDiagnoser(Diagnoser):
)
# Check consistency between actual ssh port in sshd_config vs. setting
ssh_port_setting = settings_get("security.ssh.port")
ssh_port_setting = settings_get("security.ssh.ssh_port")
ssh_port_line = re.findall(
r"\bPort *([0-9]{2,5})\b", read_file("/etc/ssh/sshd_config")
)

44
src/migrations/0024_global_settings_to_configpanel.py Normal file
View file

@ -0,0 +1,44 @@
import subprocess
import time
import urllib
import os
from yunohost.utils.error import YunohostError
from moulinette.utils.log import getActionLogger
from moulinette.utils.filesystem import (
read_json,
write_to_yaml
)
from yunohost.tools import Migration
from yunohost.settings import settings_set
from yunohost.utils.legacy import translate_legacy_settings_to_configpanel_settings
logger = getActionLogger("yunohost.migration")
SETTINGS_PATH = "/etc/yunohost/settings.yml"
OLD_SETTINGS_PATH = "/etc/yunohost/settings.json"
class MyMigration(Migration):
"Migrate old global settings to the new ConfigPanel global settings"
dependencies = ["migrate_to_bullseye"]
def run(self):
if not os.path.exists(OLD_SETTINGS_PATH):
return
try:
old_settings = read_json(OLD_SETTINGS_PATH)
except Exception as e:
raise YunohostError("global_settings_cant_open_settings", reason=e)
settings = { translate_legacy_settings_to_configpanel_settings(k): v['value'] for k,v in old_settings.items() }
if settings.get('email.smtp.smtp_relay_host') != "":
settings['email.smtp.smtp_relay_enabled'] = "True"
# Here we don't use settings_set() from settings.py to prevent
# Questions to be asked when one run the migration from CLI.
write_to_yaml(SETTINGS_PATH, settings)

438
src/settings.py
View file

@ -2,128 +2,26 @@ import os
import json
import subprocess
from datetime import datetime
from collections import OrderedDict
from moulinette import m18n
from yunohost.utils.error import YunohostError, YunohostValidationError
from yunohost.utils.config import ConfigPanel, Question
from moulinette.utils.log import getActionLogger
from yunohost.regenconf import regen_conf
from yunohost.firewall import firewall_reload
from yunohost.log import is_unit_operation
from yunohost.utils.legacy import translate_legacy_settings_to_configpanel_settings
logger = getActionLogger("yunohost.settings")
SETTINGS_PATH = "/etc/yunohost/settings.json"
SETTINGS_PATH_OTHER_LOCATION = "/etc/yunohost/settings-%s.json"
SETTINGS_PATH = "/etc/yunohost/settings.yml"
BOOLEANS = {
"True": True,
"False": False,
}
def is_boolean(value):
TRUE = ["true", "on", "yes", "y", "1"]
FALSE = ["false", "off", "no", "n", "0"]
"""
Ensure a string value is intended as a boolean
Keyword arguments:
arg -- The string to check
Returns:
(is_boolean, boolean_value)
"""
if isinstance(value, bool):
return True, value
if value in [0, 1]:
return True, bool(value)
elif isinstance(value, str):
if str(value).lower() in TRUE + FALSE:
return True, str(value).lower() in TRUE
else:
return False, None
else:
return False, None
# a settings entry is in the form of:
# namespace.subnamespace.name: {type, value, default, description, [choices]}
# choices is only for enum
# the keyname can have as many subnamespace as needed but should have at least
# one level of namespace
# description is implied from the translated strings
# the key is "global_settings_setting_%s" % key.replace(".", "_")
# type can be:
# * bool
# * int
# * string
# * enum (in the form of a python list)
DEFAULTS = OrderedDict(
[
# Password Validation
# -1 disabled, 0 alert if listed, 1 8-letter, 2 normal, 3 strong, 4 strongest
("security.password.admin.strength", {"type": "int", "default": 1}),
("security.password.user.strength", {"type": "int", "default": 1}),
(
"service.ssh.allow_deprecated_dsa_hostkey",
{"type": "bool", "default": False},
),
(
"security.ssh.compatibility",
{
"type": "enum",
"default": "modern",
"choices": ["intermediate", "modern"],
},
),
(
"security.ssh.port",
{"type": "int", "default": 22},
),
(
"security.ssh.password_authentication",
{"type": "bool", "default": True},
),
(
"security.nginx.redirect_to_https",
{
"type": "bool",
"default": True,
},
),
