From be91c1c2aba7f572fa1c550f4254f6461268b247 Mon Sep 17 00:00:00 2001 From: Miraty Date: Thu, 3 Mar 2022 17:58:37 +0100 Subject: [PATCH] Update to latest packaging format --- README.md | 54 ++++---- README_fr.md | 52 ++++---- conf/nginx.conf | 16 +-- conf/php-fpm.conf | 2 +- .../screenshots/screenshot.png | Bin manifest.json | 29 ++--- scripts/backup | 25 ++-- scripts/change_url | 41 +++++-- scripts/install | 102 ++++++--------- scripts/remove | 12 +- scripts/restore | 61 ++++----- scripts/upgrade | 116 ++++-------------- 12 files changed, 191 insertions(+), 319 deletions(-) rename screenshot.png => doc/screenshots/screenshot.png (100%) diff --git a/README.md b/README.md index 6262d00..1db2b9a 100755 --- a/README.md +++ b/README.md @@ -1,8 +1,12 @@ + + # LibreQR for YunoHost [![Integration level](https://dash.yunohost.org/integration/qr.svg)](https://dash.yunohost.org/appci/app/qr) ![](https://ci-apps.yunohost.org/ci/badges/qr.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/qr.maintain.svg) - -[![Install LibreQR with YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=qr) +[![Install LibreQR with YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=qr) *[Lire ce readme en français.](./README_fr.md)* 
@@ -11,41 +15,31 @@ If you don't have YunoHost, please consult [the guide](https://yunohost.org/#/in ## Overview -A Web interface for generating QR codes in PHP. +Web interface for generating QR codes -**Shipped version:** 1.3.0 +**Shipped version:** 1.3.0~ynh1 -## Screenshot +**Demo:** https://qr.antopie.org -![](screenshot.png) +## Screenshots -## Demo +![](./doc/screenshots/screenshot.png) -* [Official demo](https://qr.antopie.org) +## Documentation and resources -## Configuration +* Upstream app code repository: https://code.antopie.org/miraty/libreqr +* YunoHost documentation for this app: https://yunohost.org/app_qr +* Report a bug: https://code.antopie.org/miraty/qr_ynh/issues -You can configure this app by editing `/var/www/qr/config.inc.php`. +## Developer info -## YunoHost specific features +Please send your pull request to the [testing branch](https://code.antopie.org/miraty/qr_ynh/src/branch/testing). -### Multi-user support +To try the testing branch, please proceed like that. +``` +sudo yunohost app install https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug +or +sudo yunohost app upgrade qr -u https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug +``` -* There is no authentication in the app -* The app can be installed multiple time - -### Supported architectures - -* x86-64 - [![Build Status](https://ci-apps.yunohost.org/ci/logs/qr%20%28Apps%29.svg)](https://ci-apps.yunohost.org/ci/apps/qr/) -* ARMv8-A - [![Build Status](https://ci-apps-arm.yunohost.org/ci/logs/qr%20%28Apps%29.svg)](https://ci-apps-arm.yunohost.org/ci/apps/qr/) - -## Additional information - -The application is called LibreQR, but its technical ID in YunoHost is `qr` for historical reasons. - -## Links - - * Report a bug in this package: - * Report a bug in LibreQR: - * LibreQR repository: - * YunoHost website: +**More info regarding app packaging:** https://yunohost.org/packaging_apps \ No newline at end of file 
diff --git a/README_fr.md b/README_fr.md index 35377a7..edc2602 100755 --- a/README_fr.md +++ b/README_fr.md 
@@ -1,51 +1,41 @@ # LibreQR pour YunoHost [![Niveau d'intégration](https://dash.yunohost.org/integration/qr.svg)](https://dash.yunohost.org/appci/app/qr) ![](https://ci-apps.yunohost.org/ci/badges/qr.status.svg) ![](https://ci-apps.yunohost.org/ci/badges/qr.maintain.svg) - -[![Installer LibreQR avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.png)](https://install-app.yunohost.org/?app=qr) +[![Installer LibreQR avec YunoHost](https://install-app.yunohost.org/install-with-yunohost.svg)](https://install-app.yunohost.org/?app=qr) *[Read this readme in english.](./README.md)* +*[Lire ce readme en français.](./README_fr.md)* > *Ce package vous permet d'installer LibreQR rapidement et simplement sur un serveur YunoHost. -Si vous n'avez pas YunoHost, consultez [le guide](https://yunohost.org/#/install) pour apprendre comment l'installer.* +Si vous n'avez pas YunoHost, regardez [ici](https://yunohost.org/#/install) pour savoir comment l'installer et en profiter.* ## Vue d'ensemble -Une interface Web pour générer des codes QR en PHP. +Interface Web pour générer des codes QR -**Version incluse :** 1.3.0 +**Version incluse :** 1.3.0~ynh1 -## Capture d'écran +**Démo :** https://qr.antopie.org -![](screenshot.png) +## Captures d'écran -## Démo +![](./doc/screenshots/screenshot.png) -* [Démo officielle](https://qr.antopie.org) +## Documentations et ressources -## Configuration +* Dépôt de code officiel de l'app : https://code.antopie.org/miraty/libreqr +* Documentation YunoHost pour cette app : https://yunohost.org/app_qr +* Signaler un bug : https://code.antopie.org/miraty/qr_ynh/issues -Vous pouvez configurer cette application en modifiant `/var/www/qr/config.inc.php`. +## Informations pour les développeurs -## Caractéristiques spécifiques YunoHost +Merci de faire vos pull request sur la [branche testing](https://code.antopie.org/miraty/qr_ynh/src/branch/testing). -### Support multi-utilisateur +Pour essayer la branche testing, procédez comme suit. 
+``` +sudo yunohost app install https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug +ou +sudo yunohost app upgrade qr -u https://code.antopie.org/miraty/qr_ynh/src/branch/testing --debug +``` -* Il n'y a pas d'authentification dans l'application -* L'application peut-être installée plusieurs fois - -### Architectures supportées - -* x86-64 - [![Build Status](https://ci-apps.yunohost.org/ci/logs/qr%20%28Apps%29.svg)](https://ci-apps.yunohost.org/ci/apps/qr/) -* ARMv8-A - [![Build Status](https://ci-apps-arm.yunohost.org/ci/logs/qr%20%28Apps%29.svg)](https://ci-apps-arm.yunohost.org/ci/apps/qr/) - -## Informations additionnelles - -L'application s'appelle LibreQR, mais son identifiant technique dans YunoHost est `qr` pour des raisons historiques. - -## Liens - - * Signaler un bug dans ce paquet : - * Signaler un bug dans LibreQR : - * Dépôt de LibreQR : - * Site web de YunoHost : +**Plus d'infos sur le packaging d'applications :** https://yunohost.org/packaging_apps \ No newline at end of file diff --git a/conf/nginx.conf b/conf/nginx.conf index 37de41d..154622a 100755 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -2,19 +2,10 @@ location __PATH__/ { # Path to source - alias __FINALPATH__/ ; + alias __FINALPATH__/; - # Force usage of https - if ($scheme = http) { - rewrite ^ https://$server_name$request_uri? permanent; - } - -### Example PHP configuration (remove it if not used) index index.php; - # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file - #client_max_body_size 50M; - try_files $uri $uri/ index.php; location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; 
@@ -26,7 +17,10 @@ location __PATH__/ { fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param SCRIPT_FILENAME $request_filename; } -### End of PHP configuration part + + # Security related headers + more_set_headers "Referrer-Policy: no-referrer"; + more_set_headers "Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; manifest-src 'self'; frame-ancestors 'none';"; # Include SSOWAT user panel. include conf.d/yunohost_panel.conf.inc; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index ab1a471..95f5229 100755 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -353,7 +353,7 @@ request_terminate_timeout = 1d ; possible. However, all PHP paths will be relative to the chroot ; (error_log, sessions.save_path, ...). ; Default Value: not set -;chroot = +;chroot = __FINALPATH__ ; Chdir to this directory at the start. ; Note: relative path can be used. diff --git a/screenshot.png b/doc/screenshots/screenshot.png similarity index 100% rename from screenshot.png rename to doc/screenshots/screenshot.png diff --git a/manifest.json b/manifest.json index 21178f9..264caa3 100755 --- a/manifest.json +++ b/manifest.json @@ -8,6 +8,11 @@ }, "version": "1.3.0~ynh1", "url": "https://code.antopie.org/miraty/libreqr", + "upstream": { + "license": "AGPL-3.0-or-later", + "demo": "https://qr.antopie.org", + "code": "https://code.antopie.org/miraty/libreqr" + }, "license": "AGPL-3.0-or-later", "maintainer": { "name": "Miraty", @@ -15,7 +20,7 @@ "url": "https://miraty.antopie.org" }, "requirements": { - "yunohost": ">= 4.0" + "yunohost": ">= 4.1.2" }, "multi_instance": true, "services": [ 
@@ -26,31 +31,13 @@ "install" : [ { "name": "domain", - "type": "domain", - "ask": { - "en": "Choose a domain name for LibreQR", - "fr": "Choisissez un nom de domaine pour LibreQR" - }, - "example": "qr.domain.tld" + "type": "domain" }, { "name": "path", "type": "path", - "ask": { - "en": "Choose a path for LibreQR", - "fr": "Choisissez un chemin pour LibreQR" - }, "example": "/qr", - "default": "/qr" - }, - { - "name": "is_public", - "type": "boolean", - "ask": { - "en": "Is it a public application?", - "fr": "Est-ce une application publique ?" - }, - "default": true + "default": "/" } ] } diff --git a/scripts/backup b/scripts/backup index 6bcde3e..09b69eb 100755 --- a/scripts/backup +++ b/scripts/backup @@ -6,8 +6,6 @@ # IMPORT GENERIC HELPERS #================================================= -#Keep this path for calling _common.sh inside the execution's context of backup and restore scripts -source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= 
@@ -24,39 +22,46 @@ ynh_abort_if_errors #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." + +ynh_print_info --message="Loading installation settings..." app=$YNH_APP_INSTANCE_NAME final_path=$(ynh_app_setting_get --app=$app --key=final_path) domain=$(ynh_app_setting_get --app=$app --key=domain) -#db_name=$(ynh_app_setting_get --app=$app --key=db_name) +phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= -# STANDARD BACKUP STEPS +# DECLARE DATA AND CONF FILES TO BACKUP +#================================================= + +ynh_print_info --message="Declaring files to be backed up..." + +### N.B. : the following 'ynh_backup' calls are only a *declaration* of what needs +### to be backuped and not an actual copy of any file. The actual backup that +### creates and fill the archive with the files happens in the core after this +### script is called. Hence ynh_backups calls takes basically 0 seconds to run. + #================================================= # BACKUP THE APP MAIN DIR #================================================= -ynh_script_progression --message="Backing up the main app directory..." ynh_backup --src_path="$final_path" #================================================= # BACKUP THE NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Backing up nginx web server configuration..." ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf" #================================================= # BACKUP THE PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Backing up php-fpm configuration..." 
-ynh_backup --src_path="/etc/php/7.3/fpm/pool.d/$app.conf" +ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" #================================================= # END OF SCRIPT #================================================= -ynh_script_progression --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." --last +ynh_print_info --message="Backup script completed for $app. (YunoHost will then actually copy those files to the archive)." diff --git a/scripts/change_url b/scripts/change_url index eeee689..dd445b0 100755 --- a/scripts/change_url +++ b/scripts/change_url @@ -6,7 +6,6 @@ # IMPORT GENERIC HELPERS #================================================= -source _common.sh source /usr/share/yunohost/helpers #================================================= 
@@ -24,15 +23,29 @@ app=$YNH_APP_INSTANCE_NAME #================================================= # LOAD SETTINGS #================================================= + ynh_script_progression --message="Loading installation settings..." # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) -# Add settings here as needed by your application -#db_name=$(ynh_app_setting_get --app=$app --key=db_name) -#db_user=$db_name -#db_pwd=$(ynh_app_setting_get --app=$app --key=db_pwd) +#================================================= +# BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP +#================================================= + +ynh_script_progression --message="Backing up the app before changing its URL (may take a while)..." --time --weight=1 + +# Backup the current version of the app +ynh_backup_before_upgrade +ynh_clean_setup () { + # Remove the new domain config file, the remove script won't do it as it doesn't know yet its location. + ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" + + # Restore it if the upgrade fails + ynh_restore_upgradebackup +} +# Exit if an error occurs during the execution of the script +ynh_abort_if_errors #================================================= # CHECK WHICH PARTS SHOULD BE CHANGED 
@@ -56,23 +69,24 @@ fi #================================================= # MODIFY URL IN NGINX CONF #================================================= -ynh_script_progression --message="Updating nginx web server configuration..." + +ynh_script_progression --message="Updating NGINX web server configuration..." nginx_conf_path=/etc/nginx/conf.d/$old_domain.d/$app.conf -# Change the path in the nginx config file +# Change the path in the NGINX config file if [ $change_path -eq 1 ] then - # Make a backup of the original nginx config file if modified + # Make a backup of the original NGINX config file if modified ynh_backup_if_checksum_is_different --file="$nginx_conf_path" - # Set global variables for nginx helper + # Set global variables for NGINX helper domain="$old_domain" path_url="$new_path" - # Create a dedicated nginx config + # Create a dedicated NGINX config ynh_add_nginx_config fi -# Change the domain for nginx +# Change the domain for NGINX if [ $change_domain -eq 1 ] then # Delete file checksum for the old conf file location @@ -85,7 +99,8 @@ fi #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." + +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload @@ -93,4 +108,4 @@ ynh_systemd_action --service_name=nginx --action=reload # END OF SCRIPT #================================================= -ynh_script_progression --message="Change of URL completed for $app" --time --last +ynh_script_progression --message="Change of URL completed for $app" --last diff --git a/scripts/install b/scripts/install index b5800e5..0476c67 100755 --- a/scripts/install +++ b/scripts/install 
@@ -6,17 +6,12 @@ # IMPORT GENERIC HELPERS #================================================= -source _common.sh source /usr/share/yunohost/helpers #================================================= # MANAGE SCRIPT FAILURE #================================================= -ynh_clean_setup () { - ### Remove this function if there's nothing to clean before calling the remove script. - true -} # Exit if an error occurs during the execution of the script ynh_abort_if_errors @@ -26,18 +21,17 @@ ynh_abort_if_errors domain=$YNH_APP_ARG_DOMAIN path_url=$YNH_APP_ARG_PATH -is_public=$YNH_APP_ARG_IS_PUBLIC ### If it's a multi-instance app, meaning it can be installed several times independently ### The id of the app as stated in the manifest is available as $YNH_APP_ID -### The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2", ...) +### The instance number is available as $YNH_APP_INSTANCE_NUMBER (equals "1", "2"...) ### The app instance name is available as $YNH_APP_INSTANCE_NAME ### - the first time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample ### - the second time the app is installed, YNH_APP_INSTANCE_NAME = ynhexample__2 -### - ynhexample__{N} for the subsequent installations, with N=3,4, ... +### - ynhexample__{N} for the subsequent installations, with N=3,4... ### The app instance name is probably what interests you most, since this is ### guaranteed to be unique. This is a good unique identifier to define installation path, -### db names, ... +### db names... app=$YNH_APP_INSTANCE_NAME #================================================= 
@@ -53,8 +47,8 @@ app=$YNH_APP_INSTANCE_NAME ### The execution time is given for the duration since the previous call. So the weight should be applied to this previous call. ynh_script_progression --message="Validating installation parameters..." -### If the app uses nginx as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app". -### If the app provides an internal web server (or uses another application server such as uwsgi), the final path should be "/opt/yunohost/$app" +### If the app uses NGINX as web server (written in HTML/PHP in most cases), the final path should be "/var/www/$app". +### If the app provides an internal web server (or uses another application server such as uWSGI), the final path should be "/opt/yunohost/$app" final_path=/var/www/$app test ! -e "$final_path" || ynh_die --message="This path already contains a folder" 
@@ -64,100 +58,76 @@ ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url #================================================= # STORE SETTINGS FROM MANIFEST #================================================= + ynh_script_progression --message="Storing installation settings..." ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url -ynh_app_setting_set --app=$app --key=is_public --value=$is_public -ynh_app_setting_set --app=$app --key=final_path --value=$final_path #================================================= # STANDARD MODIFICATIONS #================================================= +#================================================= +# CREATE DEDICATED USER +#================================================= + +ynh_script_progression --message="Configuring system user..." + +# Create a system user +ynh_system_user_create --username=$app --home_dir="$final_path" + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= + ynh_script_progression --message="Setting up source files..." ### `ynh_setup_source` is used to install an app from a zip or tar.gz file, ### downloaded from an upstream source, like a git repository. ### `ynh_setup_source` use the file conf/app.src +ynh_app_setting_set --app=$app --key=final_path --value=$final_path # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" +# FIXME: this should be managed by the core in the future +# Here, as a packager, you may have to tweak the ownerhsip/permissions +# such that the appropriate users (e.g. maybe www-data) can access +# files in some cases. +# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - +# this will be treated as a security issue. 
+chmod -R 440 "$final_path" +find "$final_path" -type d | xargs chmod 110 +chmod 750 "$final_path"/temp +chown -R $app:www-data "$final_path" + #================================================= # NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Configuring nginx web server..." + +ynh_script_progression --message="Configuring NGINX web server..." ### `ynh_add_nginx_config` will use the file conf/nginx.conf -# Create a dedicated nginx config +# Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Configuring system user..." - -# Create a system user -ynh_system_user_create --username=$app - #================================================= # PHP-FPM CONFIGURATION #================================================= -ynh_script_progression "Configuring php-fpm..." -### `ynh_add_fpm_config` is used to set up a PHP config. -### You can remove it if your app doesn't use PHP. -### `ynh_add_fpm_config` will use the files conf/php-fpm.conf and conf/php-fpm.ini -### If you're not using these lines: -### - You can remove these files in conf/. -### - Remove the section "BACKUP THE PHP-FPM CONFIGURATION" in the backup script -### - Remove also the section "REMOVE PHP-FPM CONFIGURATION" in the remove script -### - As well as the section "RESTORE THE PHP-FPM CONFIGURATION" in the restore script -### With the reload at the end of the script. -### - And the section "PHP-FPM CONFIGURATION" in the upgrade script +ynh_script_progression --message="Configuring PHP-FPM..." 
-# Create a dedicated php-fpm config +# Create a dedicated PHP-FPM config ynh_add_fpm_config #================================================= -# GENERIC FINALIZATION -#================================================= -# SECURE FILES AND DIRECTORIES -#================================================= - -### For security reason, any app should set the permissions to root: before anything else. -### Then, if write authorization is needed, any access should be given only to directories -### that really need such authorization. - -# Set permissions to app files -chown -R root: $final_path -find $final_path -type f | xargs chmod 644 -find $final_path -type d | xargs chmod 755 - -# For temp subdir, the user must have write permissions -mkdir -p $final_path/temp -chown -R $app:root $final_path/temp -chmod 711 $final_path/temp - -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Configuring SSOwat..." - -# Make app public if necessary -if [ $is_public -eq 1 ] -then - ynh_permission_update --permission "main" --add visitors -fi - +# GENERIC FINALIZATIONs #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading nginx web server..." + +ynh_script_progression --message="Reloading NGINX web server..." ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/remove b/scripts/remove index ee40376..d4d1190 100755 --- a/scripts/remove +++ b/scripts/remove @@ -6,7 +6,6 @@ # IMPORT GENERIC HELPERS #================================================= -source _common.sh source /usr/share/yunohost/helpers #================================================= 
@@ -17,7 +16,6 @@ ynh_script_progression --message="Loading installation settings..." app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) -#port=$(ynh_app_setting_get --app=$app --key=port) final_path=$(ynh_app_setting_get --app=$app --key=final_path) #================================================= @@ -34,21 +32,19 @@ ynh_secure_remove --file="$final_path" #================================================= # REMOVE NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Removing nginx web server configuration..." +ynh_script_progression --message="Removing NGINX web server configuration..." -# Remove the dedicated nginx config +# Remove the dedicated NGINX config ynh_remove_nginx_config #================================================= # REMOVE PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Removing php-fpm configuration..." +ynh_script_progression --message="Removing PHP-FPM configuration..." -# Remove the dedicated php-fpm config +# Remove the dedicated PHP-FPM config ynh_remove_fpm_config -ynh_systemd_action --action=restart --service_name=php7.3-fpm - #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/restore b/scripts/restore index c440d16..fae3895 100755 --- a/scripts/restore +++ b/scripts/restore @@ -6,8 +6,6 @@ # IMPORT GENERIC HELPERS #================================================= -#Keep this path for calling _common.sh inside the execution's context of backup and restore scripts -source ../settings/scripts/_common.sh source /usr/share/yunohost/helpers #================================================= 
@@ -24,32 +22,34 @@ ynh_abort_if_errors #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading settings..." +ynh_script_progression --message="Loading installation settings..." --weight=1 app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) final_path=$(ynh_app_setting_get --app=$app --key=final_path) +phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # CHECK IF THE APP CAN BE RESTORED -#================================================= -ynh_script_progression --message="Validating restoration parameters..." - -ynh_webpath_available --domain=$domain --path_url=$path_url \ - || ynh_die --message="Path not available: ${domain}${path_url}" -test ! -d $final_path \ - || ynh_die --message="There is already a directory: $final_path " - #================================================= # STANDARD RESTORATION STEPS #================================================= # RESTORE THE NGINX CONFIGURATION #================================================= +ynh_script_progression --message="Restoring the NGINX configuration..." --weight=1 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +#================================================= +# RECREATE THE DEDICATED USER +#================================================= +ynh_script_progression --message="Recreating the dedicated system user..." + +# Create the dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" + #================================================= # RESTORE THE APP MAIN DIR #================================================= 
@@ -57,31 +57,16 @@ ynh_script_progression --message="Restoring the app main directory..." ynh_restore_file --origin_path="$final_path" -#================================================= -# RECREATE THE DEDICATED USER -#================================================= -ynh_script_progression --message="Recreating the dedicated system user..." - -# Create the dedicated user (if not existing) -ynh_system_user_create --username=$app - -#================================================= -# RESTORE USER RIGHTS -#================================================= - -### For security reason, any app should set the permissions to root: before anything else. -### Then, if write authorization is needed, any access should be given only to directories -### that really need such authorization. - -# Set permissions to app files -chown -R root: $final_path -find $final_path -type f | xargs chmod 644 -find $final_path -type d | xargs chmod 755 - -# For temp subdir, the user must have write permissions -mkdir -p $final_path/temp -chown -R $app:root $final_path/temp -chmod 711 $final_path/temp +# FIXME: this should be managed by the core in the future +# Here, as a packager, you may have to tweak the ownerhsip/permissions +# such that the appropriate users (e.g. maybe www-data) can access +# files in some cases. +# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - +# this will be treated as a security issue. +chmod -R 440 "$final_path" +find "$final_path" -type d | xargs chmod 110 +chmod 750 "$final_path"/temp +chown -R $app:www-data "$final_path" #================================================= # RESTORE THE PHP-FPM CONFIGURATION 
@@ -94,9 +79,9 @@ ynh_restore_file --origin_path="/etc/php/7.3/fpm/pool.d/$app.conf" #================================================= # RELOAD NGINX AND PHP-FPM #================================================= -ynh_script_progression --message="Reloading nginx web server and php-fpm..." +ynh_script_progression --message="Reloading NGINX web server and PHP-FPM..." -ynh_systemd_action --service_name=php7.3-fpm --action=reload +ynh_systemd_action --service_name=php$phpversion-fpm --action=reload ynh_systemd_action --service_name=nginx --action=reload #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 4862fcc..ef12088 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -6,19 +6,18 @@ # IMPORT GENERIC HELPERS #================================================= -source _common.sh source /usr/share/yunohost/helpers #================================================= # LOAD SETTINGS #================================================= + ynh_script_progression --message="Loading installation settings..." app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) path_url=$(ynh_app_setting_get --app=$app --key=path) -is_public=$(ynh_app_setting_get --app=$app --key=is_public) final_path=$(ynh_app_setting_get --app=$app --key=final_path) #================================================= 
@@ -33,29 +32,10 @@ final_path=$(ynh_app_setting_get --app=$app --key=final_path) ### UPGRADE_APP should be used to upgrade the core app only if there's an upgrade to do. upgrade_type=$(ynh_check_app_version_changed) -#================================================= -# ENSURE DOWNWARD COMPATIBILITY -#================================================= -ynh_script_progression --message="Ensuring downward compatibility..." - -# Fix is_public as a boolean value -if [ "$is_public" = "Yes" ]; then - ynh_app_setting_set --app=$app --key=is_public --value=1 - is_public=1 -elif [ "$is_public" = "No" ]; then - ynh_app_setting_set --app=$app --key=is_public --value=0 - is_public=0 -fi - -# If final_path doesn't exist, create it -if [ -z "$final_path" ]; then - final_path=/var/www/$app - ynh_app_setting_set --app=$app --key=final_path --value=$final_path -fi - #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= + ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." # Backup the current version of the app @@ -70,6 +50,13 @@ ynh_abort_if_errors #================================================= # STANDARD UPGRADE STEPS #================================================= +# CREATE DEDICATED USER +#================================================= + +ynh_script_progression --message="Making sure dedicated system user exists..." + +# Create a dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE 
@@ -84,88 +71,37 @@ then # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$final_path" - fi +# FIXME: this should be managed by the core in the future +# Here, as a packager, you may have to tweak the ownerhsip/permissions +# such that the appropriate users (e.g. maybe www-data) can access +# files in some cases. +# But FOR THE LOVE OF GOD, do not allow r/x for "others" on the entire folder - +# this will be treated as a security issue. +chmod -R 440 "$final_path" +find "$final_path" -type d | xargs chmod 110 +chmod 750 "$final_path"/temp +chown -R $app:www-data "$final_path" + #================================================= # NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Upgrading nginx web server configuration..." -# Create a dedicated nginx config +ynh_script_progression --message="Upgrading NGINX web server configuration..." + +# Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# UPGRADE DEPENDENCIES -#================================================= -#ynh_script_progression --message="Upgrading dependencies..." - -#ynh_install_app_dependencies $pkg_dependencies - -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Making sure dedicated system user exists..." - -# Create a dedicated user (if not existing) -ynh_system_user_create --username=$app - #================================================= # PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Upgrading php-fpm configuration..." -# Create a dedicated php-fpm config +ynh_script_progression --message="Upgrading PHP-FPM configuration..." 
+ +# Create a dedicated PHP-FPM config ynh_add_fpm_config -#================================================= -# STORE THE CONFIG FILE CHECKSUM -#================================================= - -### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script. -### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it. -ynh_backup_if_checksum_is_different --file="$final_path/config.inc.php" -# Recalculate and store the checksum of the file for the next upgrade. -ynh_store_file_checksum --file="$final_path/config.inc.php" - -#================================================= -# GENERIC FINALIZATION -#================================================= -# SECURE FILES AND DIRECTORIES -#================================================= - -### For security reason, any app should set the permissions to root: before anything else. -### Then, if write authorization is needed, any access should be given only to directories -### that really need such authorization. - -# Set permissions to app files -chown -R root: $final_path -find $final_path -type f | xargs chmod 644 -find $final_path -type d | xargs chmod 755 - -# For temp subdir, the user must have write permissions -mkdir -p $final_path/temp -chown -R $app:root $final_path/temp -chmod 711 $final_path/temp - -#================================================= -# SETUP SSOWAT -#================================================= -ynh_script_progression --message="Upgrading SSOwat configuration..." - -# Make app public if necessary -if [ $is_public -eq 1 ] -then - ynh_permission_update --permission "main" --add visitors -fi - -#================================================= -# RELOAD NGINX -#================================================= -ynh_script_progression --message="Reloading nginx web server..." 
- -ynh_systemd_action --service_name=nginx --action=reload - #================================================= # END OF SCRIPT #=================================================
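
Review bot: In README_fr.md, the added line `*[Lire ce readme en français.](./README_fr.md)*` makes the French README link to itself, right after the existing link to the English one. Drop the added line, or fix the README generator's French template if this file is generated.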
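
Review bot: In conf/nginx.conf, the new Content-Security-Policy has `default-src 'none'` and no `script-src`, while the location still ends with `include conf.d/yunohost_panel.conf.inc;`, so anything that include adds to the page that is not a same-origin style, image or manifest will be blocked by the browser. Either drop the include or say in a comment that blocking it is intended. Note also that `default-src` does not cover `form-action` or `base-uri`; if the goal is a locked-down policy, add `form-action 'self'; base-uri 'none';`. The same hunk removes the `if ($scheme = http)` redirect, so please confirm that the HTTPS redirect is handled at the domain level before this ships.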
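
Review bot: In conf/php-fpm.conf, the changed line `;chroot = __FINALPATH__` still starts with `;`, so the pool is not chrooted and the hunk has no runtime effect. If a chroot is wanted, uncomment it and check every path the comment above it lists (error_log, session paths), which become relative to the chroot; if not, leave the line as `;chroot =` to avoid suggesting the pool is confined.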
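
Review bot: In manifest.json and scripts/install, the `is_public` question and the `ynh_permission_update --permission "main" --add visitors` block are both removed, so nothing in the package decides who can reach the app after install, and the README no longer carries the line "There is no authentication in the app". Please state the intended access (visitors or logged-in users only) in the README or the commit message, and set the `main` permission explicitly in install if it must stay public. Minor: the `path` question now has `"default": "/"` but keeps `"example": "/qr"`.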
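
Review bot: In scripts/backup and scripts/restore, `phpversion` is read with `ynh_app_setting_get` but no script in this patch stores that key, so an instance without it would produce `/etc/php//fpm/pool.d/$app.conf`. Add a check that `$phpversion` is non-empty before it is used in a path or a service name. Also, `source _common.sh` is removed from every script while the diffstat does not list scripts/_common.sh as deleted; remove the file if it is now unused.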
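
Review bot: In scripts/change_url, the new progression line adds `--time --weight=1` while the last hunk of the same file removes `--time` from the final message; use one convention across the script. In `ynh_clean_setup`, `ynh_secure_remove --file="/etc/nginx/conf.d/$new_domain.d/$app.conf"` runs on every failure, including a path-only change, so add a short comment saying that the file is expected to come back from `ynh_restore_upgradebackup` in that case.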
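
Review bot: In the permissions block added to scripts/install (and repeated in scripts/restore and scripts/upgrade), `chmod 750 "$final_path"/temp` is no longer preceded by the `mkdir -p $final_path/temp` that the removed block had, so under `ynh_abort_if_errors` the script fails if the source archive does not ship a `temp` directory. Restore the `mkdir -p "$final_path/temp"` before the chmod. `find "$final_path" -type d | xargs chmod 110` splits on whitespace in path names; `find "$final_path" -type d -exec chmod 110 {} +` avoids that. Mode 110 also leaves the owner unable to list its own directories, so confirm the app never needs to enumerate files. The copied FIXME comment has a typo ("ownerhsip"), and the section header now reads `# GENERIC FINALIZATIONs` with its closing `#====` line removed.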
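
Review bot: In scripts/restore, the pool file is still restored from the hardcoded `/etc/php/7.3/fpm/pool.d/$app.conf` (visible as the context of the `@@ -94,9 +79,9 @@` hunk), while scripts/backup now declares `/etc/php/$phpversion/fpm/pool.d/$app.conf` and the reload below targets `php$phpversion-fpm`. With any `phpversion` other than 7.3 the restore asks for a file that is not in the archive. Change the restore path to use `$phpversion` as well. The `# CHECK IF THE APP CAN BE RESTORED` header is left behind with no body after the checks were removed; delete it too.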
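
Review bot: In scripts/upgrade, the `ynh_backup_if_checksum_is_different` / `ynh_store_file_checksum` pair for `$final_path/config.inc.php` is removed while `ynh_setup_source --dest_dir="$final_path"` still unpacks over the directory, so an admin's edits to that file are overwritten on upgrade with no separate copy kept; the README section that documented editing it is removed in the same patch. Keep the checksum pair, or document that local configuration is not preserved. The hunk also drops the `[ -z "$final_path" ]` fallback and the final `ynh_systemd_action --service_name=nginx --action=reload`; please confirm neither is needed for instances installed with older versions of the package.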