implement ynh_add_secure_repos__3

2019-04-03 02:43:43 +02:00 · 2019-04-03 02:43:43 +02:00 · 21637addcd
parent c5a33c93fc
commit 21637addcd
6 changed files with 332 additions and 35 deletions
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -5,7 +5,7 @@
 #=================================================

 # dependencies used by the app
-pkg_dependencies="postgresql postgresql-contrib openssl g++ ffmpeg redis-server redis-tools mailutils yarn apt-transport-https"
+pkg_dependencies="postgresql postgresql-contrib openssl g++ redis-server redis-tools mailutils apt-transport-https"

 #=================================================
 # PERSONAL HELPERS
--- a/scripts/install
+++ b/scripts/install
@ -8,6 +8,7 @@

 source _common.sh
 source /usr/share/yunohost/helpers
+source ynh_add_secure_repos__3

 #=================================================
 # MANAGE SCRIPT FAILURE
@ -67,21 +68,21 @@ ynh_app_setting_set "$app" port "$port"
 #=================================================
 ynh_print_info "Installing dependencies..."

-# install nodejs
+# Install nodejs
 ynh_install_nodejs 8

-# Add backports for Debian Jessie (required to install ffmpeg)
+# Install dependencies
+ynh_install_app_dependencies $pkg_dependencies
+
+# Install ffmpeg from backports for Debian Jessie and from main for others
 if [ "$(lsb_release --codename --short)" == "jessie" ]; then
-	echo "deb http://httpredir.debian.org/debian jessie-backports main" | tee /etc/apt/sources.list.d/jessie-backports.list
+	ynh_install_extra_app_dependencies --repo="deb http://httpredir.debian.org/debian jessie-backports main" --package="ffmpeg"
+else
+	ynh_add_app_dependencies --package="ffmpeg"
 fi

-# Add yarn repo for Debian
-curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
-echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
-ynh_package_update
-
-# install dependencies
-ynh_install_app_dependencies $pkg_dependencies
+# Install Yarn
+ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ stable main" --package="yarn" --key="https://dl.yarnpkg.com/debian/pubkey.gpg"

 #=================================================
 # CREATE A POSTGRESQL DATABASE
--- a/scripts/remove
+++ b/scripts/remove
@ -59,10 +59,6 @@ ynh_print_info "Removing dependencies"
 ynh_remove_app_dependencies
 ynh_remove_nodejs

-# Delete backport and yarn from source.list 
-ynh_secure_remove /etc/apt/sources.list.d/jessie-backports.list
-ynh_secure_remove /etc/apt/sources.list.d/yarn.list
-
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -13,6 +13,7 @@ fi

 source _common.sh
 source /usr/share/yunohost/helpers
+source ynh_add_secure_repos__3

 #=================================================
 # MANAGE SCRIPT FAILURE
@ -85,21 +86,21 @@ chown -R "$app":"$app" "/home/yunohost.app/${app}/storage"
 #=================================================
 ynh_print_info "Reinstalling dependencies..."

-# install nodejs
+# Install nodejs
 ynh_install_nodejs 8

-# add backports for Debian Jessie (required to install ffmpeg)
+# Install dependencies
+ynh_install_app_dependencies $pkg_dependencies
+
+# Install ffmpeg from backports for Debian Jessie and from main for others
 if [ "$(lsb_release --codename --short)" == "jessie" ]; then
-	echo "deb http://httpredir.debian.org/debian jessie-backports main" | tee /etc/apt/sources.list.d/jessie-backports.list
+	ynh_install_extra_app_dependencies --repo="deb http://httpredir.debian.org/debian jessie-backports main" --package="ffmpeg"
+else
+	ynh_add_app_dependencies --package="ffmpeg"
 fi

-# add yarn repo for Debian
-curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
-echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
-ynh_package_update
-
-# install postgresql, ffmpeg, redis
-ynh_install_app_dependencies $pkg_dependencies
+# Install Yarn
+ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ stable main" --package="yarn" --key="https://dl.yarnpkg.com/debian/pubkey.gpg"

 #=================================================
 # RESTORE THE POSTGRESQL DATABASE
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -8,6 +8,7 @@

 source _common.sh
 source /usr/share/yunohost/helpers
+source ynh_add_secure_repos__3

 #=================================================
 # LOAD SETTINGS
@ -39,6 +40,10 @@ elif [ "$is_public" = "No" ]; then
 	is_public=0
 fi

+# Remove repository
+ynh_secure_remove /etc/apt/sources.list.d/jessie-backports.list
+ynh_secure_remove /etc/apt/sources.list.d/yarn.list
+
 #=================================================
 # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP
 #=================================================
@ -140,21 +145,21 @@ systemctl reload nginx
 #=================================================
 ynh_print_info "Upgrading dependencies..."