(
"security.nginx.compatibility",
{
"type": "enum",
"default": "intermediate",
"choices": ["intermediate", "modern"],
},
),
(
"security.postfix.compatibility",
{
"type": "enum",
"default": "intermediate",
"choices": ["intermediate", "modern"],
},
),
("pop3.enabled", {"type": "bool", "default": False}),
("smtp.allow_ipv6", {"type": "bool", "default": True}),
("smtp.relay.host", {"type": "string", "default": ""}),
("smtp.relay.port", {"type": "int", "default": 587}),
("smtp.relay.user", {"type": "string", "default": ""}),
("smtp.relay.password", {"type": "string", "default": ""}),
("backup.compress_tar_archives", {"type": "bool", "default": False}),
("ssowat.panel_overlay.enabled", {"type": "bool", "default": True}),
("security.webadmin.allowlist.enabled", {"type": "bool", "default": False}),
("security.webadmin.allowlist", {"type": "string", "default": ""}),
("security.experimental.enabled", {"type": "bool", "default": False}),
]
)
def settings_get(key, full=False):
def settings_get(key="", full=False, export=False):
"""
Get an entry value in the settings
@ -131,28 +29,40 @@ def settings_get(key, full=False):
key -- Settings key
"""
settings = _get_settings()
if key not in settings:
if full and export:
raise YunohostValidationError(
"global_settings_key_doesnt_exists", settings_key=key
"You can't use --full and --export together.", raw_msg=True
)
if full:
return settings[key]
mode = "full"
elif export:
mode = "export"
else:
mode = "classic"
return settings[key]["value"]
if mode == "classic" and key == "":
raise YunohostValidationError("Missing key", raw_msg=True)
settings = SettingsConfigPanel()
key = translate_legacy_settings_to_configpanel_settings(key)
return settings.get(key, mode)
def settings_list():
def settings_list(full=False, export=True):
"""
List all entries of the settings
"""
return _get_settings()
if full:
export = False
return settings_get(full=full, export=export)
def settings_set(key, value):
@is_unit_operation()
def settings_set(operation_logger, key=None, value=None, args=None, args_file=None):
"""
Set an entry value in the settings
@ -161,78 +71,14 @@ def settings_set(key, value):
value -- New value
"""
settings = _get_settings()
if key not in settings:
raise YunohostValidationError(
"global_settings_key_doesnt_exists", settings_key=key
)
key_type = settings[key]["type"]
if key_type == "bool":
boolean_value = is_boolean(value)
if boolean_value[0]:
value = boolean_value[1]
else:
raise YunohostValidationError(
"global_settings_bad_type_for_setting",
setting=key,
received_type=type(value).__name__,
expected_type=key_type,
)
elif key_type == "int":
if not isinstance(value, int) or isinstance(value, bool):
if isinstance(value, str):
try:
value = int(value)
except Exception:
raise YunohostValidationError(
"global_settings_bad_type_for_setting",
setting=key,
received_type=type(value).__name__,
expected_type=key_type,
)
else:
raise YunohostValidationError(
"global_settings_bad_type_for_setting",
setting=key,
received_type=type(value).__name__,
expected_type=key_type,
)
elif key_type == "string":
if not isinstance(value, str):
raise YunohostValidationError(
"global_settings_bad_type_for_setting",
setting=key,
received_type=type(value).__name__,
expected_type=key_type,
)
elif key_type == "enum":
if value not in settings[key]["choices"]:
raise YunohostValidationError(
"global_settings_bad_choice_for_enum",
setting=key,
choice=str(value),
available_choices=", ".join(settings[key]["choices"]),
)
else:
raise YunohostValidationError(
"global_settings_unknown_type", setting=key, unknown_type=key_type
)
old_value = settings[key].get("value")
settings[key]["value"] = value
_save_settings(settings)
try:
trigger_post_change_hook(key, old_value, value)
except Exception as e:
logger.error(f"Post-change hook for setting {key} failed : {e}")
raise
Question.operation_logger = operation_logger
settings = SettingsConfigPanel()
key = translate_legacy_settings_to_configpanel_settings(key)
return settings.set(key, value, args, args_file, operation_logger=operation_logger)
def settings_reset(key):
@is_unit_operation()
