allow yunohost admin users to access forgejo admin page

This commit is contained in:
Emmanuel Averty 2023-07-05 16:20:06 +02:00 committed by grosmanal
parent 03643d342e
commit be9eeb8a5b
10 changed files with 171 additions and 13 deletions

View file

@ -1,14 +1,10 @@
## Additional informations ## Additional informations
### Known issue about admin access ### User synchronization
This package ask during its installation which group of users should be considered as forgejo administrators. These users should be able to access the admin page of forgejo. But they won't :( In order to allow access to Forgejo admin section, YunoHost users are automaticaly synchronized with Forgejo's.
Two forgejo features are not yet compatible : You can use «Forgejo (admin)» permission to manage which user is considered as forgejo admin.
- the reverse proxy authentication (which allows yunohost user to be automatically logged in forgejo)
- the login source (which tells forgejo to check yunohost users base to know if it is an admin or not)
The choice have been done to keep the reverse proxy authentication. But an [issue](https://codeberg.org/forgejo/forgejo/issues/930) is created to have both features. **Known issue** : when a user is added to a group (e.g. the one with «Forgejo (admin)» permission), the synchronization is not triggered by YunoHost. You have to update a user (without any modification) to trigger it. (https://github.com/YunoHost/issues/issues/2213)
In conclusion, this forgejo installation does not (yet) allow to access the forgejo admin page.
### Notes on SSH usage ### Notes on SSH usage

20
hooks/post_app_addaccess Normal file
View file

@ -0,0 +1,20 @@
#!/bin/bash
# IMPORT GENERIC HELPERS
source /usr/share/yunohost/helpers
pwd=$(dirname $0)
filename=$(basename $0)
# Set vars for following script
# The file name is <priority>-<app>
app=${filename#*-}
domain=$(ynh_app_setting_get --app=$app --key=domain)
path=$(ynh_app_setting_get --app=$app --key=path)
# Load common variables and helpers
source ${pwd}/../../apps/${app}/scripts/_common.sh
synchronize_users

View file

@ -0,0 +1,20 @@
#!/bin/bash
# IMPORT GENERIC HELPERS
source /usr/share/yunohost/helpers
pwd=$(dirname $0)
filename=$(basename $0)
# Set vars for following script
# The file name is <priority>-<app>
app=${filename#*-}
domain=$(ynh_app_setting_get --app=$app --key=domain)
path=$(ynh_app_setting_get --app=$app --key=path)
# Load common variables and helpers
source ${pwd}/../../apps/${app}/scripts/_common.sh
synchronize_users

20
hooks/post_user_create Normal file
View file

@ -0,0 +1,20 @@
#!/bin/bash
# IMPORT GENERIC HELPERS
source /usr/share/yunohost/helpers
pwd=$(dirname $0)
filename=$(basename $0)
# Set vars for following script
# The file name is <priority>-<app>
app=${filename#*-}
domain=$(ynh_app_setting_get --app=$app --key=domain)
path=$(ynh_app_setting_get --app=$app --key=path)
# Load common variables and helpers
source ${pwd}/../../apps/${app}/scripts/_common.sh
synchronize_users

20
hooks/post_user_delete Normal file
View file

@ -0,0 +1,20 @@
#!/bin/bash
# IMPORT GENERIC HELPERS
source /usr/share/yunohost/helpers
pwd=$(dirname $0)
filename=$(basename $0)
# Set vars for following script
# The file name is <priority>-<app>
app=${filename#*-}
domain=$(ynh_app_setting_get --app=$app --key=domain)
path=$(ynh_app_setting_get --app=$app --key=path)
# Load common variables and helpers
source ${pwd}/../../apps/${app}/scripts/_common.sh
synchronize_users

