Merge remote-tracking branch 'origin/moar_session_management_changes' into portal-api

debian/changelog

@@ -6,6 +6,7 @@ yunohost (11.0.1~alpha) unstable; urgency=low
   - [mod] debian: Moved mysql, php, and metronome from Depends to Recommends ([#1369](https://github.com/YunoHost/yunohost/pull/1369))
   - [mod] apt: Add sury by default ([#1369](https://github.com/YunoHost/yunohost/pull/1369))
   - [enh] regenconf/helpers: Better integration for postgresql ([#1369](https://github.com/YunoHost/yunohost/pull/1369))
+  - [enh] regenconf: Store regenconf cache in /var/cache/yunohost/regenconf instead of /home/yunohost.conf (00d535a6)
   - [enh] mysql: Drop super old mysql config, now rely on Debian default's one ([44c972f...144126f](https://github.com/YunoHost/yunohost/compare/44c972f2dd65...144126f56a3d))
   - [enh] upgrade: Try to implement a smarter self-upgrade mechanism to prevent/limit API downtime and related UX issues ([#1374](https://github.com/YunoHost/yunohost/pull/1374))
   - [mod] app: During app scripts (and all stuff run in hook_exec), do not inject the HOME variable if it exists. This aims to prevent inconsistencies between CLI (where HOME usually is defined) and API (where HOME doesnt exists) (f43e567b)
@@ -24,6 +25,17 @@ yunohost (11.0.1~alpha) unstable; urgency=low
 
  -- Alexandre Aubin <alex.aubin@mailoo.org>  Fri, 05 Feb 2021 00:02:38 +0100
 
+yunohost (4.3.4.2) stable; urgency=low
+
+  - [fix] yunomdns: Ignore ipv4 link-local addresses (6854f23c)
+  - [fix] backup: Fix path for multimedia restore ([#1386](https://github.com/YunoHost/yunohost/pull/1386))
+  - [fix] helpers apt/php: typo in extra php-fpm yunohost service integration (47f3c00d)
+  - [enh] helpers: Update n to 8.0.1 (d1ab1f67)
+
+  Thanks to all contributors <3 ! (ericgaspar, Kayou)
+
+ -- Alexandre Aubin <alex.aubin@mailoo.org>  Wed, 08 Dec 2021 22:04:04 +0100
+
 yunohost (4.3.4.1) stable; urgency=low
 
   - [fix] regenconf: Force permission on /etc/resolv.dnsmasq.conf to fix an issue on some setup with umask=027 (5881938c)

helpers/apt

@@ -302,6 +302,8 @@ EOF
 
         # Set the default php version back as the default version for php-cli.
         update-alternatives --set php /usr/bin/php$YNH_DEFAULT_PHP_VERSION
+    elif grep --quiet 'php' <<< "$dependencies"; then
+        ynh_app_setting_set --app=$app --key=phpversion --value=$YNH_DEFAULT_PHP_VERSION
     fi
 
     # Trigger postgresql regenconf if we may have just installed postgresql

helpers/backup

@@ -226,7 +226,7 @@ with open(sys.argv[1], 'r') as backup_file:
 #     ynh_restore_file -o "conf/nginx.conf"
 #
 # If `DEST_PATH` already exists and is lighter than 500 Mo, a backup will be made in
-# `/home/yunohost.conf/backup/`. Otherwise, the existing file is removed.
+# `/var/cache/yunohost/appconfbackup/`. Otherwise, the existing file is removed.
 #
 # if `apps/$app/etc/nginx/conf.d/$domain.d/$app.conf` exists, restore it into
 # `/etc/nginx/conf.d/$domain.d/$app.conf`
@@ -263,7 +263,7 @@ ynh_restore_file() {
     if [[ -e "${dest_path}" ]]; then
         # Check if the file/dir size is less than 500 Mo
         if [[ $(du --summarize --bytes ${dest_path} | cut --delimiter="/" --fields=1) -le "500000000" ]]; then
-            local backup_file="/home/yunohost.conf/backup/${dest_path}.backup.$(date '+%Y%m%d.%H%M%S')"
+            local backup_file="/var/cache/yunohost/appconfbackup/${dest_path}.backup.$(date '+%Y%m%d.%H%M%S')"
             mkdir --parents "$(dirname "$backup_file")"
             mv "${dest_path}" "$backup_file" # Move the current file or directory
         else
@@ -353,7 +353,7 @@ ynh_backup_if_checksum_is_different() {
     backup_file_checksum=""
     if [ -n "$checksum_value" ]; then                                                     # Proceed only if a value was stored into the app settings
         if [ -e $file ] && ! echo "$checksum_value $file" | md5sum --check --status; then # If the checksum is now different
-            backup_file_checksum="/home/yunohost.conf/backup/$file.backup.$(date '+%Y%m%d.%H%M%S')"
+            backup_file_checksum="/var/cache/yunohost/appconfbackup/$file.backup.$(date '+%Y%m%d.%H%M%S')"
             mkdir --parents "$(dirname "$backup_file_checksum")"
             cp --archive "$file" "$backup_file_checksum" # Backup the current file
             ynh_print_warn "File $file has been manually modified since the installation or last upgrade. So it has been duplicated in $backup_file_checksum"