def settings_reset(operation_logger, key):
"""
Set an entry value to its default one
@ -240,18 +86,14 @@ def settings_reset(key):
key -- Settings key
"""
settings = _get_settings()
if key not in settings:
raise YunohostValidationError(
"global_settings_key_doesnt_exists", settings_key=key
)
settings[key]["value"] = settings[key]["default"]
_save_settings(settings)
settings = SettingsConfigPanel()
key = translate_legacy_settings_to_configpanel_settings(key)
return settings.reset(key, operation_logger=operation_logger)
def settings_reset_all():
@is_unit_operation()
def settings_reset_all(operation_logger):
"""
Reset all settings to their default value
@ -259,110 +101,83 @@ def settings_reset_all():
yes -- Yes I'm sure I want to do that
"""
settings = _get_settings()
# For now on, we backup the previous settings in case of but we don't have
# any mecanism to take advantage of those backups. It could be a nice
# addition but we'll see if this is a common need.
# Another solution would be to use etckeeper and integrate those
# modification inside of it and take advantage of its git history
old_settings_backup_path = (
SETTINGS_PATH_OTHER_LOCATION % datetime.utcnow().strftime("%F_%X")
)
_save_settings(settings, location=old_settings_backup_path)
for value in settings.values():
value["value"] = value["default"]
_save_settings(settings)
return {
"old_settings_backup_path": old_settings_backup_path,
"message": m18n.n(
"global_settings_reset_success", path=old_settings_backup_path
),
}
settings = SettingsConfigPanel()
return settings.reset(operation_logger=operation_logger)
def _get_setting_description(key):
return m18n.n(f"global_settings_setting_{key}".replace(".", "_"))
class SettingsConfigPanel(ConfigPanel):
entity_type = "settings"
save_path_tpl = SETTINGS_PATH
save_mode = "diff"
def __init__(
self, config_path=None, save_path=None, creation=False
):
super().__init__("settings")
def _get_settings():
def _apply(self):
super()._apply()
settings = {}
settings = { k: v for k, v in self.future_values.items() if self.values.get(k) != v }
for setting_name, value in settings.items():
try:
trigger_post_change_hook(setting_name, self.values.get(setting_name), value)
except Exception as e:
logger.error(f"Post-change hook for setting failed : {e}")
raise
for key, value in DEFAULTS.copy().items():
settings[key] = value
settings[key]["value"] = value["default"]
settings[key]["description"] = _get_setting_description(key)
def get(self, key="", mode="classic"):
result = super().get(key=key, mode=mode)
if not os.path.exists(SETTINGS_PATH):
return settings
if mode == "full":
for panel, section, option in self._iterate():
if m18n.key_exists(self.config["i18n"] + "_" + option["id"] + "_help"):
option["help"] = m18n.n(self.config["i18n"] + "_" + option["id"] + "_help")
return self.config
# we have a very strict policy on only allowing settings that we know in
# the OrderedDict DEFAULTS
# For various reason, while reading the local settings we might encounter
# settings that aren't in DEFAULTS, those can come from settings key that
# we have removed, errors or the user trying to modify
# /etc/yunohost/settings.json
# To avoid to simply overwrite them, we store them in
# /etc/yunohost/settings-unknown.json in case of
unknown_settings = {}
unknown_settings_path = SETTINGS_PATH_OTHER_LOCATION % "unknown"
# Dirty hack to let settings_get() to work from a python script
if isinstance(result, str) and result in BOOLEANS:
result = BOOLEANS[result]
return result
def reset(self, key = "", operation_logger=None):
self.filter_key = key
# Read config panel toml
self._get_config_panel()
if not self.config:
raise YunohostValidationError("config_no_panel")
# Replace all values with default values
self.values = self._get_default_values()
Question.operation_logger = operation_logger
if operation_logger:
operation_logger.start()
if os.path.exists(unknown_settings_path):
try:
unknown_settings = json.load(open(unknown_settings_path, "r"))
except Exception as e:
logger.warning(f"Error while loading unknown settings {e}")
self._apply()
except YunohostError:
raise
# Script got manually interrupted ...
# N.B. : KeyboardInterrupt does not inherit from Exception
except (KeyboardInterrupt, EOFError):
error = m18n.n("operation_interrupted")
logger.error(m18n.n("config_apply_failed", error=error))
raise
# Something wrong happened in Yunohost's code (most probably hook_exec)
except Exception:
import traceback
try:
with open(SETTINGS_PATH) as settings_fd:
local_settings = json.load(settings_fd)
error = m18n.n("unexpected_error", error="\n" + traceback.format_exc())
logger.error(m18n.n("config_apply_failed", error=error))
raise
for key, value in local_settings.items():
if key in settings:
settings[key] = value
settings[key]["description"] = _get_setting_description(key)
else:
logger.warning(
m18n.n(
"global_settings_unknown_setting_from_settings_file",
setting_key=key,
)
)
unknown_settings[key] = value
except Exception as e:
raise YunohostValidationError("global_settings_cant_open_settings", reason=e)
if unknown_settings:
try:
_save_settings(unknown_settings, location=unknown_settings_path)
_save_settings(settings)
except Exception as e:
logger.warning(f"Failed to save unknown settings (because {e}), aborting.")
return settings
def _save_settings(settings, location=SETTINGS_PATH):
settings_without_description = {}
for key, value in settings.items():
settings_without_description[key] = value
if "description" in value:
del settings_without_description[key]["description"]
try:
result = json.dumps(settings_without_description, indent=4)
except Exception as e:
raise YunohostError("global_settings_cant_serialize_settings", reason=e)
try:
with open(location, "w") as settings_fd:
settings_fd.write(result)
except Exception as e:
raise YunohostError("global_settings_cant_write_settings", reason=e)
logger.success(m18n.n("global_settings_reset_success"))
operation_logger.success()
# Meant to be a dict of setting_name -> function to call
@ -370,13 +185,8 @@ post_change_hooks = {}
def post_change_hook(setting_name):
# TODO: Check that setting_name exists
def decorator(func):
assert (
setting_name in DEFAULTS.keys()
), f"The setting {setting_name} does not exists"
assert (
setting_name not in post_change_hooks
), f"You can only register one post change hook per setting (in particular for {setting_name})"
post_change_hooks[setting_name] = func
return func
@ -404,48 +214,48 @@ def trigger_post_change_hook(setting_name, old_value, new_value):
# ===========================================
@post_change_hook("ssowat.panel_overlay.enabled")
@post_change_hook("security.nginx.redirect_to_https")
@post_change_hook("security.nginx.compatibility")
@post_change_hook("security.webadmin.allowlist.enabled")
@post_change_hook("security.webadmin.allowlist")
@post_change_hook("ssowat_panel_overlay_enabled")
@post_change_hook("nginx_redirect_to_https")
@post_change_hook("nginx_compatibility")
@post_change_hook("webadmin_allowlist_enabled")
@post_change_hook("webadmin_allowlist")
def reconfigure_nginx(setting_name, old_value, new_value):
if old_value != new_value:
regen_conf(names=["nginx"])
@post_change_hook("security.experimental.enabled")
@post_change_hook("security_experimental_enabled")
def reconfigure_nginx_and_yunohost(setting_name, old_value, new_value):
if old_value != new_value:
regen_conf(names=["nginx", "yunohost"])
@post_change_hook("security.ssh.compatibility")
@post_change_hook("security.ssh.password_authentication")
@post_change_hook("ssh_compatibility")
@post_change_hook("ssh_password_authentication")
def reconfigure_ssh(setting_name, old_value, new_value):
if old_value != new_value:
regen_conf(names=["ssh"])
@post_change_hook("security.ssh.port")