-# install nodejs
+# Install nodejs
 ynh_install_nodejs 8

-# add backports for Debian Jessie (required to install ffmpeg)
+# Install dependencies
+ynh_install_app_dependencies $pkg_dependencies
+
+# Install ffmpeg from backports for Debian Jessie and from main for others
 if [ "$(lsb_release --codename --short)" == "jessie" ]; then
-	echo "deb http://httpredir.debian.org/debian jessie-backports main" | tee /etc/apt/sources.list.d/jessie-backports.list
+	ynh_install_extra_app_dependencies --repo="deb http://httpredir.debian.org/debian jessie-backports main" --package="ffmpeg"
+else
+	ynh_add_app_dependencies --package="ffmpeg"
 fi

-# add yarn repo for Debian
-curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
-echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
-ynh_package_update
-
-# install postgresql, ffmpeg, redis
-ynh_install_app_dependencies $pkg_dependencies
+# Install Yarn
+ynh_install_extra_app_dependencies --repo="deb https://dl.yarnpkg.com/debian/ stable main" --package="yarn" --key="https://dl.yarnpkg.com/debian/pubkey.gpg"

 #=================================================
 # CREATE DEDICATED USER
--- a/scripts/ynh_add_secure_repos__3
+++ b/scripts/ynh_add_secure_repos__3
@ -0,0 +1,294 @@
+#!/bin/bash
+
+# Pin a repository.
+#
+# usage: ynh_pin_repo --package=packages --pin=pin_filter [--priority=priority_value] [--name=name] [--append]
+# | arg: -p, --package - Packages concerned by the pin. Or all, *.
+# | arg: -i, --pin - Filter for the pin.
+# | arg: -p, --priority - Priority for the pin
+# | arg: -n, --name - Name for the files for this repo, $app as default value.
+# | arg: -a, --append - Do not overwrite existing files.
+#
+# See https://manpages.debian.org/stretch/apt/apt_preferences.5.en.html for information about pinning.
+#
+ynh_pin_repo () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=pirna
+	declare -Ar args_array=( [p]=package= [i]=pin= [r]=priority= [n]=name= [a]=append )
+	local package
+	local pin
+	local priority
+	local name
+	local append
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+	package="${package:-*}"
+	priority=${priority:-50}
+	name="${name:-$app}"
+	append=${append:-0}
+
+	if [ $append -eq 1 ]
+	then
+		append="tee -a"
+	else
+		append="tee"
+	fi
+
+	mkdir -p "/etc/apt/preferences.d"
+	echo "Package: $package
+Pin: $pin
+Pin-Priority: $priority" \
+	| $append "/etc/apt/preferences.d/$name"
+}
+
+# Add a repository.
+#
+# usage: ynh_add_repo --uri=uri --suite=suite --component=component [--name=name] [--append]
+# | arg: -u, --uri - Uri of the repository.
+# | arg: -s, --suite - Suite of the repository.
+# | arg: -c, --component - Component of the repository.
+# | arg: -n, --name - Name for the files for this repo, $app as default value.
+# | arg: -a, --append - Do not overwrite existing files.
+#
+# Example for a repo like deb http://forge.yunohost.org/debian/ stretch stable
+#                             uri                               suite   component
+# ynh_add_repo --uri=http://forge.yunohost.org/debian/ --suite=stretch --component=stable
+#
+ynh_add_repo () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=uscna
+	declare -Ar args_array=( [u]=uri= [s]=suite= [c]=component= [n]=name= [a]=append )
+	local uri
+	local suite
+	local component
+	local name
+	local append
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+	name="${name:-$app}"
+	append=${append:-0}
+
+	if [ $append -eq 1 ]
+	then
+		append="tee -a"
+	else
+		append="tee"
+	fi
+
+	mkdir -p "/etc/apt/sources.list.d"
+	# Add the new repo in sources.list.d
+	echo "deb $uri $suite $component" \
+		| $append "/etc/apt/sources.list.d/$name.list"
+}
+