24
hooks/post_user_update Normal file
View file

@ -0,0 +1,24 @@
#!/bin/bash
###
# This hook is only used because yunohost doesn't trigger any hook when adding a user to a group (e.g. admin)
# After adding a user to a group, one should update a user to trigger this hook (https://forum.yunohost.org/t/hook-when-a-user-is-added-in-a-group/25437)
# IMPORT GENERIC HELPERS
source /usr/share/yunohost/helpers
pwd=$(dirname $0)
filename=$(basename $0)
# Set vars for following script
# The file name is <priority>-<app>
app=${filename#*-}
domain=$(ynh_app_setting_get --app=$app --key=domain)
path=$(ynh_app_setting_get --app=$app --key=path)
# Load common variables and helpers
source ${pwd}/../../apps/${app}/scripts/_common.sh
synchronize_users

View file

@ -5,7 +5,7 @@ name = "Forgejo"
description.en = "Lightweight software forge" description.en = "Lightweight software forge"
description.fr = "Forge logiciel légère" description.fr = "Forge logiciel légère"
version = "1.19.3-0~ynh2" version = "1.19.3-0~ynh3"
maintainers = ["Emmanuel Averty"] maintainers = ["Emmanuel Averty"]

View file

@ -5,7 +5,42 @@
#================================================= #=================================================
function set_forgejo_login_source() { function set_forgejo_login_source() {
ynh_print_info --message="Creating forgejo login source"
pushd "$install_dir" pushd "$install_dir"
ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail" ynh_exec_as $app ./forgejo admin auth add-ldap-simple --security-protocol "Unencrypted" --name "YunoHost LDAP" --host "localhost" --port "389" --skip-tls-verify --user-search-base "ou=users,dc=yunohost,dc=org" --user-dn "uid=%s,ou=Users,dc=yunohost,dc=org" --user-filter "(&(objectclass=posixAccount)(uid=%s)(permission=cn=$app.main,ou=permission,dc=yunohost,dc=org))" --admin-filter "(permission=cn=forgejo.admin,ou=permission,dc=yunohost,dc=org)" --username-attribute "uid" --firstname-attribute "givenName" --surname-attribute "sn" --email-attribute "mail"
popd popd
}
function enable_login_source_sync() {
ynh_print_info --message="Set forgejo login source as synchronizable"
# Enable login source synchronisation manualy because forgejo command does not allow it (https://codeberg.org/forgejo/forgejo/issues/952)
ynh_psql_execute_as_root --database $db_name --sql "update login_source set is_sync_enabled = true where type = 5 and name = 'YunoHost LDAP'"
}
function create_forgejo_api_user() {
ynh_print_info --message="Creating forgejo api user"
forgejo_api_user=yunohost_api
forgejo_api_pwd=$(ynh_string_random --length=24)
ynh_app_setting_set --app=$app --key=forgejo_api_user --value=$forgejo_api_user
ynh_app_setting_set --app=$app --key=forgejo_api_pwd --value=$forgejo_api_pwd
pushd "$install_dir"
ynh_exec_as $app ./forgejo admin user create --username $forgejo_api_user --password $forgejo_api_pwd --email admin@${domain} --admin --must-change-password=false
forgejo_api_token=$(ynh_exec_as $app ./forgejo admin user generate-access-token --username $forgejo_api_user --token-name "admin" --scopes "sudo" --raw | tail -1)
ynh_app_setting_set --app=$app --key=forgejo_api_token --value=$forgejo_api_token
popd
}
function set_users_login_source() {
# Previously created users have «Local» login source. It should be «YunoHost LDAP»
for username in $(ynh_user_list); do
ynh_print_info --message="Updating forgejo user login type for ${username}"
ynh_psql_execute_as_root --database $db_name --sql "update public.user set login_source = (select id from login_source where name = 'YunoHost LDAP' and type = 5), login_name = name, login_type = 5 where name = '${username}'"
done
}
function synchronize_users() {
ynh_print_info --message="Synchronizing forgejo users"
# User synchronization must be launched using API : no cli exists for this purpose (https://codeberg.org/forgejo/forgejo/issues/953)
curl --url https://${domain}${path}/api/v1/admin/cron/sync_external_users -X POST -H "Authorization: token $(ynh_app_setting_get --app=$app --key=forgejo_api_token)" -kfsS
} }