@post_change_hook("ssh_port")
def reconfigure_ssh_and_fail2ban(setting_name, old_value, new_value):
if old_value != new_value:
regen_conf(names=["ssh", "fail2ban"])
firewall_reload()
@post_change_hook("smtp.allow_ipv6")
@post_change_hook("smtp.relay.host")
@post_change_hook("smtp.relay.port")
@post_change_hook("smtp.relay.user")
@post_change_hook("smtp.relay.password")
@post_change_hook("security.postfix.compatibility")
@post_change_hook("smtp_allow_ipv6")
@post_change_hook("smtp_relay_host")
@post_change_hook("smtp_relay_port")
@post_change_hook("smtp_relay_user")
@post_change_hook("smtp_relay_password")
@post_change_hook("postfix_compatibility")
def reconfigure_postfix(setting_name, old_value, new_value):
if old_value != new_value:
regen_conf(names=["postfix"])
@post_change_hook("pop3.enabled")
@post_change_hook("pop3_enabled")
def reconfigure_dovecot(setting_name, old_value, new_value):
dovecot_package = "dovecot-pop3d"

266
src/tests/test_settings.py
View file

@ -3,177 +3,215 @@ import json
import glob
import pytest
from yunohost.utils.error import YunohostError
import moulinette
from yunohost.utils.error import YunohostError, YunohostValidationError
import yunohost.settings as settings
from yunohost.settings import (
settings_get,
settings_list,
_get_settings,
settings_set,
settings_reset,
settings_reset_all,
SETTINGS_PATH_OTHER_LOCATION,
SETTINGS_PATH,
DEFAULTS,
SETTINGS_PATH
)
DEFAULTS["example.bool"] = {"type": "bool", "default": True}
DEFAULTS["example.int"] = {"type": "int", "default": 42}
DEFAULTS["example.string"] = {"type": "string", "default": "yolo swag"}
DEFAULTS["example.enum"] = {"type": "enum", "default": "a", "choices": ["a", "b", "c"]}
EXAMPLE_SETTINGS = """
[example]
[example.example]
[example.example.boolean]
type = "boolean"
yes = "True"
no = "False"
default = "True"
[example.example.number]
type = "number"
default = 42
[example.example.string]
type = "string"
default = "yolo swag"
[example.example.select]
type = "select"
choices = ["a", "b", "c"]
default = "a"
"""
def setup_function(function):
os.system("mv /etc/yunohost/settings.json /etc/yunohost/settings.json.saved")
# Backup settings
if os.path.exists(SETTINGS_PATH):
os.system(f"mv {SETTINGS_PATH} {SETTINGS_PATH}.saved")
# Add example settings to config panel
os.system("cp /usr/share/yunohost/config_settings.toml /usr/share/yunohost/config_settings.toml.saved")
with open("/usr/share/yunohost/config_settings.toml", "a") as file:
file.write(EXAMPLE_SETTINGS)
def teardown_function(function):
os.system("mv /etc/yunohost/settings.json.saved /etc/yunohost/settings.json")
for filename in glob.glob("/etc/yunohost/settings-*.json"):
os.remove(filename)
if os.path.exists("/etc/yunohost/settings.yml.saved"):
os.system(f"mv {SETTINGS_PATH}.saved {SETTINGS_PATH}")
elif os.path.exists(SETTINGS_PATH):
os.remove(SETTINGS_PATH)
os.system("mv /usr/share/yunohost/config_settings.toml.saved /usr/share/yunohost/config_settings.toml")
def monkey_get_setting_description(key):
return "Dummy %s setting" % key.split(".")[-1]
old_translate = moulinette.core.Translator.translate
def _monkeypatch_translator(self, key, *args, **kwargs):
if key.startswith("global_settings_setting_"):
return f"Dummy translation for {key}"
return old_translate(self, key, *args, **kwargs)
moulinette.core.Translator.translate = _monkeypatch_translator
settings._get_setting_description = monkey_get_setting_description
def _get_settings():
return yaml.load(open(SETTINGS_PATH, "r"))
def test_settings_get_bool():
assert settings_get("example.bool")
assert settings_get("example.example.boolean")
def test_settings_get_full_bool():