+# Add an extra repository correctly, pin it and get the key.
+#
+# usage: ynh_install_extra_repo --repo="repo" [--key=key_url] [--priority=priority_value] [--name=name] [--append]
+# | arg: -r, --repo - Complete url of the extra repository.
+# | arg: -k, --key - url to get the public key.
+# | arg: -p, --priority - Priority for the pin
+# | arg: -n, --name - Name for the files for this repo, $app as default value.
+# | arg: -a, --append - Do not overwrite existing files.
+ynh_install_extra_repo () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=rkpna
+	declare -Ar args_array=( [r]=repo= [k]=key= [p]=priority= [n]=name= [a]=append )
+	local repo
+	local key
+	local priority
+	local name
+	local append
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+	name="${name:-$app}"
+	append=${append:-0}
+	key=${key:-0}
+	priority=${priority:-}
+
+	if [ $append -eq 1 ]
+	then
+		append="--append"
+		wget_append="tee -a"
+	else
+		append=""
+		wget_append="tee"
+	fi
+
+	# Split the repository into uri, suite and components.
+	# Remove "deb " at the beginning of the repo.
+	repo="${repo#deb }"
+
+	# Get the uri
+	local uri="$(echo "$repo" | awk '{ print $1 }')"
+
+	# Get the suite
+	local suite="$(echo "$repo" | awk '{ print $2 }')"
+
+	# Get the components
+	local component="${repo##$uri $suite }"
+
+	# Add the repository into sources.list.d
+	ynh_add_repo --uri="$uri" --suite="$suite" --component="$component" --name="$name" $append
+
+	# Pin the new repo with the default priority, so it won't be used for upgrades.
+	# Build $pin from the uri without http and any sub path
+	local pin="${uri#*://}"
+	pin="${pin%%/*}"
+	# Set a priority only if asked
+	if [ -n "$priority" ]
+	then
+		priority="--priority=$priority"
+	fi
+	ynh_pin_repo --package="*" --pin="origin \"$pin\"" $priority --name="$name" $append
+
+	# Get the public key for the repo
+	if [ -n "$key" ]
+	then
+		mkdir -p "/etc/apt/trusted.gpg.d"
+		wget -q "$key" -O - | gpg --dearmor | $wget_append /etc/apt/trusted.gpg.d/$name.gpg > /dev/null
+	fi
+
+	# Update the list of package with the new repo
+	ynh_package_update
+}
+
+# Remove an extra repository and the assiociated configuration.
+#
+# usage: ynh_remove_extra_repo [--name=name]
+# | arg: -n, --name - Name for the files for this repo, $app as default value.
+ynh_remove_extra_repo () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=n
+	declare -Ar args_array=( [n]=name= )
+	local name
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+	name="${name:-$app}"
+
+	ynh_secure_remove "/etc/apt/sources.list.d/$name.list"
+	ynh_secure_remove "/etc/apt/preferences.d/$name"
+	ynh_secure_remove "/etc/apt/trusted.gpg.d/$name.gpg"
+	ynh_secure_remove "/etc/apt/trusted.gpg.d/$name.asc"
+
+	# Update the list of package to exclude the old repo
+	ynh_package_update
+}
+
+# Install packages from an extra repository properly.
+#
+# usage: ynh_install_extra_app_dependencies --repo="repo" --package="dep1 dep2" [--key=key_url] [--name=name]
+# | arg: -r, --repo - Complete url of the extra repository.
+# | arg: -p, --package - The packages to install from this extra repository
+# | arg: -k, --key - url to get the public key.
+# | arg: -n, --name - Name for the files for this repo, $app as default value.
+ynh_install_extra_app_dependencies () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=rpkn
+	declare -Ar args_array=( [r]=repo= [p]=package= [k]=key= [n]=name= )
+	local repo
+	local package
+	local key
+	local name
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+	name="${name:-$app}"
+	key=${key:-0}
+
+	# Set a key only if asked
+	if [ -n "$key" ]
+	then
+		key="--key=$key"
+	fi
+	# Add an extra repository for those packages
