Update to 1.1.4

Preserve SECRET_KEY across restarts

Closes #2

See merge request !5

CHANGELOG

@@ -6,3 +6,20 @@
 
 [0.1.2]
 * Updated description
+
+[0.1.3]
+* Updated to version 1.1.2
+
+[1.0.0]
+* Update to version 1.1.3
+
+[1.0.1]
+* Update Git to v2.7.4-0ubuntu1.2
+* Fixes critical security issue that allows remote command execution in git
+* https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000117.html
+
+[1.0.2]
+* Preserve SECRET_KEY across updates and restarts
+
+[1.0.3]
+* Update to version 1.1.4

CloudronManifest.json

@@ -4,7 +4,7 @@
   "author": "Gitea developers",
   "description": "file://DESCRIPTION.md",
   "tagline": "A painless self-hosted Git Service",
-  "version": "0.1.2",
+  "version": "1.0.3",
   "healthCheckPath": "/healthcheck",
   "httpPort": 3000,
   "addons": {

DESCRIPTION.md

@@ -1,6 +1,6 @@
 Gitea is a painless self-hosted Git service. It is similar to GitHub, Bitbucket or Gitlab. The initial development have been done on Gogs but we have forked it and named it Gitea. If you want to read more about the reasons why we have done that please read [this](https://blog.gitea.io/2016/12/welcome-to-gitea/) blog post.
 
-This app packages Gitea <upstream>1.1.1</upstream>
+This app packages Gitea <upstream>1.1.4</upstream>
 
 ### Purpose
 

Dockerfile

@@ -1,9 +1,9 @@
 FROM cloudron/base:0.10.0
 
-ENV VERSION 1.1.1
+ENV VERSION 1.1.4
 
 RUN apt-get update && \
-    apt-get install -y openssh-server && \
+    apt-get install -y openssh-server git && \
     rm -rf /etc/ssh_host_* && \
     rm -r /var/cache/apt /var/lib/apt/lists
 

POSTINSTALL.md

@@ -6,7 +6,7 @@ If you want to disable Cloudron SSO, do the following:
 * Admin Panel -> Authentication -> 'cloudron' -> Uncheck 'This authentication is activated'
 * Admin Panel -> Users -> Change Authentication Source to 'Local' and also give a password
 
-You can create a `/app/data/app.ini` with any custom configuration. See the 
+You can edit `/app/data/app.ini` and add any custom configuration. See the 
 [configuration cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet)
 for more information.
 

app.ini.template

@@ -2,7 +2,9 @@ APP_NAME = Gitea
 RUN_USER = git
 RUN_MODE = prod
 
+
 [database]
+; those settings are protected and can't be modified
 DB_TYPE = mysql
 HOST = ##MYSQL_HOST:##MYSQL_PORT
 NAME = ##MYSQL_DATABASE
@@ -11,7 +13,9 @@ PASSWD = ##MYSQL_PASSWORD
 SSL_MODE = disable
 PATH =
 
+
 [server]
+; those settings are protected and can't be modified
 PROTOCOL = http
 DOMAIN = ##DOMAIN
 ROOT_URL = https://%(DOMAIN)s/
@@ -20,55 +24,74 @@ HTTP_PORT = 3000
 DISABLE_SSH = ##DISABLE_SSH
 SSH_PORT = ##SSH_PORT
 APP_DATA_PATH = /app/data/appdata
+
 ; Landing page for non-logged users, can be "home" or "explore"
 LANDING_PAGE = explore
 
+
 [repository]
+; this setting is protected and can't be modified
 ROOT = /app/data/repository
+
 SCRIPT_TYPE = bash
 
+
 [repository.upload]
 ENABLED = true
+
+; this setting is protected and can't be modified
 TEMP_PATH = /run/gitea/tmp/uploads
 