helpers/nodejs

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-n_version=8.0.0
+n_version=8.0.1
 n_install_dir="/opt/node_n"
 node_version_path="$n_install_dir/n/versions/node"
 # N_PREFIX is the directory of n, it needs to be loaded as a environment variable.
@@ -16,7 +16,7 @@ export N_PREFIX="$n_install_dir"
 ynh_install_n() {
     # Build an app.src for n
     echo "SOURCE_URL=https://github.com/tj/n/archive/v${n_version}.tar.gz
-SOURCE_SUM=9e8879dc4f1c4c0fe4e08a108ed6c23046419b6865fe922ca5176ff7998ae6ff" >"$YNH_APP_BASEDIR/conf/n.src"
+SOURCE_SUM=8703ae88fd06ce7f2d0f4018d68bfbab7b26859ed86a86ce4b8f25d2110aee2f" >"$YNH_APP_BASEDIR/conf/n.src"
     # Download and extract n
     ynh_setup_source --dest_dir="$n_install_dir/git" --source_id=n
     # Install n

hooks/conf_regen/01-yunohost

@@ -174,12 +174,12 @@ do_post_regen() {
     ######################
 
     chmod 750 /home/admin
-    chmod 750 /home/yunohost.conf
     chmod 750 /home/yunohost.backup
     chmod 750 /home/yunohost.backup/archives
-    chown root:root /home/yunohost.conf
+    chmod 700 /var/cache/yunohost
     chown admin:root /home/yunohost.backup
     chown admin:root /home/yunohost.backup/archives
+    chown root:root /var/cache/yunohost
 
     # NB: x permission for 'others' is important for ssl-cert (and maybe mdns), otherwise slapd will fail to start because can't access the certs
     chmod 755 /etc/yunohost
@@ -195,9 +195,6 @@ do_post_regen() {
     find /etc/cron.d/yunohost-* -type f -exec chmod 644 {} \;
     find /etc/cron.*/yunohost-* -type f -exec chown root:root {} \;
 
-    chown root:root /var/cache/yunohost
-    chmod 700 /var/cache/yunohost
-
     setfacl -m g:all_users:--- /var/www
     setfacl -m g:all_users:--- /var/log/nginx
     setfacl -m g:all_users:--- /etc/yunohost

hooks/restore/18-data_multimedia

@@ -6,4 +6,6 @@ set -eu
 # Source YNH helpers
 source /usr/share/yunohost/helpers
 
-ynh_restore_file --origin_path="/home/yunohost.multimedia" --not_mandatory
+backup_dir="data/multimedia"
+
+ynh_restore_file --origin_path="${backup_dir}" --dest_path="/home/yunohost.multimedia" --not_mandatory

share/actionsmap.yml

@@ -34,7 +34,6 @@
 #############################
 _global:
     namespace: yunohost
-    cookie_name: yunohost.admin
     authentication:
         api: ldap_admin
         cli: null

src/authenticators/ldap_admin.py

@@ -8,10 +8,14 @@ import time
 
 from moulinette import m18n
 from moulinette.authentication import BaseAuthenticator
-from yunohost.utils.error import YunohostError
+from moulinette.utils.text import random_ascii
+
+from yunohost.utils.error import YunohostError, YunohostAuthenticationError
 
 logger = logging.getLogger("yunohost.authenticators.ldap_admin")
 
+session_secret = random_ascii()
+
 
 class Authenticator(BaseAuthenticator):
 