assert settings_get("example.bool", True) == {
"type": "bool",
"value": True,
"default": True,
"description": "Dummy bool setting",
}
# FIXME : Testing this doesn't make sense ? This should be tested in test_config.py ?
#def test_settings_get_full_bool():
# assert settings_get("example.example.boolean", True) == {'version': '1.0',
# 'i18n': 'global_settings_setting',
# 'panels': [{'services': [],
# 'actions': {'apply': {'en': 'Apply'}},
# 'sections': [{'name': '',
# 'services': [],
# 'optional': True,
# 'options': [{'type': 'boolean',
# 'yes': 'True',
# 'no': 'False',
# 'default': 'True',
# 'id': 'boolean',
# 'name': 'boolean',
# 'optional': True,
# 'current_value': 'True',
# 'ask': 'global_settings_setting_boolean',
# 'choices': []}],
# 'id': 'example'}],
# 'id': 'example',
# 'name': {'en': 'Example'}}]}
def test_settings_get_int():
assert settings_get("example.int") == 42
assert settings_get("example.example.number") == 42
def test_settings_get_full_int():
assert settings_get("example.int", True) == {
"type": "int",
"value": 42,
"default": 42,
"description": "Dummy int setting",
}
#def test_settings_get_full_int():
# assert settings_get("example.int", True) == {
# "type": "int",
# "value": 42,
# "default": 42,
# "description": "Dummy int setting",
# }
def test_settings_get_string():
assert settings_get("example.string") == "yolo swag"
assert settings_get("example.example.string") == "yolo swag"
def test_settings_get_full_string():
assert settings_get("example.string", True) == {
"type": "string",
"value": "yolo swag",
"default": "yolo swag",
"description": "Dummy string setting",
}
#def test_settings_get_full_string():
# assert settings_get("example.example.string", True) == {
# "type": "string",
# "value": "yolo swag",
# "default": "yolo swag",
# "description": "Dummy string setting",
# }
def test_settings_get_enum():
assert settings_get("example.enum") == "a"
def test_settings_get_select():
assert settings_get("example.example.select") == "a"
def test_settings_get_full_enum():
assert settings_get("example.enum", True) == {
"type": "enum",
"value": "a",
"default": "a",
"description": "Dummy enum setting",
"choices": ["a", "b", "c"],
}
#def test_settings_get_full_select():
# option = settings_get("example.example.select", full=True).get('panels')[0].get('sections')[0].get('options')[0]
# assert option.get('choices') == ["a", "b", "c"]
def test_settings_get_doesnt_exists():
with pytest.raises(YunohostError):
with pytest.raises(YunohostValidationError):
settings_get("doesnt.exists")
def test_settings_list():
assert settings_list() == _get_settings()
#def test_settings_list():
# assert settings_list() == _get_settings()
def test_settings_set():
settings_set("example.bool", False)
assert settings_get("example.bool") is False
settings_set("example.example.boolean", False)
assert settings_get("example.example.boolean") is False
settings_set("example.bool", "on")
assert settings_get("example.bool") is True
settings_set("example.example.boolean", "on")
assert settings_get("example.example.boolean") is True
def test_settings_set_int():
settings_set("example.int", 21)
assert settings_get("example.int") == 21
settings_set("example.example.number", 21)
assert settings_get("example.example.number") == 21
def test_settings_set_enum():
settings_set("example.enum", "c")
assert settings_get("example.enum") == "c"
def test_settings_set_select():
settings_set("example.example.select", "c")
assert settings_get("example.example.select") == "c"
def test_settings_set_doesexit():
with pytest.raises(YunohostError):
with pytest.raises(YunohostValidationError):
settings_set("doesnt.exist", True)
def test_settings_set_bad_type_bool():
with pytest.raises(YunohostError):
settings_set("example.bool", 42)