+	ynh_install_extra_repo --repo="$repo" $key --priority=995 --name=$name
+
+	# Install requested dependencies from this extra repository.
+	ynh_add_app_dependencies --package="$package"
+
+	# Remove this extra repository after packages are installed
+	ynh_remove_extra_repo --name=$app
+}
+
+#=================================================
+
+# patched version of ynh_install_app_dependencies to be used with ynh_add_app_dependencies
+
+# Define and install dependencies with a equivs control file
+# This helper can/should only be called once per app
+#
+# usage: ynh_install_app_dependencies dep [dep [...]]
+# | arg: dep - the package name to install in dependence
+#   You can give a choice between some package with this syntax : "dep1|dep2"
+#   Example : ynh_install_app_dependencies dep1 dep2 "dep3|dep4|dep5"
+#   This mean in the dependence tree : dep1 & dep2 & (dep3 | dep4 | dep5)
+#
+# Requires YunoHost version 2.6.4 or higher.
+ynh_install_app_dependencies () {
+    local dependencies=$@
+    dependencies="$(echo "$dependencies" | sed 's/\([^\<=\>]\)\ \([^(]\)/\1, \2/g')"
+    dependencies=${dependencies//|/ | }
+    local manifest_path="../manifest.json"
+    if [ ! -e "$manifest_path" ]; then
+    	manifest_path="../settings/manifest.json"	# Into the restore script, the manifest is not at the same place
+    fi
+
+    local version=$(grep '\"version\": ' "$manifest_path" | cut -d '"' -f 4)	# Retrieve the version number in the manifest file.
+    if [ ${#version} -eq 0 ]; then
+        version="1.0"
+    fi
+    local dep_app=${app//_/-}	# Replace all '_' by '-'
+
+    # Handle specific versions
+    if [[ "$dependencies" =~ [\<=\>] ]]
+    then
+        # Replace version specifications by relationships syntax
+        # https://www.debian.org/doc/debian-policy/ch-relationships.html
+        # Sed clarification
+        # [^(\<=\>] ignore if it begins by ( or < = >. To not apply twice.
+        # [\<=\>] matches < = or >
+        # \+ matches one or more occurence of the previous characters, for >= or >>.
+        # [^,]\+ matches all characters except ','
+        # Ex: package>=1.0 will be replaced by package (>= 1.0)
+        dependencies="$(echo "$dependencies" | sed 's/\([^(\<=\>]\)\([\<=\>]\+\)\([^,]\+\)/\1 (\2 \3)/g')"
+    fi
+
+    cat > /tmp/${dep_app}-ynh-deps.control << EOF	# Make a control file for equivs-build
+Section: misc
+Priority: optional
+Package: ${dep_app}-ynh-deps
+Version: ${version}
+Depends: ${dependencies}
+Architecture: all
+Description: Fake package for $app (YunoHost app) dependencies
+ This meta-package is only responsible of installing its dependencies.
+EOF
+    ynh_package_install_from_equivs /tmp/${dep_app}-ynh-deps.control \
+        || ynh_die --message="Unable to install dependencies"	# Install the fake package and its dependencies
+    rm /tmp/${dep_app}-ynh-deps.control
+    ynh_app_setting_set --app=$app --key=apt_dependencies --value="$dependencies"
+}
+
+ynh_add_app_dependencies () {
+	# Declare an array to define the options of this helper.
+	local legacy_args=pr
+	declare -Ar args_array=( [p]=package= [r]=replace)
+	local package
+	local replace
+	# Manage arguments with getopts
+	ynh_handle_getopts_args "$@"
+	replace=${replace:-0}
+
+	local current_dependencies=""
+	if [ $replace -eq 0 ]
+	then
+		local dep_app=${app//_/-}	# Replace all '_' by '-'
+		if ynh_package_is_installed --package="${dep_app}-ynh-deps"
+		then
+			current_dependencies="$(dpkg-query --show --showformat='${Depends}' ${dep_app}-ynh-deps) "
+		fi
+
+		current_dependencies=${current_dependencies// | /|}
+	fi
+
+	ynh_install_app_dependencies "${current_dependencies}${package}"
+}