From dc4341f98cc75baeff03b32777e17045338ec144 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 22 Nov 2021 08:21:54 +0100 Subject: [PATCH 01/10] migrate_to_bullseye: /usr/share/yunohost/yunohost-config/ssl/yunoCA -> /usr/share/yunohost/ssl --- src/yunohost/data_migrations/0021_migrate_to_bullseye.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/yunohost/data_migrations/0021_migrate_to_bullseye.py b/src/yunohost/data_migrations/0021_migrate_to_bullseye.py index db10777bf..aee3bc2d6 100644 --- a/src/yunohost/data_migrations/0021_migrate_to_bullseye.py +++ b/src/yunohost/data_migrations/0021_migrate_to_bullseye.py @@ -77,6 +77,13 @@ class MyMigration(Migration): rm("/etc/mysql/my.cnf", force=True) self.apt_install("mariadb-common --reinstall -o Dpkg::Options::='--force-confmiss'") + # + # /usr/share/yunohost/yunohost-config/ssl/yunoCA -> /usr/share/yunohost/ssl + # + if os.path.exists("/usr/share/yunohost/yunohost-config/ssl/yunoCA"): + os.system("mv /usr/share/yunohost/yunohost-config/ssl/yunoCA /usr/share/yunohost/ssl") + rm("/usr/share/yunohost/yunohost-config", recursive=True, force=True) + # # Main upgrade # From 2bd1df0659588e096a2936f429c53d8dce6e74a0 Mon Sep 17 00:00:00 2001 From: Kayou Date: Tue, 30 Nov 2021 13:10:20 +0100 Subject: [PATCH 02/10] [fix] hook restore multimedia --- data/hooks/restore/18-data_multimedia | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/data/hooks/restore/18-data_multimedia b/data/hooks/restore/18-data_multimedia index eb8ef2608..c3c349e7d 100644 --- a/data/hooks/restore/18-data_multimedia +++ b/data/hooks/restore/18-data_multimedia @@ -6,4 +6,6 @@ set -eu # Source YNH helpers source /usr/share/yunohost/helpers -ynh_restore_file --origin_path="/home/yunohost.multimedia" --not_mandatory +backup_dir="data/multimedia" + +ynh_restore_file --origin_path="${backup_dir}" --dest_path="/home/yunohost.multimedia" --not_mandatory From 47f3c00d0c1ef3ce65cd7768b38526cb2b02a9b6 Mon Sep 17 00:00:00 2001 
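Review bot: The exit status of `os.system("mv ...")` is discarded and the `rm(..., recursive=True, force=True)` that follows runs whether or not the move worked, so a failed `mv` ends with yunoCA (by its name, presumably the local CA material) deleted along with /usr/share/yunohost/yunohost-config. If /usr/share/yunohost/ssl already exists as a directory, `mv` also nests the source inside it as ssl/yunoCA instead of renaming it. Gate the cleanup on success, e.g. `if os.system("mv /usr/share/yunohost/yunohost-config/ssl/yunoCA /usr/share/yunohost/ssl") == 0:` before the `rm(...)` line, and raise or log otherwise. The same pattern is in the /home/yunohost.conf hunk of PATCH 07/10, where the `rm` is a no-op after a successful move and only destroys data when the move failed. The enclosing method starts and ends outside the hunk.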
From: Alexandre Aubin Date: Fri, 3 Dec 2021 01:00:19 +0100 Subject: [PATCH 03/10] helpers apt/php: fix typo spotted by tituspijean --- data/helpers.d/apt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/data/helpers.d/apt b/data/helpers.d/apt index 2e56e3788..281e17f70 100644 --- a/data/helpers.d/apt +++ b/data/helpers.d/apt @@ -325,7 +325,7 @@ EOF ynh_app_setting_set --app=$app --key=phpversion --value=$specific_php_version # Integrate new php-fpm service in yunohost - yunohost service add php${specific_php_version}-fpm --log "/var/log/php${phpversion}-fpm.log" + yunohost service add php${specific_php_version}-fpm --log "/var/log/php${specific_php_version}-fpm.log" elif grep --quiet 'php' <<< "$dependencies"; then # Store phpversion into the config of this app ynh_app_setting_set --app=$app --key=phpversion --value=$YNH_DEFAULT_PHP_VERSION From 00d535a620ac8c4e5a7dbd7bfbcdb4f7338318cd Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Mon, 6 Dec 2021 18:38:49 +0100 Subject: [PATCH 04/10] Stop using /home/yunohost.conf for regenconf / confbackup, /var/cache is fine, prevent confusing /home/yunohost.* folder --- helpers/backup | 6 +++--- hooks/conf_regen/01-yunohost | 7 ++----- src/regenconf.py | 2 +- 3 files changed, 6 insertions(+), 9 deletions(-) diff --git a/helpers/backup b/helpers/backup index e4828a10d..01b51d5a1 100644 --- a/helpers/backup +++ b/helpers/backup @@ -226,7 +226,7 @@ with open(sys.argv[1], 'r') as backup_file: # ynh_restore_file -o "conf/nginx.conf" # # If `DEST_PATH` already exists and is lighter than 500 Mo, a backup will be made in -# `/home/yunohost.conf/backup/`. Otherwise, the existing file is removed. +# `/var/cache/yunohost/appconfbackup/`. Otherwise, the existing file is removed. # # if `apps/$app/etc/nginx/conf.d/$domain.d/$app.conf` exists, restore it into # `/etc/nginx/conf.d/$domain.d/$app.conf` 
@@ -263,7 +263,7 @@ ynh_restore_file() { if [[ -e "${dest_path}" ]]; then # Check if the file/dir size is less than 500 Mo if [[ $(du --summarize --bytes ${dest_path} | cut --delimiter="/" --fields=1) -le "500000000" ]]; then - local backup_file="/home/yunohost.conf/backup/${dest_path}.backup.$(date '+%Y%m%d.%H%M%S')" + local backup_file="/var/cache/yunohost/appconfbackup/${dest_path}.backup.$(date '+%Y%m%d.%H%M%S')" mkdir --parents "$(dirname "$backup_file")" mv "${dest_path}" "$backup_file" # Move the current file or directory else @@ -353,7 +353,7 @@ ynh_backup_if_checksum_is_different() { backup_file_checksum="" if [ -n "$checksum_value" ]; then # Proceed only if a value was stored into the app settings if [ -e $file ] && ! echo "$checksum_value $file" | md5sum --check --status; then # If the checksum is now different - backup_file_checksum="/home/yunohost.conf/backup/$file.backup.$(date '+%Y%m%d.%H%M%S')" + backup_file_checksum="/var/cache/yunohost/appconfbackup/$file.backup.$(date '+%Y%m%d.%H%M%S')" mkdir --parents "$(dirname "$backup_file_checksum")" cp --archive "$file" "$backup_file_checksum" # Backup the current file ynh_print_warn "File $file has been manually modified since the installation or last upgrade. So it has been duplicated in $backup_file_checksum" diff --git a/hooks/conf_regen/01-yunohost b/hooks/conf_regen/01-yunohost index 22929db33..14840e2f1 100755 --- a/hooks/conf_regen/01-yunohost +++ b/hooks/conf_regen/01-yunohost 
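Review bot: Nothing in this hunk sets the mode of the directories that `mkdir --parents "$(dirname "$backup_file")"` creates under /var/cache/yunohost/appconfbackup/, so the copies of app configuration kept there are protected only by /var/cache/yunohost itself being root-only. That mode is applied in `do_post_regen` of hooks/conf_regen/01-yunohost (`chmod 700 /var/cache/yunohost`), and the dependency should be stated next to the path: `# Relies on /var/cache/yunohost being root:root 0700, see hooks/conf_regen/01-yunohost`. The same applies to `backup_file_checksum` in the @@ -353 hunk and to `BASE_CONF_PATH` in src/regenconf.py. A cache directory is also a location administrators may treat as disposable, so the help text could say that these backups are best-effort. Both functions continue outside their hunks.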
@@ -174,12 +174,12 @@ do_post_regen() { ###################### chmod 750 /home/admin - chmod 750 /home/yunohost.conf chmod 750 /home/yunohost.backup chmod 750 /home/yunohost.backup/archives - chown root:root /home/yunohost.conf + chmod 700 /var/cache/yunohost chown admin:root /home/yunohost.backup chown admin:root /home/yunohost.backup/archives + chown root:root /var/cache/yunohost # NB: x permission for 'others' is important for ssl-cert (and maybe mdns), otherwise slapd will fail to start because can't access the certs chmod 755 /etc/yunohost @@ -195,9 +195,6 @@ do_post_regen() { find /etc/cron.d/yunohost-* -type f -exec chmod 644 {} \; find /etc/cron.*/yunohost-* -type f -exec chown root:root {} \; - chown root:root /var/cache/yunohost - chmod 700 /var/cache/yunohost - setfacl -m g:all_users:--- /var/www setfacl -m g:all_users:--- /var/log/nginx setfacl -m g:all_users:--- /etc/yunohost diff --git a/src/regenconf.py b/src/regenconf.py index afcfb4360..1be62a96f 100644 --- a/src/regenconf.py +++ b/src/regenconf.py @@ -35,7 +35,7 @@ from yunohost.utils.error import YunohostError from yunohost.log import is_unit_operation from yunohost.hook import hook_callback, hook_list -BASE_CONF_PATH = "/home/yunohost.conf" +BASE_CONF_PATH = "/var/cache/yunohost/regenconf" BACKUP_CONF_DIR = os.path.join(BASE_CONF_PATH, "backup") PENDING_CONF_DIR = os.path.join(BASE_CONF_PATH, "pending") REGEN_CONF_FILE = "/etc/yunohost/regenconf.yml" From d1ab1f674eb25f0970ded4698a89aee18f202cec Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Tue, 7 Dec 2021 12:23:22 +0100 Subject: [PATCH 05/10] Update n to 8.0.1 --- data/helpers.d/nodejs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/data/helpers.d/nodejs b/data/helpers.d/nodejs index e7e61b0c6..962ac2a70 100644 --- a/data/helpers.d/nodejs +++ b/data/helpers.d/nodejs 
@@ -1,6 +1,6 @@ #!/bin/bash -n_version=8.0.0 +n_version=8.0.1 n_install_dir="/opt/node_n" node_version_path="$n_install_dir/n/versions/node" # N_PREFIX is the directory of n, it needs to be loaded as a environment variable. @@ -16,7 +16,7 @@ export N_PREFIX="$n_install_dir" ynh_install_n() { # Build an app.src for n echo "SOURCE_URL=https://github.com/tj/n/archive/v${n_version}.tar.gz -SOURCE_SUM=9e8879dc4f1c4c0fe4e08a108ed6c23046419b6865fe922ca5176ff7998ae6ff" >"$YNH_APP_BASEDIR/conf/n.src" +SOURCE_SUM=8703ae88fd06ce7f2d0f4018d68bfbab7b26859ed86a86ce4b8f25d2110aee2f" >"$YNH_APP_BASEDIR/conf/n.src" # Download and extract n ynh_setup_source --dest_dir="$n_install_dir/git" --source_id=n # Install n From 71a08c09ea5099d7951d8d7badf0ed3bc0a02cf2 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 8 Dec 2021 22:06:46 +0100 Subject: [PATCH 06/10] Update changelog for 4.3.4.2 --- debian/changelog | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/debian/changelog b/debian/changelog index f53b259b6..001ab678a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +yunohost (4.3.4.2) stable; urgency=low + + - [fix] yunomdns: Ignore ipv4 link-local addresses (6854f23c) + - [fix] backup: Fix path for multimedia restore ([#1386](https://github.com/YunoHost/yunohost/pull/1386)) + - [fix] helpers apt/php: typo in extra php-fpm yunohost service integration (47f3c00d) + - [enh] helpers: Update n to 8.0.1 (d1ab1f67) + + Thanks to all contributors <3 ! (ericgaspar, Kayou) + + -- Alexandre Aubin Wed, 08 Dec 2021 22:04:04 +0100 + yunohost (4.3.4.1) stable; urgency=low - [fix] regenconf: Force permission on /etc/resolv.dnsmasq.conf to fix an issue on some setup with umask=027 (5881938c) From b617c799d05fa95e8fb3af85442b59053412f03f Mon Sep 17 00:00:00 2001 
From: Alexandre Aubin Date: Wed, 8 Dec 2021 22:11:02 +0100 Subject: [PATCH 07/10] migrate_to_bullseye: move /home/yunohost.conf to /var/cache/yunohost/regenconf --- src/yunohost/data_migrations/0021_migrate_to_bullseye.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/yunohost/data_migrations/0021_migrate_to_bullseye.py b/src/yunohost/data_migrations/0021_migrate_to_bullseye.py index aee3bc2d6..b39ef09e8 100644 --- a/src/yunohost/data_migrations/0021_migrate_to_bullseye.py +++ b/src/yunohost/data_migrations/0021_migrate_to_bullseye.py @@ -84,6 +84,13 @@ class MyMigration(Migration): os.system("mv /usr/share/yunohost/yunohost-config/ssl/yunoCA /usr/share/yunohost/ssl") rm("/usr/share/yunohost/yunohost-config", recursive=True, force=True) + # + # /home/yunohost.conf -> /var/cache/yunohost/regenconf + # + if os.path.exists("/home/yunohost.conf"): + os.system("mv /home/yunohost.conf /var/cache/yunohost/regenconf") + rm("/home/yunohost.conf", recursive=True, force=True) + # # Main upgrade # From 83f7721fdd515bd5d3acdd9f5f584c3ee0891a8e Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Thu, 9 Dec 2021 16:24:12 +0100 Subject: [PATCH 08/10] [fix] services: small issue when parsing installed php-fpm versions during buster->bullseye migration (or more generally, there could be no php-fpm installed) --- src/service.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/service.py b/src/service.py index b723df407..fb1e15c5f 100644 --- a/src/service.py +++ b/src/service.py 
@@ -705,7 +705,7 @@ def _get_services(): if os.system(f"dpkg --list | grep -q 'ii *{package}'") != 0: del services[name] - php_fpm_versions = check_output(r"dpkg --list | grep -P 'ii php\d.\d-fpm' | awk '{print $2}' | grep -o -P '\d.\d'") + php_fpm_versions = check_output(r"dpkg --list | grep -P 'ii php\d.\d-fpm' | awk '{print $2}' | grep -o -P '\d.\d' || true") php_fpm_versions = [v for v in php_fpm_versions.split('\n') if v.strip()] for version in php_fpm_versions: services[f"php{version}-fpm"] = { From f49f03d11e4e297920e084bb00f3c7934fdce6ad Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 22 Dec 2021 19:07:19 +0100 Subject: [PATCH 09/10] api: Move cookie session management logic to the authenticator for more flexibility --- share/actionsmap.yml | 1 - src/authenticators/ldap_admin.py | 60 +++++++++++++++++++++++++++++++- src/utils/error.py | 8 ++++- 3 files changed, 66 insertions(+), 3 deletions(-) diff --git a/share/actionsmap.yml b/share/actionsmap.yml index cad0212b2..9eee48716 100644 --- a/share/actionsmap.yml +++ b/share/actionsmap.yml @@ -34,7 +34,6 @@ ############################# _global: namespace: yunohost - cookie_name: yunohost.admin authentication: api: ldap_admin cli: null diff --git a/src/authenticators/ldap_admin.py b/src/authenticators/ldap_admin.py index 94d68a8db..26843c2c1 100644 --- a/src/authenticators/ldap_admin.py +++ b/src/authenticators/ldap_admin.py @@ -8,10 +8,14 @@ import time from moulinette import m18n from moulinette.authentication import BaseAuthenticator -from yunohost.utils.error import YunohostError +from moulinette.utils.text import random_ascii + +from yunohost.utils.error import YunohostError, YunohostAuthenticationError logger = logging.getLogger("yunohost.authenticators.ldap_admin") +session_secret = random_ascii() + class Authenticator(BaseAuthenticator): 
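Review bot: In src/authenticators/ldap_admin.py, `session_secret = random_ascii()` is evaluated once at import, so the cookie signing key exists only in this process, and that deserves a comment. Every restart invalidates existing sessions, and separate worker processes would not accept each other's cookies. Suggested comment above the assignment: `# Per-process key used to sign the session cookie; regenerated on every start, never persisted`. The strength of the key rests on random_ascii's default length and randomness source, which are not visible here and are worth confirming.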
@@ -66,3 +70,57 @@ class Authenticator(BaseAuthenticator): # Free the connection, we don't really need it to keep it open as the point is only to check authentication... if con: con.unbind_s() + + def set_session_cookie(self, infos): + + from bottle import response + + assert isinstance(infos, dict) + + # This allows to generate a new session id or keep the existing one + current_infos = self.get_session_cookie(raise_if_no_session_exists=False) + new_infos = {"id": current_infos["id"]} + new_infos.update(infos) + + response.set_cookie( + "yunohost.admin", + new_infos, + secure=True, + secret=session_secret, + httponly=True, + # samesite="strict", # Bottle 0.12 doesn't support samesite, to be added in next versions + ) + + def get_session_cookie(self, raise_if_no_session_exists=True): + + from bottle import request + + try: + # N.B. : here we implicitly reauthenticate the cookie + # because it's signed via the session_secret + # If no session exists (or if session is invalid?) + # it's gonna return the default empty dict, + # which we interpret as an authentication failure + infos = request.get_cookie( + "yunohost.admin", secret=session_secret, default={} + ) + except Exception: + if not raise_if_no_session_exists: + return {"id": random_ascii()} + raise YunohostAuthenticationError("unable_authenticate") + + if "id" not in infos: + infos["id"] = random_ascii() + + # FIXME: Here, maybe we want to re-authenticate the session via the authenticator + # For example to check that the username authenticated is still in the admin group... + + return infos + + @staticmethod + def delete_session_cookie(self): + + from bottle import response + + response.set_cookie("yunohost.admin", "", max_age=-1) + response.delete_cookie("yunohost.admin") diff --git a/src/utils/error.py b/src/utils/error.py index 8405830e7..aa76ba67e 100644 --- a/src/utils/error.py +++ b/src/utils/error.py 
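Review bot: `delete_session_cookie` is declared `@staticmethod` but still takes `self`, so a call such as `authenticator.delete_session_cookie()` fails with a missing-argument TypeError; drop the decorator or the parameter. Separately, `response.set_cookie("yunohost.admin", new_infos, secret=session_secret, ...)` passes a dict, and Bottle's signed cookies serialise non-string values with pickle and unpickle them once the signature matches, so the signing secret is the only barrier in front of deserialising client-supplied data. Storing a string narrows that: pass `json.dumps(new_infos)` on write and run `json.loads` on the value returned by `request.get_cookie` when one is present. `assert isinstance(infos, dict)` disappears under `python -O`, so an explicit type check that raises would be safer. The class body starts outside the hunk.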
@@ -19,7 +19,7 @@ """ -from moulinette.core import MoulinetteError +from moulinette.core import MoulinetteError, MoulinetteAuthenticationError from moulinette import m18n @@ -60,3 +60,9 @@ class YunohostValidationError(YunohostError): def content(self): return {"error": self.strerror, "error_key": self.key, **self.kwargs} + + +class YunohostAuthenticationError(MoulinetteAuthenticationError): + + pass + From 6aaf47493d0cc26e617fe3fc6f9fe589a98666ad Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Thu, 23 Dec 2021 16:55:12 +0100 Subject: [PATCH 10/10] Not sure when that started to happen, but bottle will return an empty dict if no valid session cookie found, this shall trigger an exception --- src/authenticators/ldap_admin.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/authenticators/ldap_admin.py b/src/authenticators/ldap_admin.py index 26843c2c1..7f96165cb 100644 --- a/src/authenticators/ldap_admin.py +++ b/src/authenticators/ldap_admin.py @@ -109,6 +109,9 @@ class Authenticator(BaseAuthenticator): return {"id": random_ascii()} raise YunohostAuthenticationError("unable_authenticate") + if not infos and raise_if_no_session_exists: + raise YunohostAuthenticationError("unable_authenticate") + if "id" not in infos: infos["id"] = random_ascii()