diff --git a/debian/changelog b/debian/changelog index 78023c71e..31e098d87 100644 --- a/debian/changelog +++ b/debian/changelog @@ -6,6 +6,7 @@ yunohost (11.0.1~alpha) unstable; urgency=low - [mod] debian: Moved mysql, php, and metronome from Depends to Recommends ([#1369](https://github.com/YunoHost/yunohost/pull/1369)) - [mod] apt: Add sury by default ([#1369](https://github.com/YunoHost/yunohost/pull/1369)) - [enh] regenconf/helpers: Better integration for postgresql ([#1369](https://github.com/YunoHost/yunohost/pull/1369)) + - [enh] regenconf: Store regenconf cache in /var/cache/yunohost/regenconf instead of /home/yunohost.conf (00d535a6) - [enh] mysql: Drop super old mysql config, now rely on Debian default's one ([44c972f...144126f](https://github.com/YunoHost/yunohost/compare/44c972f2dd65...144126f56a3d)) - [enh] upgrade: Try to implement a smarter self-upgrade mechanism to prevent/limit API downtime and related UX issues ([#1374](https://github.com/YunoHost/yunohost/pull/1374)) - [mod] app: During app scripts (and all stuff run in hook_exec), do not inject the HOME variable if it exists. This aims to prevent inconsistencies between CLI (where HOME usually is defined) and API (where HOME doesnt exists) (f43e567b) @@ -24,6 +25,17 @@ yunohost (11.0.1~alpha) unstable; urgency=low -- Alexandre Aubin Fri, 05 Feb 2021 00:02:38 +0100 +yunohost (4.3.4.2) stable; urgency=low + + - [fix] yunomdns: Ignore ipv4 link-local addresses (6854f23c) + - [fix] backup: Fix path for multimedia restore ([#1386](https://github.com/YunoHost/yunohost/pull/1386)) + - [fix] helpers apt/php: typo in extra php-fpm yunohost service integration (47f3c00d) + - [enh] helpers: Update n to 8.0.1 (d1ab1f67) + + Thanks to all contributors <3 ! (ericgaspar, Kayou) + + -- Alexandre Aubin Wed, 08 Dec 2021 22:04:04 +0100 + yunohost (4.3.4.1) stable; urgency=low - [fix] regenconf: Force permission on /etc/resolv.dnsmasq.conf to fix an issue on some setup with umask=027 (5881938c) 
diff --git a/helpers/apt b/helpers/apt index 7cfc3bcc7..74bec758c 100644 --- a/helpers/apt +++ b/helpers/apt @@ -302,6 +302,8 @@ EOF # Set the default php version back as the default version for php-cli. update-alternatives --set php /usr/bin/php$YNH_DEFAULT_PHP_VERSION + elif grep --quiet 'php' <<< "$dependencies"; then + ynh_app_setting_set --app=$app --key=phpversion --value=$YNH_DEFAULT_PHP_VERSION fi # Trigger postgresql regenconf if we may have just installed postgresql diff --git a/helpers/backup b/helpers/backup index e4828a10d..01b51d5a1 100644 --- a/helpers/backup +++ b/helpers/backup @@ -226,7 +226,7 @@ with open(sys.argv[1], 'r') as backup_file: # ynh_restore_file -o "conf/nginx.conf" # # If `DEST_PATH` already exists and is lighter than 500 Mo, a backup will be made in -# `/home/yunohost.conf/backup/`. Otherwise, the existing file is removed. +# `/var/cache/yunohost/appconfbackup/`. Otherwise, the existing file is removed. # # if `apps/$app/etc/nginx/conf.d/$domain.d/$app.conf` exists, restore it into # `/etc/nginx/conf.d/$domain.d/$app.conf` @@ -263,7 +263,7 @@ ynh_restore_file() { if [[ -e "${dest_path}" ]]; then # Check if the file/dir size is less than 500 Mo if [[ $(du --summarize --bytes ${dest_path} | cut --delimiter="/" --fields=1) -le "500000000" ]]; then - local backup_file="/home/yunohost.conf/backup/${dest_path}.backup.$(date '+%Y%m%d.%H%M%S')" + local backup_file="/var/cache/yunohost/appconfbackup/${dest_path}.backup.$(date '+%Y%m%d.%H%M%S')" mkdir --parents "$(dirname "$backup_file")" mv "${dest_path}" "$backup_file" # Move the current file or directory else 
@@ -353,7 +353,7 @@ ynh_backup_if_checksum_is_different() {
 backup_file_checksum=""
 if [ -n "$checksum_value" ]; then # Proceed only if a value was stored into the app settings
 if [ -e $file ] && ! echo "$checksum_value $file" | md5sum --check --status; then # If the checksum is now different
- backup_file_checksum="/home/yunohost.conf/backup/$file.backup.$(date '+%Y%m%d.%H%M%S')"
+ backup_file_checksum="/var/cache/yunohost/appconfbackup/$file.backup.$(date '+%Y%m%d.%H%M%S')"
 mkdir --parents "$(dirname "$backup_file_checksum")"
 cp --archive "$file" "$backup_file_checksum" # Backup the current file
 ynh_print_warn "File $file has been manually modified since the installation or last upgrade. So it has been duplicated in $backup_file_checksum"
diff --git a/helpers/nodejs b/helpers/nodejs
index e7e61b0c6..962ac2a70 100644
--- a/helpers/nodejs
+++ b/helpers/nodejs
@@ -1,6 +1,6 @@
 #!/bin/bash
-n_version=8.0.0
+n_version=8.0.1
 n_install_dir="/opt/node_n"
 node_version_path="$n_install_dir/n/versions/node"
 # N_PREFIX is the directory of n, it needs to be loaded as a environment variable.
@@ -16,7 +16,7 @@ export N_PREFIX="$n_install_dir"
 ynh_install_n() {
 # Build an app.src for n
 echo "SOURCE_URL=https://github.com/tj/n/archive/v${n_version}.tar.gz
-SOURCE_SUM=9e8879dc4f1c4c0fe4e08a108ed6c23046419b6865fe922ca5176ff7998ae6ff" >"$YNH_APP_BASEDIR/conf/n.src"
+SOURCE_SUM=8703ae88fd06ce7f2d0f4018d68bfbab7b26859ed86a86ce4b8f25d2110aee2f" >"$YNH_APP_BASEDIR/conf/n.src"
 # Download and extract n
 ynh_setup_source --dest_dir="$n_install_dir/git" --source_id=n
 # Install n
diff --git a/hooks/conf_regen/01-yunohost b/hooks/conf_regen/01-yunohost
index 22929db33..14840e2f1 100755
--- a/hooks/conf_regen/01-yunohost
+++ b/hooks/conf_regen/01-yunohost
@@ -174,12 +174,12 @@ do_post_regen() { ###################### chmod 750 /home/admin - chmod 750 /home/yunohost.conf chmod 750 /home/yunohost.backup chmod 750 /home/yunohost.backup/archives - chown root:root /home/yunohost.conf + chmod 700 /var/cache/yunohost chown admin:root /home/yunohost.backup chown admin:root /home/yunohost.backup/archives + chown root:root /var/cache/yunohost # NB: x permission for 'others' is important for ssl-cert (and maybe mdns), otherwise slapd will fail to start because can't access the certs chmod 755 /etc/yunohost @@ -195,9 +195,6 @@ do_post_regen() { find /etc/cron.d/yunohost-* -type f -exec chmod 644 {} \; find /etc/cron.*/yunohost-* -type f -exec chown root:root {} \; - chown root:root /var/cache/yunohost - chmod 700 /var/cache/yunohost - setfacl -m g:all_users:--- /var/www setfacl -m g:all_users:--- /var/log/nginx setfacl -m g:all_users:--- /etc/yunohost diff --git a/hooks/restore/18-data_multimedia b/hooks/restore/18-data_multimedia index eb8ef2608..c3c349e7d 100644 --- a/hooks/restore/18-data_multimedia +++ b/hooks/restore/18-data_multimedia @@ -6,4 +6,6 @@ set -eu # Source YNH helpers source /usr/share/yunohost/helpers -ynh_restore_file --origin_path="/home/yunohost.multimedia" --not_mandatory +backup_dir="data/multimedia" + +ynh_restore_file --origin_path="${backup_dir}" --dest_path="/home/yunohost.multimedia" --not_mandatory diff --git a/share/actionsmap.yml b/share/actionsmap.yml index cad0212b2..9eee48716 100644 --- a/share/actionsmap.yml +++ b/share/actionsmap.yml @@ -34,7 +34,6 @@ ############################# _global: namespace: yunohost - cookie_name: yunohost.admin authentication: api: ldap_admin cli: null diff --git a/src/authenticators/ldap_admin.py b/src/authenticators/ldap_admin.py index 94d68a8db..7f96165cb 100644 --- a/src/authenticators/ldap_admin.py +++ b/src/authenticators/ldap_admin.py 
@@ -8,10 +8,14 @@ import time
 from moulinette import m18n
 from moulinette.authentication import BaseAuthenticator
-from yunohost.utils.error import YunohostError
+from moulinette.utils.text import random_ascii
+
+from yunohost.utils.error import YunohostError, YunohostAuthenticationError
 logger = logging.getLogger("yunohost.authenticators.ldap_admin")
+session_secret = random_ascii()
+
 class Authenticator(BaseAuthenticator):
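Review bot: `session_secret = random_ascii()` is the only key behind the signed admin cookie, and nothing next to it says how the value must be handled. Bottle serializes signed cookie values with pickle (its documentation carries a warning about this), so the secret must never be logged, persisted or exposed through debug output, since knowing it is enough to have a forged value unpickled server-side. Because it is generated at import time, each API process gets its own key: sessions end at every restart and would not validate across several worker processes, if the API is ever run that way. I would add a comment above it such as `# Per-process signing key for the admin session cookie (Bottle pickles signed cookies): keep in memory only, never log.` and confirm that `random_ascii`, which lives in moulinette and is not shown here, draws from a CSPRNG with sufficient length.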
@@ -66,3 +70,60 @@ class Authenticator(BaseAuthenticator):
 # Free the connection, we don't really need it to keep it open as the point is only to check authentication...
 if con:
 con.unbind_s()
+
+ def set_session_cookie(self, infos):
+
+ from bottle import response
+
+ assert isinstance(infos, dict)
+
+ # This allows to generate a new session id or keep the existing one
+ current_infos = self.get_session_cookie(raise_if_no_session_exists=False)
+ new_infos = {"id": current_infos["id"]}
+ new_infos.update(infos)
+
+ response.set_cookie(
+ "yunohost.admin",
+ new_infos,
+ secure=True,
+ secret=session_secret,
+ httponly=True,
+ # samesite="strict", # Bottle 0.12 doesn't support samesite, to be added in next versions
+ )
+
+ def get_session_cookie(self, raise_if_no_session_exists=True):
+
+ from bottle import request
+
+ try:
+ # N.B. : here we implicitly reauthenticate the cookie
+ # because it's signed via the session_secret
+ # If no session exists (or if session is invalid?)
+ # it's gonna return the default empty dict,
+ # which we interpret as an authentication failure
+ infos = request.get_cookie(
+ "yunohost.admin", secret=session_secret, default={}
+ )
+ except Exception:
+ if not raise_if_no_session_exists:
+ return {"id": random_ascii()}
+ raise YunohostAuthenticationError("unable_authenticate")
+
+ if not infos and raise_if_no_session_exists:
+ raise YunohostAuthenticationError("unable_authenticate")
+
+ if "id" not in infos:
+ infos["id"] = random_ascii()
+
+ # FIXME: Here, maybe we want to re-authenticate the session via the authenticator
+ # For example to check that the username authenticated is still in the admin group...
+
+ return infos
+
+ @staticmethod
+ def delete_session_cookie(self):
+
+ from bottle import response
+
+ response.set_cookie("yunohost.admin", "", max_age=-1)
+ response.delete_cookie("yunohost.admin")
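Review bot: `delete_session_cookie` at the end of this hunk is decorated with `@staticmethod` yet still declares `self`, so a call through an instance passes no argument and raises `TypeError`; drop the decorator, or change the signature to `def delete_session_cookie():`. Logout also only clears the cookie in the browser: `get_session_cookie` accepts any value carrying a valid signature, and nothing visible here records an issue time or a server-side session, so a copied cookie would presumably stay accepted until `session_secret` changes. Consider adding a timestamp to `infos` in `set_session_cookie` and rejecting stale values next to the existing FIXME. `assert isinstance(infos, dict)` disappears under `python -O`; `if not isinstance(infos, dict): raise TypeError("infos must be a dict")` holds in every mode. The enclosing `Authenticator` class starts outside the hunk.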
diff --git a/src/migrations/0021_migrate_to_bullseye.py b/src/migrations/0021_migrate_to_bullseye.py
index db10777bf..b39ef09e8 100644
--- a/src/migrations/0021_migrate_to_bullseye.py
+++ b/src/migrations/0021_migrate_to_bullseye.py
@@ -77,6 +77,20 @@ class MyMigration(Migration):
 rm("/etc/mysql/my.cnf", force=True)
 self.apt_install("mariadb-common --reinstall -o Dpkg::Options::='--force-confmiss'")
+ #
+ # /usr/share/yunohost/yunohost-config/ssl/yunoCA -> /usr/share/yunohost/ssl
+ #
+ if os.path.exists("/usr/share/yunohost/yunohost-config/ssl/yunoCA"):
+ os.system("mv /usr/share/yunohost/yunohost-config/ssl/yunoCA /usr/share/yunohost/ssl")
+ rm("/usr/share/yunohost/yunohost-config", recursive=True, force=True)
+
+ #
+ # /home/yunohost.conf -> /var/cache/yunohost/regenconf
+ #
+ if os.path.exists("/home/yunohost.conf"):
+ os.system("mv /home/yunohost.conf /var/cache/yunohost/regenconf")
+ rm("/home/yunohost.conf", recursive=True, force=True)
+
 #
 # Main upgrade
 #
diff --git a/src/regenconf.py b/src/regenconf.py
index afcfb4360..1be62a96f 100644
--- a/src/regenconf.py
+++ b/src/regenconf.py
@@ -35,7 +35,7 @@ from yunohost.utils.error import YunohostError
 from yunohost.log import is_unit_operation
 from yunohost.hook import hook_callback, hook_list
-BASE_CONF_PATH = "/home/yunohost.conf"
+BASE_CONF_PATH = "/var/cache/yunohost/regenconf"
 BACKUP_CONF_DIR = os.path.join(BASE_CONF_PATH, "backup")
 PENDING_CONF_DIR = os.path.join(BASE_CONF_PATH, "pending")
 REGEN_CONF_FILE = "/etc/yunohost/regenconf.yml"
diff --git a/src/service.py b/src/service.py
index b723df407..fb1e15c5f 100644
--- a/src/service.py
+++ b/src/service.py
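Review bot: In `src/migrations/0021_migrate_to_bullseye.py`, both added `os.system("mv …")` calls discard the exit status and are followed by a forced recursive `rm` of the source tree, so a failed or partial move (a full or missing destination, for instance) ends with the regen-conf data under `/home/yunohost.conf`, or the contents of `yunohost-config`, deleted without having been moved. If `/var/cache/yunohost/regenconf` already exists as a directory, `mv` will also nest the old tree inside it rather than replace it, leaving `BASE_CONF_PATH` without the expected `backup`/`pending` layout. I would test the return value, log the failure and skip the `rm` when it is non-zero; after a successful `mv /home/yunohost.conf …` that `rm` has nothing left to remove anyway. The enclosing method starts and ends outside the hunk, and the page has lost indentation, so whether each `rm` sits inside its `if` cannot be confirmed from here.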
@@ -705,7 +705,7 @@ def _get_services():
 if os.system(f"dpkg --list | grep -q 'ii *{package}'") != 0:
 del services[name]
- php_fpm_versions = check_output(r"dpkg --list | grep -P 'ii php\d.\d-fpm' | awk '{print $2}' | grep -o -P '\d.\d'")
+ php_fpm_versions = check_output(r"dpkg --list | grep -P 'ii php\d.\d-fpm' | awk '{print $2}' | grep -o -P '\d.\d' || true")
 php_fpm_versions = [v for v in php_fpm_versions.split('\n') if v.strip()]
 for version in php_fpm_versions:
 services[f"php{version}-fpm"] = {
diff --git a/src/utils/error.py b/src/utils/error.py
index 8405830e7..aa76ba67e 100644
--- a/src/utils/error.py
+++ b/src/utils/error.py
@@ -19,7 +19,7 @@
 """
-from moulinette.core import MoulinetteError
+from moulinette.core import MoulinetteError, MoulinetteAuthenticationError
 from moulinette import m18n
@@ -60,3 +60,9 @@ class YunohostValidationError(YunohostError):
 def content(self):
 return {"error": self.strerror, "error_key": self.key, **self.kwargs}
+
+
+class YunohostAuthenticationError(MoulinetteAuthenticationError):
+
+ pass
+
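Review bot: In `src/service.py`, the appended `|| true` makes the whole pipeline report success, so a failing `dpkg --list` is no longer distinguishable from "no php-fpm package installed" and the php services are then presumably left out without any error. A short comment should state which failure is being tolerated, e.g. `# grep exits 1 when no php*-fpm package is installed; "|| true" keeps check_output from raising`. The `.` in `\d.\d` is unescaped in both grep patterns and matches any character; `\d\.\d` states the intent. `_get_services` starts and ends outside the hunk.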