From 86d348b3122ab28272bec7563677b76af6d6e163 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Sat, 8 Feb 2020 23:16:25 +0700 Subject: [PATCH 01/10] Using new permissions system --- manifest.json | 2 +- scripts/install | 16 ++++++++-------- scripts/upgrade | 49 +++++++++++++++++++++++++++++++++---------------- 3 files changed, 42 insertions(+), 25 deletions(-) diff --git a/manifest.json b/manifest.json index e62ad56..44a6aa9 100644 --- a/manifest.json +++ b/manifest.json @@ -15,7 +15,7 @@ "url": "http://example.com" }, "requirements": { - "yunohost": ">= 3.5" + "yunohost": ">= 3.7" }, "multi_instance": true, "services": [ diff --git a/scripts/install b/scripts/install index 4cbacc8..54d74a3 100755 --- a/scripts/install +++ b/scripts/install @@ -72,7 +72,6 @@ ynh_script_progression --message="Storing installation settings..." --time --wei ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=admin --value=$admin -ynh_app_setting_set --app=$app --key=is_public --value=$is_public ynh_app_setting_set --app=$app --key=language --value=$language #================================================= @@ -233,10 +232,7 @@ ynh_script_progression --message="Finalizing installation..." --time --weight=1 ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3" # Remove the public access -if [ $is_public -eq 0 ] -then - ynh_app_setting_delete --app=$app --key=skipped_uris -fi +ynh_app_setting_delete --app=$app --key=skipped_uris #================================================= # MODIFY A CONFIG FILE 
@@ -336,15 +332,19 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failreg #================================================= # SETUP SSOWAT #================================================= -ynh_script_progression --message="Configuring SSOwat..." --time --weight=1 +ynh_script_progression --message="Configuring permissions..." --time --weight=1 # Make app public if necessary if [ $is_public -eq 1 ] then - # unprotected_uris allows SSO credentials to be passed anyway. - ynh_app_setting_set --app=$app --key=unprotected_uris --value="/" + # Everyone can access the app. + # The "main" permission is automatically created before the install script. + ynh_permission_update --permission "main" --add "visitors" fi +# Only the admin can access the admin panel of the app (if the app has an admin panel) +ynh_permission_create --permission "admin" --url "/admin" --allowed $admin + #================================================= # RELOAD NGINX #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 243e85b..19a361c 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -19,7 +19,6 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) admin=$(ynh_app_setting_get --app=$app --key=admin) -is_public=$(ynh_app_setting_get --app=$app --key=is_public) final_path=$(ynh_app_setting_get --app=$app --key=final_path) language=$(ynh_app_setting_get --app=$app --key=language) db_name=$(ynh_app_setting_get --app=$app --key=db_name) 
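Review bot: `$admin` is expanded unquoted in the added `ynh_permission_create --permission "admin" --url "/admin" --allowed $admin`, so an empty value or one containing whitespace changes the argument list instead of arriving as a single value. The allow list of the admin permission then depends on how the helper parses what is left. Quote it as `--allowed "$admin"`, and likewise write `[ "$is_public" -eq 1 ]` in the context line above. The same unquoted expansion recurs in the scripts/upgrade hunk at -192 of this patch and in the `--allowed=$admin` lines of patches 06 and 09.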
@@ -41,15 +40,6 @@ upgrade_type=$(ynh_check_app_version_changed) #================================================= ynh_script_progression --message="Ensuring downward compatibility..." --time --weight=1 -# Fix is_public as a boolean value -if [ "$is_public" = "Yes" ]; then - ynh_app_setting_set --app=$app --key=is_public --value=1 - is_public=1 -elif [ "$is_public" = "No" ]; then - ynh_app_setting_set --app=$app --key=is_public --value=0 - is_public=0 -fi - # If db_name doesn't exist, create it if [ -z "$db_name" ]; then db_name=$(ynh_sanitize_dbid --db_name=$app) @@ -62,6 +52,35 @@ if [ -z "$final_path" ]; then ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi +# If nobody installed your app before 3.7, then you may +# safely remove these lines + +# Cleaning legacy permissions +is_public=$(ynh_app_setting_get --app=$app --key=is_public) +skipped_uris=$(ynh_app_setting_get --app=$app --key=skipped_uris) +unprotected_uris=$(ynh_app_setting_get --app=$app --key=unprotected_uris) +protected_uris=$(ynh_app_setting_get --app=$app --key=protected_uris) + +# Remove is_public if exists +if [ ! -z "$is_public" ]; then + ynh_app_setting_delete --app=$app --key=is_public +fi + +# Remove skipped_uris if exists +if [ ! -z "$skipped_uris" ]; then + ynh_app_setting_delete --app=$app --key=skipped_uris +fi + +# Remove unprotected_uris if exists +if [ ! -z "$unprotected_uris" ]; then + ynh_app_setting_delete --app=$app --key=unprotected_uris +fi + +# Remove protected_uris if exists +if [ ! -z "$protected_uris" ]; then + ynh_app_setting_delete --app=$app --key=protected_uris +fi + #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= 
@@ -192,13 +211,11 @@ chown -R root: $final_path #================================================= # SETUP SSOWAT #================================================= -ynh_script_progression --message="Upgrading SSOwat configuration..." --time --weight=1 +ynh_script_progression --message="Upgrading permissions configuration..." --time --weight=1 -# Make app public if necessary -if [ $is_public -eq 1 ] -then - # unprotected_uris allows SSO credentials to be passed anyway - ynh_app_setting_set --app=$app --key=unprotected_uris --value="/" +# Create the admin permission if needed +if ! ynh_permission_exists --permission "admin"; then + ynh_permission_create --permission "admin" --url "/admin" --allowed $admin fi #================================================= From 65e0c8e92623c50c25fffb27c53f495a6bd4bc8f Mon Sep 17 00:00:00 2001 From: Kay0u Date: Mon, 30 Mar 2020 19:07:55 +0200 Subject: [PATCH 02/10] better migration to the new permission process --- scripts/upgrade | 33 +++++++++++++-------------------- 1 file changed, 13 insertions(+), 20 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 19a361c..97815e3 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -52,33 +52,26 @@ if [ -z "$final_path" ]; then ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi -# If nobody installed your app before 3.7, then you may -# safely remove these lines +### If nobody installed your app before 3.7, +### then you may safely remove these lines # Cleaning legacy permissions is_public=$(ynh_app_setting_get --app=$app --key=is_public) -skipped_uris=$(ynh_app_setting_get --app=$app --key=skipped_uris) -unprotected_uris=$(ynh_app_setting_get --app=$app --key=unprotected_uris) -protected_uris=$(ynh_app_setting_get --app=$app --key=protected_uris) -# Remove is_public if exists -if [ ! -z "$is_public" ]; then - ynh_app_setting_delete --app=$app --key=is_public -fi - -# Remove skipped_uris if exists -if [ ! -z "$skipped_uris" ]; then +if [ -n "$is_public" ]; then + # Remove skipped_uris ynh_app_setting_delete --app=$app --key=skipped_uris -fi - -# Remove unprotected_uris if exists -if [ ! -z "$unprotected_uris" ]; then + # Remove unprotected_uris ynh_app_setting_delete --app=$app --key=unprotected_uris -fi - -# Remove protected_uris if exists -if [ ! -z "$protected_uris" ]; then + # Remove protected_uris ynh_app_setting_delete --app=$app --key=protected_uris + + # Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7 + # If the app was public, add visitors again to the main permission + if [ $is_public -eq 1 ]; then + ynh_permission_update --permission "main" --add "visitors" + fi + ynh_app_setting_delete --app=$app --key=is_public fi #================================================= From e5f2a4510a02f5b18b70d8dc8af7a555dd71bc83 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 30 Mar 2020 22:56:35 +0200 Subject: [PATCH 03/10] Add public access only if already there --- scripts/upgrade | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 97815e3..544b891 100755 
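Review bot: `[ $is_public -eq 1 ]` assumes the stored value is numeric, but patch 01 removed the block that normalised legacy `Yes`/`No` values. An old install that still holds `Yes` makes the test fail with a non-integer error and evaluate false, so a previously public app is left without `visitors` after the upgrade. Compare as strings and accept the legacy spelling: `if [ "$is_public" = "1" ] || [ "$is_public" = "Yes" ]; then`. The comment above the test is also hard to parse; `# Deleting skipped_uris/unprotected_uris can drop the visitors group added by the 3.7 migration, so re-add it for public apps` would state what the code relies on.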
--- a/scripts/upgrade +++ b/scripts/upgrade @@ -59,17 +59,19 @@ fi is_public=$(ynh_app_setting_get --app=$app --key=is_public) if [ -n "$is_public" ]; then - # Remove skipped_uris - ynh_app_setting_delete --app=$app --key=skipped_uris # Remove unprotected_uris ynh_app_setting_delete --app=$app --key=unprotected_uris # Remove protected_uris ynh_app_setting_delete --app=$app --key=protected_uris # Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7 - # If the app was public, add visitors again to the main permission - if [ $is_public -eq 1 ]; then + # Remove skipped_uris. If the app was public, add visitors again to the main permission + if ynh_permission_has_user --permission=main --user=visitors + then + ynh_app_setting_delete --app=$app --key=skipped_uris ynh_permission_update --permission "main" --add "visitors" + else + ynh_app_setting_delete --app=$app --key=skipped_uris fi ynh_app_setting_delete --app=$app --key=is_public fi From 9b1dbbd74c142b0f3521a21a1e4abcd32a5a8683 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 30 Mar 2020 22:58:18 +0200 Subject: [PATCH 04/10] Add ynh_permission_has_user helper --- scripts/_common.sh | 35 +++++++++++++++++++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/scripts/_common.sh b/scripts/_common.sh index 8bb05b4..b062844 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
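Review bot: The public/private decision is made after `unprotected_uris` has already been deleted, yet the comment in this hunk says that removing skipped/unprotected_uris can itself drop the `visitors` group. The old install script made the app public through `unprotected_uris`, so for those installs `ynh_permission_has_user` may already find `visitors` gone and the app silently becomes private. Capture the state before any deletion, e.g. `was_public=0; ynh_permission_has_user --permission=main --user=visitors && was_public=1` ahead of the first `ynh_app_setting_delete`, and re-add `visitors` from that variable once the settings are removed. Both branches also run the same `ynh_app_setting_delete --app=$app --key=skipped_uris`, which can be hoisted out of the `if`.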
@@ -18,3 +18,38 @@ pkg_dependencies="deb1 deb2" #================================================= # FUTURE OFFICIAL HELPERS #================================================= + +# Check if a permission exists +# +# While waiting for this new helper https://github.com/YunoHost/yunohost/pull/905 +# We have to use another one because the new helper use a new YunoHost command, not available for now. +# +# usage: ynh_permission_has_user --permission=permission --user=user +# | arg: -p, --permission - the permission to check +# | arg: -u, --user - the user seek in the permission +# +# example: ynh_permission_has_user --permission=main --user=visitors +# +# Requires YunoHost version 3.7.1 or higher. +ynh_permission_has_user() { + local legacy_args=pu + # Declare an array to define the options of this helper. + declare -Ar args_array=( [p]=permission= [u]=user= ) + local permission + local user + # Manage arguments with getopts + ynh_handle_getopts_args "$@" + + if ! ynh_permission_exists --permission=$permission + then + return 1 + fi + + # List all permissions + # Filter only the required permission with a multiline sed (Here a cut from the permission to the next one), remove the url and his value + perm="$(yunohost user permission list --full --output-as plain | sed --quiet "/^#$app.$permission/,/^#[[:alnum:]]/p" | sed "/^##url/,+1d")" + # Remove all lines starting by # (got from the plain output before) + allowed_users="$(echo "$perm" | grep --invert-match '^#')" + # Grep the list of users an return the result if the user is indeed into the list + echo "$allowed_users" | grep --quiet --word "$user" +} From 1e2ee098604e9772fa74098d350e00c6f7133f80 Mon Sep 17 00:00:00 2001 From: Kayou Date: Fri, 2 Oct 2020 09:27:09 +0200 Subject: [PATCH 05/10] Update _common.sh --- scripts/_common.sh | 35 ----------------------------------- 1 file changed, 35 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index b062844..8bb05b4 100644 --- a/scripts/_common.sh 
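Review bot: `grep --quiet --word "$user"` treats the user name as a regular expression and matches it as a word on any value line left after the filtering, so the helper can report membership for a name that only appears in another field or that matches as a pattern. The upgrade script uses the result to decide whether `visitors` is put back on `main`, so a false positive makes the app public. Match literally with `grep --quiet --word-regexp --fixed-strings -- "$user"`; the `.` in `"/^#$app.$permission/"` is an unescaped wildcard too. `perm` and `allowed_users` are assigned without `local` and leak into the calling script, so add `local perm allowed_users`. The header line `# Check if a permission exists` describes a different helper; this one checks whether a user is allowed in a permission.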
+++ b/scripts/_common.sh @@ -18,38 +18,3 @@ pkg_dependencies="deb1 deb2" #================================================= # FUTURE OFFICIAL HELPERS #================================================= - -# Check if a permission exists -# -# While waiting for this new helper https://github.com/YunoHost/yunohost/pull/905 -# We have to use another one because the new helper use a new YunoHost command, not available for now. -# -# usage: ynh_permission_has_user --permission=permission --user=user -# | arg: -p, --permission - the permission to check -# | arg: -u, --user - the user seek in the permission -# -# example: ynh_permission_has_user --permission=main --user=visitors -# -# Requires YunoHost version 3.7.1 or higher. -ynh_permission_has_user() { - local legacy_args=pu - # Declare an array to define the options of this helper. - declare -Ar args_array=( [p]=permission= [u]=user= ) - local permission - local user - # Manage arguments with getopts - ynh_handle_getopts_args "$@" - - if ! ynh_permission_exists --permission=$permission - then - return 1 - fi - - # List all permissions - # Filter only the required permission with a multiline sed (Here a cut from the permission to the next one), remove the url and his value - perm="$(yunohost user permission list --full --output-as plain | sed --quiet "/^#$app.$permission/,/^#[[:alnum:]]/p" | sed "/^##url/,+1d")" - # Remove all lines starting by # (got from the plain output before) - allowed_users="$(echo "$perm" | grep --invert-match '^#')" - # Grep the list of users an return the result if the user is indeed into the list - echo "$allowed_users" | grep --quiet --word "$user" -} From 9b6cc80ecc863d6269097f422f7c97b156348071 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Wed, 6 Jan 2021 13:31:32 +0100 Subject: [PATCH 06/10] Improve permissions management --- manifest.json | 2 +- scripts/install | 14 ++++++++++---- scripts/upgrade | 38 +++++++++++--------------------------- 3 files changed, 22 insertions(+), 32 deletions(-) 
diff --git a/manifest.json b/manifest.json index 44a6aa9..2eb84bc 100644 --- a/manifest.json +++ b/manifest.json @@ -15,7 +15,7 @@ "url": "http://example.com" }, "requirements": { - "yunohost": ">= 3.7" + "yunohost": ">= 4.1.2" }, "multi_instance": true, "services": [ diff --git a/scripts/install b/scripts/install index 54d74a3..24f1a05 100755 --- a/scripts/install +++ b/scripts/install @@ -220,7 +220,8 @@ chown -R $app: $final_path # Set the app as temporarily public for curl call ynh_script_progression --message="Configuring SSOwat..." --time --weight=1 -ynh_app_setting_set --app=$app --key=skipped_uris --value="/" +# Making the app public for curl +ynh_permission_update --permission="main" --add="visitors" # Reload SSOwat config yunohost app ssowatconf @@ -232,7 +233,7 @@ ynh_script_progression --message="Finalizing installation..." --time --weight=1 ynh_local_curl "/INSTALL_PATH" "key1=value1" "key2=value2" "key3=value3" # Remove the public access -ynh_app_setting_delete --app=$app --key=skipped_uris +ynh_permission_update --permission="main" --remove="visitors" #================================================= # MODIFY A CONFIG FILE 
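Review bot: Between `ynh_permission_update --permission="main" --add="visitors"` and the matching `--remove="visitors"` in the next hunk, the whole app is reachable without authentication. The removal only runs if `ynh_local_curl` succeeds; whether a failed install cleans the permission up depends on error handling outside these hunks. Because packagers copy this pattern, document the window next to the add, e.g. `# The app is reachable by anyone until visitors is removed below; keep only the install request inside this window`.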
@@ -339,11 +340,16 @@ if [ $is_public -eq 1 ] then # Everyone can access the app. # The "main" permission is automatically created before the install script. - ynh_permission_update --permission "main" --add "visitors" + ynh_permission_update --permission="main" --add="visitors" fi # Only the admin can access the admin panel of the app (if the app has an admin panel) -ynh_permission_create --permission "admin" --url "/admin" --allowed $admin +ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin + +# Everyone can access to the api part +# We don't want to display the tile in the sso so we put --show_tile="false" +# And we don't want that the YunoHost Admin can remove visitors group to this permission, so we put --protected="true" +ynh_permission_create --permission="api" --url "/api" --allowed="visitors" --show_tile="false" --protected="true" #================================================= # RELOAD NGINX diff --git a/scripts/upgrade b/scripts/upgrade index 544b891..93ca640 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
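Review bot: The added `api` permission grants `visitors` access to `/api` unconditionally, independent of `is_public`, and `--protected="true"` is set, per the comment, so that the YunoHost admin cannot take `visitors` off it. An app copied from this template therefore exposes its API to unauthenticated clients with no way to close it from the permission settings. The comment should say when this is appropriate, e.g. `# Only do this if /api authenticates requests itself (token, API key); otherwise leave it under the main permission`. The same line is added in the scripts/upgrade hunk at -52 of this patch. `--url "/api"` also departs from the `--option=value` form the rest of the hunk was converted to; write `--url="/api"`.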
@@ -52,28 +52,22 @@ if [ -z "$final_path" ]; then ynh_app_setting_set --app=$app --key=final_path --value=$final_path fi -### If nobody installed your app before 3.7, +### If nobody installed your app before 4.1, ### then you may safely remove these lines # Cleaning legacy permissions -is_public=$(ynh_app_setting_get --app=$app --key=is_public) +if ynh_legacy_permissions_exists; then + ynh_legacy_permissions_delete_all -if [ -n "$is_public" ]; then - # Remove unprotected_uris - ynh_app_setting_delete --app=$app --key=unprotected_uris - # Remove protected_uris - ynh_app_setting_delete --app=$app --key=protected_uris - - # Removing skipped/unprotected_uris under certain conditions, remove the visitors group added during the migration process of 3.7 - # Remove skipped_uris. If the app was public, add visitors again to the main permission - if ynh_permission_has_user --permission=main --user=visitors - then - ynh_app_setting_delete --app=$app --key=skipped_uris - ynh_permission_update --permission "main" --add "visitors" - else - ynh_app_setting_delete --app=$app --key=skipped_uris - fi ynh_app_setting_delete --app=$app --key=is_public + + # Create the required permissions + ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin +fi + +# Create a permission if needed +if ! ynh_permission_exists --permission="api"; then + ynh_permission_create --permission="api" --url "/api" --allowed="visitors" --show_tile="false" --protected="true" fi #================================================= 
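Review bot: Nothing in this hunk puts `visitors` back on `main` once `ynh_legacy_permissions_delete_all` has run and `is_public` is deleted, whereas the removed lines re-added it explicitly for public apps. Presumably the helper or the core migration keeps the group in place, but that is not visible here, and the public state of an upgraded app depends on it. A comment stating the guarantee would help packagers, e.g. `# ynh_legacy_permissions_delete_all keeps the groups already allowed on main, so a public app stays public`, worded to match what the helper actually does.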
@@ -203,16 +197,6 @@ ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failreg # Set permissions on app files chown -R root: $final_path -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Upgrading permissions configuration..." --time --weight=1 - -# Create the admin permission if needed -if ! ynh_permission_exists --permission "admin"; then - ynh_permission_create --permission "admin" --url "/admin" --allowed $admin -fi - #================================================= # START SYSTEMD SERVICE #================================================= From f4e7ffa3db0b686c16ea30c7945591bbd3cbb7a7 Mon Sep 17 00:00:00 2001 From: Kay0u Date: Wed, 6 Jan 2021 13:39:27 +0100 Subject: [PATCH 07/10] Typo --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 1d710ff..924f75d 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -61,7 +61,7 @@ ynh_script_progression --message="Ensuring downward compatibility..." --time --w ### If nobody installed your app before 4.1, ### then you may safely remove these lines -## Cleaning legacy permissions +# Cleaning legacy permissions if ynh_legacy_permissions_exists; then ynh_legacy_permissions_delete_all From 07539cb90f0cd1da5ef578294d7c482de4d10fa4 Mon Sep 17 00:00:00 2001 From: Kayou Date: Thu, 7 Jan 2021 10:09:49 +0100 Subject: [PATCH 08/10] Update manifest.json --- manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifest.json b/manifest.json index 14e38e3..a04a82a 100644 --- a/manifest.json +++ b/manifest.json @@ -15,7 +15,7 @@ "url": "http://example.com" }, "requirements": { - "yunohost": ">= 4.1.2" + "yunohost": ">= 4.1.3" }, "multi_instance": true, "services": [ From 3c263428b1349bc29291094a499e1f4bbbf2ab50 Mon Sep 17 00:00:00 2001 
From: Alexandre Aubin Date: Sun, 10 Jan 2021 18:54:28 +0100 Subject: [PATCH 09/10] Update scripts/upgrade Co-authored-by: Kayou --- scripts/upgrade | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index 924f75d..160f3cc 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -67,6 +67,9 @@ if ynh_legacy_permissions_exists; then ynh_app_setting_delete --app=$app --key=is_public +fi + +if ! ynh_permission_exists --permission="admin"; then # Create the required permissions ynh_permission_create --permission="admin" --url="/admin" --allowed=$admin fi From bd44d211e2d57ef1c0643f024ab6ed19f89fce39 Mon Sep 17 00:00:00 2001 From: Kayou Date: Sun, 10 Jan 2021 20:23:32 +0100 Subject: [PATCH 10/10] Apply suggestions from code review --- scripts/upgrade | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index 160f3cc..fff0363 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -66,7 +66,6 @@ if ynh_legacy_permissions_exists; then ynh_legacy_permissions_delete_all ynh_app_setting_delete --app=$app --key=is_public - fi if ! ynh_permission_exists --permission="admin"; then