+
 [release.attachment]
 ENABLED = true
 ; APP_DATA_PATH/attachments
 PATH =
 
+
 [mailer]
 ENABLED = true
+
+; those settings are protected and can't be modified
 HOST = ##MAIL_SERVER:##MAIL_PORT
 USER = ##MAIL_SMTP_USERNAME
 PASSWD = ##MAIL_SMTP_PASSWORD
 FROM = ##MAIL_FROM
 SKIP_VERIFY = true
 
+
 [security]
+; those settings are protected and can't be modified
 INSTALL_LOCK = true
 SECRET_KEY = ##SECRET_KEY
 
+
 [service]
 DISABLE_REGISTRATION = false
 SHOW_REGISTRATION_BUTTON = false
 ENABLE_NOTIFY_MAIL = true
 
+
 [log]
-; Either "console", "file", "conn", "smtp" or "database", default is "console"
+; those settings are protected and can't be modified
 MODE = console
 ; used for xorm.log
 ROOT_PATH = /run/gitea
 
+
 [picture]
 ; APP_DATA_PATH/avatars
 AVATAR_UPLOAD_PATH =
 GRAVATAR_SOURCE = gravatar
 DISABLE_GRAVATAR = false
 
+
 [attachment]
 ENABLE = true
 ; APP_DATA_PATH/attachments
 PATH =
 
+
 [indexer]
+; this setting is protected and can't be modified
 ISSUE_INDEXER_PATH = /app/data/appdata/indexers/issues.bleve

start.sh

@@ -55,24 +55,48 @@ sed -e "s/^Port .*/Port ${SSH_PORT}/" \
     -e "s,^HostKey /etc/ssh/,HostKey /app/data/sshd/," \
     /etc/ssh/sshd_config > /run/gitea/sshd_config
 
-sed -e "s/##DOMAIN/${APP_DOMAIN}/g" \
-    -e "s/##SSH_PORT/${SSH_PORT}/g" \
-    -e "s/##DISABLE_SSH/${disable_ssh}/g" \
-    -e "s/##MYSQL_HOST/${MYSQL_HOST}/g" \
-    -e "s/##MYSQL_PORT/${MYSQL_PORT}/g" \
-    -e "s/##MYSQL_USERNAME/${MYSQL_USERNAME}/g" \
-    -e "s/##MYSQL_PASSWORD/${MYSQL_PASSWORD}/g" \
-    -e "s/##MYSQL_DATABASE/${MYSQL_DATABASE}/g" \
-    -e "s/##MAIL_SERVER/${MAIL_SMTP_SERVER}/g" \
-    -e "s/##MAIL_PORT/${MAIL_SMTP_PORT}/g" \
-    -e "s/##MAIL_FROM/${MAIL_FROM}/g" \
-    -e "s/##MAIL_SMTP_USERNAME/${MAIL_SMTP_USERNAME}/g" \
-    -e "s/##MAIL_SMTP_PASSWORD/${MAIL_SMTP_PASSWORD}/g" \
-    -e "s/##SECRET_KEY/$(pwgen -1 -s)/g" \
-    /home/git/app.ini.template > "/run/gitea/app.ini"
+cp /home/git/app.ini.template "/run/gitea/app.ini"
+
+# create default user config file
+if ! [ -f /app/data/app.ini ]; then
+    cp /home/git/app.ini.template /app/data/app.ini
+fi
+
+if [ "$(crudini --get /app/data/app.ini security SECRET_KEY)" == "##SECRET_KEY" ]; then
+    echo "Generating new SECRET_KEY"
+    crudini --set "/app/data/app.ini" security SECRET_KEY $(pwgen -1 -s)
+fi
+
+# merge user config file
+crudini --merge "/run/gitea/app.ini" < "/app/data/app.ini"
+
+# override important values
+crudini --set "/run/gitea/app.ini" database DB_TYPE mysql
+crudini --set "/run/gitea/app.ini" database HOST "${MYSQL_HOST}:${MYSQL_PORT}"
+crudini --set "/run/gitea/app.ini" database NAME "${MYSQL_DATABASE}"
+crudini --set "/run/gitea/app.ini" database USER "${MYSQL_USERNAME}"
+crudini --set "/run/gitea/app.ini" database PASSWD "${MYSQL_PASSWORD}"
+crudini --set "/run/gitea/app.ini" database SSL_MODE "disable"
+crudini --set "/run/gitea/app.ini" server PROTOCOL "http"
+crudini --set "/run/gitea/app.ini" server DOMAIN "${APP_DOMAIN}"
+crudini --set "/run/gitea/app.ini" server ROOT_URL "https://%(DOMAIN)s/"
+crudini --set "/run/gitea/app.ini" server HTTP_ADDR ""
+crudini --set "/run/gitea/app.ini" server HTTP_PORT "3000"
+crudini --set "/run/gitea/app.ini" server DISABLE_SSH "${disable_ssh}"
+crudini --set "/run/gitea/app.ini" server SSH_PORT "${SSH_PORT}"
+crudini --set "/run/gitea/app.ini" server APP_DATA_PATH "/app/data/appdata"
+crudini --set "/run/gitea/app.ini" repository ROOT "/app/data/repository"
+crudini --set "/run/gitea/app.ini" repository.upload TEMP_PATH "/run/gitea/tmp/uploads"
+crudini --set "/run/gitea/app.ini" mailer HOST "${MAIL_SMTP_SERVER}:${MAIL_SMTP_PORT}"
+crudini --set "/run/gitea/app.ini" mailer USER "${MAIL_SMTP_USERNAME}"
+crudini --set "/run/gitea/app.ini" mailer PASSWD "${MAIL_SMTP_PASSWORD}"
+crudini --set "/run/gitea/app.ini" mailer FROM "${MAIL_FROM}"
+crudini --set "/run/gitea/app.ini" mailer SKIP_VERIFY "true"
+crudini --set "/run/gitea/app.ini" security INSTALL_LOCK "true"
+crudini --set "/run/gitea/app.ini" log MODE "console"
+crudini --set "/run/gitea/app.ini" log ROOT_PATH "/run/gitea"
+crudini --set "/run/gitea/app.ini" indexer ISSUE_INDEXER_PATH "/app/data/appdata/indexers/issues.bleve"
 