View file

@ -98,6 +98,13 @@ ynh_add_fail2ban_config --logpath "/var/log/$app/forgejo.log" --failregex ".*Fai
#================================================= #=================================================
ynh_script_progression --message="Adding LDAP configuration..." --weight=1 ynh_script_progression --message="Adding LDAP configuration..." --weight=1
set_forgejo_login_source set_forgejo_login_source
enable_login_source_sync
# API user creation
create_forgejo_api_user
# Yunohost user creation
synchronize_users
#================================================= #=================================================
# END OF SCRIPT # END OF SCRIPT

View file

@ -28,7 +28,7 @@ ynh_systemd_action --service_name=$app --action="stop" --log_path="systemd"
#================================================= #=================================================
ynh_script_progression --message="Ensuring downward compatibility..." --weight=1 ynh_script_progression --message="Ensuring downward compatibility..." --weight=1
# Update forgejo login source # Update forgejo login source (1.19.3-0~ynh2)
pushd "$install_dir" pushd "$install_dir"
old_login_source_id=$(ynh_exec_as $app ./forgejo admin auth list | grep "YunoHost LDAP" | grep "via BindDN" | cut -f 1) old_login_source_id=$(ynh_exec_as $app ./forgejo admin auth list | grep "YunoHost LDAP" | grep "via BindDN" | cut -f 1)
if [ ! -z $old_login_source_id ]; then if [ ! -z $old_login_source_id ]; then
@ -40,6 +40,16 @@ pushd "$install_dir"
fi fi
popd popd
# Update login source synchronization flag (1.19.3-0~ynh3)
enable_login_source_sync
if [ -z ${forgejo_api_user:-} ]; then
create_forgejo_api_user
fi
# Update users login source (1.19.3-0~ynh3)
set_users_login_source
# forgejo home directory has changed (yunohost packaging v2) # forgejo home directory has changed (yunohost packaging v2)
# .ssh directory should move from old home dir (data_dir) to new one # .ssh directory should move from old home dir (data_dir) to new one
# (/var/www/$app is the default value for home in resources.system_user) # (/var/www/$app is the default value for home in resources.system_user)
@ -48,19 +58,19 @@ if [ -d "$data_dir/.ssh" ]; then
fi fi
# If secret_key doesn't exist, create it # If secret_key doesn't exist, create it
if [ -z "$secret_key" ]; then if [ -z ${secret_key:-} ]; then
secret_key=$($install_dir/forgejo generate secret SECRET_KEY) secret_key=$($install_dir/forgejo generate secret SECRET_KEY)
ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key ynh_app_setting_set --app=$app --key=secret_key --value=$secret_key
fi fi
# If lfs_jwt_secret doesn't exist, create it # If lfs_jwt_secret doesn't exist, create it
if [ -z "$lfs_jwt_secret" ]; then if [ -z ${lfs_jwt_secret:-} ]; then
lfs_jwt_secret=$($install_dir/forgejo generate secret JWT_SECRET) lfs_jwt_secret=$($install_dir/forgejo generate secret JWT_SECRET)
ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret ynh_app_setting_set --app=$app --key=lfs_jwt_secret --value=$lfs_jwt_secret
fi fi
# If internal_token doesn't exist, create it # If internal_token doesn't exist, create it
if [ -z "$internal_token" ]; then if [ -z ${internal_token:-} ]; then
internal_token=$($install_dir/forgejo generate secret INTERNAL_TOKEN) internal_token=$($install_dir/forgejo generate secret INTERNAL_TOKEN)
ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token ynh_app_setting_set --app=$app --key=internal_token --value=$internal_token
fi fi
@ -130,6 +140,12 @@ ynh_script_progression --message="Starting a systemd service..." --weight=3
# Start a systemd service # Start a systemd service
ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/forgejo.log" --line_match="Starting new Web server: tcp:127.0.0.1:" ynh_systemd_action --service_name=$app --action="start" --log_path="/var/log/$app/forgejo.log" --line_match="Starting new Web server: tcp:127.0.0.1:"
#=================================================
# Synchronize users (backward compatibility 1.19.3-0~ynh3)
#=================================================
synchronize_users
#================================================= #=================================================
# SETUP FAIL2BAN # SETUP FAIL2BAN
#================================================= #=================================================