settings_set("example.example.boolean", 42)
with pytest.raises(YunohostError):
settings_set("example.bool", "pouet")
settings_set("example.example.boolean", "pouet")
def test_settings_set_bad_type_int():
with pytest.raises(YunohostError):
settings_set("example.int", True)
settings_set("example.example.number", True)
with pytest.raises(YunohostError):
settings_set("example.int", "pouet")
settings_set("example.example.number", "pouet")
def test_settings_set_bad_type_string():
with pytest.raises(YunohostError):
settings_set("example.string", True)
settings_set("example.example.string", True)
with pytest.raises(YunohostError):
settings_set("example.string", 42)
settings_set("example.example.string", 42)
def test_settings_set_bad_value_enum():
def test_settings_set_bad_value_select():
with pytest.raises(YunohostError):
settings_set("example.enum", True)
settings_set("example.example.select", True)
with pytest.raises(YunohostError):
settings_set("example.enum", "e")
settings_set("example.example.select", "e")
with pytest.raises(YunohostError):
settings_set("example.enum", 42)
settings_set("example.example.select", 42)
with pytest.raises(YunohostError):
settings_set("example.enum", "pouet")
settings_set("example.example.select", "pouet")
def test_settings_list_modified():
settings_set("example.int", 21)
assert settings_list()["example.int"] == {
"default": 42,
"description": "Dummy int setting",
"type": "int",
"value": 21,
}
settings_set("example.example.number", 21)
assert settings_list()["number"] == 21
def test_reset():
settings_set("example.int", 21)
assert settings_get("example.int") == 21
settings_reset("example.int")
assert settings_get("example.int") == settings_get("example.int", True)["default"]
option = settings_get("example.example.number", full=True).get('panels')[0].get('sections')[0].get('options')[0]
settings_set("example.example.number", 21)
assert settings_get("number") == 21
settings_reset("example.example.number")
assert settings_get("example.example.number") == option["default"]
def test_settings_reset_doesexit():
@ -183,10 +221,10 @@ def test_settings_reset_doesexit():
def test_reset_all():
settings_before = settings_list()
settings_set("example.bool", False)
settings_set("example.int", 21)
settings_set("example.string", "pif paf pouf")
settings_set("example.enum", "c")
settings_set("example.example.boolean", False)
settings_set("example.example.number", 21)
settings_set("example.example.string", "pif paf pouf")
settings_set("example.example.select", "c")
assert settings_before != settings_list()
settings_reset_all()
if settings_before != settings_list():
@ -194,30 +232,30 @@ def test_reset_all():
assert settings_before[i] == settings_list()[i]
def test_reset_all_backup():
settings_before = settings_list()
settings_set("example.bool", False)
settings_set("example.int", 21)
settings_set("example.string", "pif paf pouf")
settings_set("example.enum", "c")
settings_after_modification = settings_list()
assert settings_before != settings_after_modification
old_settings_backup_path = settings_reset_all()["old_settings_backup_path"]
for i in settings_after_modification:
del settings_after_modification[i]["description"]
assert settings_after_modification == json.load(open(old_settings_backup_path, "r"))
#def test_reset_all_backup():
# settings_before = settings_list()
# settings_set("example.bool", False)
# settings_set("example.int", 21)
# settings_set("example.string", "pif paf pouf")
# settings_set("example.select", "c")
# settings_after_modification = settings_list()
# assert settings_before != settings_after_modification
# old_settings_backup_path = settings_reset_all()["old_settings_backup_path"]
#
# for i in settings_after_modification:
# del settings_after_modification[i]["description"]
#
# assert settings_after_modification == json.load(open(old_settings_backup_path, "r"))
def test_unknown_keys():