-# merge any user config file
-[[ -f /app/data/app.ini ]] && cat "/app/data/app.ini" >> "/run/gitea/app.ini"
 
 mkdir -p /app/data/repository /app/data/ssh
 

test/test.js

@@ -63,6 +63,14 @@ describe('Application life cycle test', function () {
         }, TIMEOUT).then(function () { done(); });
     }
 
+    function getAppInfo() {
+        var inspect = JSON.parse(execSync('cloudron inspect'));
+
+        app = inspect.apps.filter(function (a) { return a.location === LOCATION; })[0];
+
+        expect(app).to.be.an('object');
+    }
+
     function setAvatar(done) {
         browser.get('https://' + app.fqdn + '/user/settings/avatar').then(function () {
             return browser.findElement(by.xpath('//input[@type="file" and @name="avatar"]')).sendKeys(path.resolve(__dirname, '../logo.png'));
@@ -160,7 +168,7 @@ describe('Application life cycle test', function () {
         });
     }
 
-    function checkGitClone(done) {
+    function cloneRepo(done) {
         rimraf.sync(repodir);
         var env = Object.create(process.env);
         env.GIT_SSH = __dirname + '/git_ssh_wrapper.sh';
@@ -168,6 +176,19 @@ describe('Application life cycle test', function () {
         done();
     }
 
+    function pushFile(done) {
+        var env = Object.create(process.env);
+        env.GIT_SSH = __dirname + '/git_ssh_wrapper.sh';
+        execSync('touch newfile && git add newfile && git commit -a -mx && git push ssh://git@' + app.fqdn + ':29418/' + username + '/' + reponame + ' master',
+                 { env: env, cwd: repodir });
+        rimraf.sync('/tmp/testrepo');
+        done();
+    }
+
+    function fileExists() {
+        expect(fs.existsSync(repodir + '/newfile')).to.be(true);
+    }
+
     xit('build app', function () {
         execSync('cloudron build', { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
     });
@@ -199,14 +220,7 @@ describe('Application life cycle test', function () {
         execSync('cloudron install --new --wait --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
     });
 