@@ -66,3 +70,60 @@ class Authenticator(BaseAuthenticator):
             # Free the connection, we don't really need it to keep it open as the point is only to check authentication...
             if con:
                 con.unbind_s()
+
+    def set_session_cookie(self, infos):
+
+        from bottle import response
+
+        assert isinstance(infos, dict)
+
+        # This allows to generate a new session id or keep the existing one
+        current_infos = self.get_session_cookie(raise_if_no_session_exists=False)
+        new_infos = {"id": current_infos["id"]}
+        new_infos.update(infos)
+
+        response.set_cookie(
+            "yunohost.admin",
+            new_infos,
+            secure=True,
+            secret=session_secret,
+            httponly=True,
+            # samesite="strict", # Bottle 0.12 doesn't support samesite, to be added in next versions
+        )
+
+    def get_session_cookie(self, raise_if_no_session_exists=True):
+
+        from bottle import request
+
+        try:
+            # N.B. : here we implicitly reauthenticate the cookie
+            # because it's signed via the session_secret
+            # If no session exists (or if session is invalid?)
+            # it's gonna return the default empty dict,
+            # which we interpret as an authentication failure
+            infos = request.get_cookie(
+                "yunohost.admin", secret=session_secret, default={}
+            )
+        except Exception:
+            if not raise_if_no_session_exists:
+                return {"id": random_ascii()}
+            raise YunohostAuthenticationError("unable_authenticate")
+
+        if not infos and raise_if_no_session_exists:
+            raise YunohostAuthenticationError("unable_authenticate")
+
+        if "id" not in infos:
+            infos["id"] = random_ascii()
+
+        # FIXME: Here, maybe we want to re-authenticate the session via the authenticator
+        # For example to check that the username authenticated is still in the admin group...
+
+        return infos
+
+    @staticmethod
+    def delete_session_cookie(self):
+
+        from bottle import response
+
+        response.set_cookie("yunohost.admin", "", max_age=-1)
+        response.delete_cookie("yunohost.admin")

src/migrations/0021_migrate_to_bullseye.py

@@ -77,6 +77,20 @@ class MyMigration(Migration):
         rm("/etc/mysql/my.cnf", force=True)
         self.apt_install("mariadb-common --reinstall -o Dpkg::Options::='--force-confmiss'")
 
+        #
+        # /usr/share/yunohost/yunohost-config/ssl/yunoCA -> /usr/share/yunohost/ssl
+        #
+        if os.path.exists("/usr/share/yunohost/yunohost-config/ssl/yunoCA"):
+            os.system("mv /usr/share/yunohost/yunohost-config/ssl/yunoCA /usr/share/yunohost/ssl")
+            rm("/usr/share/yunohost/yunohost-config", recursive=True, force=True)
+
+        #
+        # /home/yunohost.conf -> /var/cache/yunohost/regenconf
+        #
+        if os.path.exists("/home/yunohost.conf"):
+            os.system("mv /home/yunohost.conf /var/cache/yunohost/regenconf")
+            rm("/home/yunohost.conf", recursive=True, force=True)
+
         #
         # Main upgrade
         #

src/regenconf.py

@@ -35,7 +35,7 @@ from yunohost.utils.error import YunohostError
 from yunohost.log import is_unit_operation
 from yunohost.hook import hook_callback, hook_list
 
-BASE_CONF_PATH = "/home/yunohost.conf"
+BASE_CONF_PATH = "/var/cache/yunohost/regenconf"
 BACKUP_CONF_DIR = os.path.join(BASE_CONF_PATH, "backup")
 PENDING_CONF_DIR = os.path.join(BASE_CONF_PATH, "pending")
 REGEN_CONF_FILE = "/etc/yunohost/regenconf.yml"

src/service.py

@@ -705,7 +705,7 @@ def _get_services():
         if os.system(f"dpkg --list | grep -q 'ii *{package}'") != 0:
             del services[name]
 
-    php_fpm_versions = check_output(r"dpkg --list | grep -P 'ii  php\d.\d-fpm' | awk '{print $2}' | grep -o -P '\d.\d'")
+    php_fpm_versions = check_output(r"dpkg --list | grep -P 'ii  php\d.\d-fpm' | awk '{print $2}' | grep -o -P '\d.\d' || true")
     php_fpm_versions = [v for v in php_fpm_versions.split('\n') if v.strip()]
     for version in php_fpm_versions:
         services[f"php{version}-fpm"] = {

src/utils/error.py

@@ -19,7 +19,7 @@
 
 """
 
-from moulinette.core import MoulinetteError
+from moulinette.core import MoulinetteError, MoulinetteAuthenticationError
 from moulinette import m18n
 
 
@@ -60,3 +60,9 @@ class YunohostValidationError(YunohostError):
     def content(self):
 
         return {"error": self.strerror, "error_key": self.key, **self.kwargs}
+
+
+class YunohostAuthenticationError(MoulinetteAuthenticationError):
+
+    pass
+