unknown_settings_path = SETTINGS_PATH_OTHER_LOCATION % "unknown"
unknown_setting = {
"unkown_key": {"value": 42, "default": 31, "type": "int"},
}
open(SETTINGS_PATH, "w").write(json.dumps(unknown_setting))
# stimulate a write
settings_reset_all()
assert unknown_setting == json.load(open(unknown_settings_path, "r"))
#def test_unknown_keys():
# unknown_settings_path = SETTINGS_PATH_OTHER_LOCATION % "unknown"
# unknown_setting = {
# "unkown_key": {"value": 42, "default": 31, "type": "int"},
# }
# open(SETTINGS_PATH, "w").write(json.dumps(unknown_setting))
#
# # stimulate a write
# settings_reset_all()
#
# assert unknown_setting == json.load(open(unknown_settings_path, "r"))

25
src/utils/legacy.py
View file

@ -62,6 +62,31 @@ LEGACY_PERMISSION_LABEL = {
): "api", # $excaped_domain$excaped_path/[%w-.]*/[%w-.]*/git%-receive%-pack,$excaped_domain$excaped_path/[%w-.]*/[%w-.]*/git%-upload%-pack,$excaped_domain$excaped_path/[%w-.]*/[%w-.]*/info/refs
}
LEGACY_SETTINGS = {
"security.password.admin.strength": "security.password.admin_strength",
"security.password.user.strength": "security.password.user_strength",
"security.ssh.compatibility": "security.ssh.ssh_compatibility",
"security.ssh.port": "security.ssh.ssh_port",
"security.ssh.password_authentication": "security.ssh.ssh_password_authentication",
"service.ssh.allow_deprecated_dsa_hostkey": "security.ssh.ssh_allow_deprecated_dsa_hostkey",
"security.nginx.redirect_to_https": "security.nginx.nginx_redirect_to_https",
"security.nginx.compatibility": "security.nginx.nginx_compatibility",
"security.postfix.compatibility": "security.postfix.postfix_compatibility",
"pop3.enabled": "email.pop3.pop3_enabled",
"smtp.allow_ipv6": "email.smtp.smtp_allow_ipv6",
"smtp.relay.host": "email.smtp.smtp_relay_host",
"smtp.relay.port": "email.smtp.smtp_relay_port",
"smtp.relay.user": "email.smtp.smtp_relay_user",
"smtp.relay.password": "email.smtp.smtp_relay_password",
"backup.compress_tar_archives": "misc.backup.backup_compress_tar_archives",
"ssowat.panel_overlay.enabled": "misc.ssowat.ssowat_panel_overlay_enabled",
"security.webadmin.allowlist.enabled": "security.webadmin.webadmin_allowlist_enabled",
"security.webadmin.allowlist": "security.webadmin.webadmin_allowlist",
"security.experimental.enabled": "security.experimental.security_experimental_enabled"
}
def translate_legacy_settings_to_configpanel_settings(settings):
return LEGACY_SETTINGS.get(settings, settings)
def legacy_permission_label(app, permission_type):
return LEGACY_PERMISSION_LABEL.get(

10
src/utils/password.py
View file

@ -21,9 +21,9 @@
import sys
import os
import json
import string
import subprocess
import yaml
SMALL_PWD_LIST = [
"yunohost",
@ -58,7 +58,7 @@ class PasswordValidator:
The profile shall be either "user" or "admin"
and will correspond to a validation strength
defined via the setting "security.password.<profile>.strength"
defined via the setting "security.password.<profile>_strength"
"""
self.profile = profile
@ -67,9 +67,9 @@ class PasswordValidator:
# from settings.py because this file is also meant to be
# use as a script by ssowat.
# (or at least that's my understanding -- Alex)
settings = json.load(open("/etc/yunohost/settings.json", "r"))
setting_key = "security.password." + profile + ".strength"
self.validation_strength = int(settings[setting_key]["value"])
settings = yaml.load(open("/etc/yunohost/settings.yml", "r"))
setting_key = "security.password." + profile + "_strength"
self.validation_strength = int(settings[setting_key])
except Exception:
# Fallback to default value if we can't fetch settings for some reason
self.validation_strength = 1