-    it('can get app information', function () {
-        var inspect = JSON.parse(execSync('cloudron inspect'));
-
-        app = inspect.apps.filter(function (a) { return a.location === LOCATION; })[0];
-
-        expect(app).to.be.an('object');
-    });
-
+    it('can get app information', getAppInfo);
     it('can get the main page', function (done) {
         superagent.get('https://' + app.fqdn).end(function (error, result) {
             expect(error).to.be(null);
@@ -226,17 +240,9 @@ describe('Application life cycle test', function () {
 
     it('displays correct clone url', checkCloneUrl);
 
-    it('can clone the url', checkGitClone);
-
-    it('can add and push a file', function (done) {
-        var env = Object.create(process.env);
-        env.GIT_SSH = __dirname + '/git_ssh_wrapper.sh';
-        execSync('touch newfile && git add newfile && git commit -a -mx && git push ssh://git@' + app.fqdn + ':29418/' + username + '/' + reponame + ' master',
-                 { env: env, cwd: repodir });
-        rimraf.sync('/tmp/testrepo');
-        done();
-    });
+    it('can clone the url', cloneRepo);
 
+    it('can add and push a file', pushFile);
     it('can edit file', editFile);
 
     it('can restart app', function (done) {
@@ -245,8 +251,8 @@ describe('Application life cycle test', function () {
     });
 
     it('can clone the url', checkCloneUrl);
-    it('can clone the url', checkGitClone);
-    it('file exists in repo', function () { expect(fs.existsSync(repodir + '/newfile')).to.be(true); });
+    it('can clone the url', cloneRepo);
+    it('file exists in repo', fileExists);
 
     it('backup app', function () {
         execSync('cloudron backup create --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
@@ -257,12 +263,12 @@ describe('Application life cycle test', function () {
     });
 
     it('can get avatar', checkAvatar);
-    it('can clone the url', checkGitClone);
+    it('can clone the url', cloneRepo);
     it('file exists in repo', function () { expect(fs.existsSync(repodir + '/newfile')).to.be(true); });
 
     it('move to different location', function () {
         browser.manage().deleteAllCookies();
-        execSync('cloudron configure --location ' + LOCATION + '2', { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+        execSync('cloudron configure --wait --location ' + LOCATION + '2', { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
         var inspect = JSON.parse(execSync('cloudron inspect'));
         app = inspect.apps.filter(function (a) { return a.location === LOCATION + '2'; })[0];
         expect(app).to.be.an('object');
@@ -271,7 +277,7 @@ describe('Application life cycle test', function () {
     it('can login', login);
     it('can get avatar', checkAvatar);
     it('displays correct clone url', checkCloneUrl);
-    it('can clone the url', checkGitClone);
+    it('can clone the url', cloneRepo);
     it('file exists in repo', function () { expect(fs.existsSync(repodir + '/newfile')).to.be(true); });
 
     it('uninstall app', function () {
@@ -292,4 +298,30 @@ describe('Application life cycle test', function () {
             done();
         });
     });
+
+    // test update
+    it('can install app', function () {
+        execSync('cloudron install --new --wait --appstore-id ' + app.manifest.id + ' --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+    });
+
+    it('can get app information', getAppInfo);
+    it('can login', login);
+    it('can set avatar', setAvatar);
+    it('can get avatar', checkAvatar);
+    it('can add public key', addPublicKey);
+    it('can create repo', createRepo);
+    it('can clone the url', cloneRepo);
+    it('can add and push a file', pushFile);
+
+    it('can update', function () {
+        execSync('cloudron install --wait --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+    });
+
+    it('can get avatar', checkAvatar);
+    it('can clone the url', cloneRepo);
+    it('file exists in cloned repo', fileExists);
+
+    it('uninstall app', function () {
+        execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+    });
 });