From 9a24b4a0dccc299e17279e115a3e460092cab0d3 Mon Sep 17 00:00:00 2001
From: Christian Grothoff
Date: Sun, 3 Jan 2021 23:29:27 +0100
Subject: fix auditor postinst
---
debian/auditor-conf/apache.conf | 4 ++
debian/auditor-conf/nginx.conf | 7 +++
debian/changelog | 6 +++
debian/conf/apache.conf | 4 --
debian/conf/nginx.conf | 7 ---
debian/control | 16 ++++++-
debian/etc/taler-auditor.conf | 14 ++++++
debian/exchange-conf/apache.conf | 4 ++
debian/exchange-conf/nginx.conf | 7 +++
debian/rules | 1 +
debian/taler-auditor.install | 8 ++++
debian/taler-auditor.postinst | 95 ++++++++++++++++++++++++++++++++++++++++
debian/taler-auditor.postrm | 58 ++++++++++++++++++++++++
debian/taler-auditor.templates | 16 +++++++
debian/taler-exchange.install | 2 +-
debian/taler-exchange.postinst | 20 ---------
16 files changed, 236 insertions(+), 33 deletions(-)
create mode 100644 debian/auditor-conf/apache.conf
create mode 100644 debian/auditor-conf/nginx.conf
delete mode 100644 debian/conf/apache.conf
delete mode 100644 debian/conf/nginx.conf
create mode 100644 debian/etc/taler-auditor.conf
create mode 100644 debian/exchange-conf/apache.conf
create mode 100644 debian/exchange-conf/nginx.conf
create mode 100644 debian/taler-auditor.install
create mode 100644 debian/taler-auditor.postinst
create mode 100644 debian/taler-auditor.postrm
create mode 100644 debian/taler-auditor.templates
diff --git a/debian/auditor-conf/apache.conf b/debian/auditor-conf/apache.conf
new file mode 100644
index 000000000..f68c59558
--- /dev/null
+++ b/debian/auditor-conf/apache.conf
@@ -0,0 +1,4 @@
+
+ProxyPass "unix:/var/lib/taler-auditor/auditor.sock|http://example.com/"
+RequestHeader add "X-Forwarded-Proto" "https"
+
diff --git a/debian/auditor-conf/nginx.conf b/debian/auditor-conf/nginx.conf
new file mode 100644
index 000000000..3fdffdad3
--- /dev/null
+++ b/debian/auditor-conf/nginx.conf
@@ -0,0 +1,7 @@
+location /taler-auditor/ {
+ proxy_pass http://unix:/var/lib/taler-auditor/auditor.sock;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "example.com";
+ proxy_set_header X-Forwarded-Proto "https";
+}
\ No newline at end of file
diff --git a/debian/changelog b/debian/changelog
index e20cf9d8a..646ef54ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@ +taler-exchange (0.9.0-3) unstable; urgency=medium + + * Fix taler-exchange.postrm crash (prevented uninstall). + * Split out taler-auditor package. + * Setup user and systemd service for taler-auditor-httpd. + taler-exchange (0.9.0-2) unstable; urgency=medium * Modify setup to not touch database (too complex anyway).
diff --git a/debian/conf/apache.conf b/debian/conf/apache.conf
deleted file mode 100644
index 3cfbf9edb..000000000
--- a/debian/conf/apache.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-
-ProxyPass "unix:/var/lib/taler-exchange/exchange.sock|http://example.com/"
-RequestHeader add "X-Forwarded-Proto" "https"
-
diff --git a/debian/conf/nginx.conf b/debian/conf/nginx.conf
deleted file mode 100644
index 2921c9998..000000000
--- a/debian/conf/nginx.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-location /taler-exchange/ {
- proxy_pass http://unix:/var/lib/taler-exchange/exchange.sock;
- proxy_redirect off;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-Host "example.com";
- proxy_set_header X-Forwarded-Proto "https";
-}
\ No newline at end of file
diff --git a/debian/control b/debian/control
index 909c4dbaa..a1f2c428b 100644
--- a/debian/control
+++ b/debian/control
@@ -55,11 +55,25 @@ Depends: lsb-base, netbase, dbconfig-pgsql | dbconfig-no-thanks, - python3-jinja2, ${misc:Depends}, ${shlibs:Depends} Description: GNU's payment system operator. +Package: taler-auditor +Architecture: any +Pre-Depends: + ${misc:Pre-Depends} +Depends: + libtalerexchange (= ${binary:Version}), + adduser, + lsb-base, + netbase, + dbconfig-pgsql | dbconfig-no-thanks, + python3-jinja2, + ${misc:Depends}, + ${shlibs:Depends} +Description: GNU's payment system auditor. + Package: libtalerexchange-dev Section: libdevel Architecture: any
diff --git a/debian/etc/taler-auditor.conf b/debian/etc/taler-auditor.conf
new file mode 100644
index 000000000..50971b2ef
--- /dev/null
+++ b/debian/etc/taler-auditor.conf
@@ -0,0 +1,14 @@
+[PATHS]
+
+# Move runtime data "tmp" directory to /var/lib/taler-auditor/
+# to possibly provide additional protection from unwarranted access.
+TALER_RUNTIME_DIR = /var/lib/taler-auditor/tmp/
+
+[auditor]
+# Debian package is configured to use a reverse proxy with a UNIX
+# domain socket. See nginx/apache configuration files.
+SERVE = UNIX
+UNIXPATH = /var/lib/taler-auditor/auditor.sock
+
+# Only supported database is Postgres right now.
+DATABASE = postgres
diff --git a/debian/exchange-conf/apache.conf b/debian/exchange-conf/apache.conf
new file mode 100644
index 000000000..3cfbf9edb
--- /dev/null
+++ b/debian/exchange-conf/apache.conf
@@ -0,0 +1,4 @@
+
+ProxyPass "unix:/var/lib/taler-exchange/exchange.sock|http://example.com/"
+RequestHeader add "X-Forwarded-Proto" "https"
+
diff --git a/debian/exchange-conf/nginx.conf b/debian/exchange-conf/nginx.conf
new file mode 100644
index 000000000..2921c9998
--- /dev/null
+++ b/debian/exchange-conf/nginx.conf
@@ -0,0 +1,7 @@
+location /taler-exchange/ {
+ proxy_pass http://unix:/var/lib/taler-exchange/exchange.sock;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Host "example.com";
+ proxy_set_header X-Forwarded-Proto "https";
+}
\ No newline at end of file
diff --git a/debian/rules b/debian/rules
index 5c32fe88b..3af287771 100755
--- a/debian/rules
+++ b/debian/rules
@@ -34,3 +34,4 @@ override_dh_auto_clean: override_dh_install: dh_install cd debian/libtalerexchange; find . -type f -exec rm -f ../taler-exchange/{} \; + cd debian/taler-auditor; find . -type f -exec rm -f ../taler-exchange/{} \;
diff --git a/debian/taler-auditor.install b/debian/taler-auditor.install
new file mode 100644
index 000000000..4511b2574
--- /dev/null
+++ b/debian/taler-auditor.install
@@ -0,0 +1,8 @@
+usr/bin/taler-auditor
+usr/bin/taler-auditor-dbinit
+usr/bin/taler-auditor-exchange
+usr/bin/taler-auditor-httpd
+usr/bin/taler-auditor-offline
+usr/bin/taler-helper-auditor-*
+debian/etc/taler-auditor.conf etc/
+debian/auditor-conf/* etc/taler-auditor/
diff --git a/debian/taler-auditor.postinst b/debian/taler-auditor.postinst
new file mode 100644
index 000000000..7d3865080
--- /dev/null
+++ b/debian/taler-auditor.postinst
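Review bot: The added recipe line `cd debian/taler-auditor; find . -type f -exec rm -f ../taler-exchange/{} \;` joins `cd` and `find` with `;`, so if the directory is missing `find` still runs from the source root and `rm -f` is applied to paths resolved against its parent directory. Joining them with `&&` makes the deletion conditional on the `cd` succeeding: `cd debian/taler-auditor && find . -type f -exec rm -f ../taler-exchange/{} \;`. The existing libtalerexchange line just above has the same shape and would benefit from the same change.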
@@ -0,0 +1,95 @@ +#!/bin/bash + +set -e + +. /usr/share/debconf/confmodule + +case "${1}" in + configure) + db_version 2.0 + + db_get taler-auditor/username + _USERNAME="${RET:-taler-auditor-httpd}" + + db_get taler-auditor/groupname + _GROUPNAME="${RET:-taler-auditor-httpd}" + + db_stop + + CONFIG_FILE="/etc/default/taler-auditor" + TALER_HOME="/var/lib/taler-auditor" + + # Creating taler groups as needed + if ! getent group ${_GROUPNAME} > /dev/null + then + echo -n "Creating new Taler group ${_GROUPNAME}:" + addgroup --quiet --system ${_GROUPNAME} + echo " done." + fi + # Creating taler users if needed + if ! getent passwd ${_USERNAME} > /dev/null + then + echo -n "Creating new Taler user ${_USERNAME}:" + adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/httpd ${_USERNAME} + echo " done." + fi + # Writing new values to configuration file + echo -n "Writing new configuration file:" + CONFIG_NEW=$(tempfile) + +cat > "${CONFIG_NEW}" < "/etc/systemd/system/taler-auditor-httpd.service" <&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0
diff --git a/debian/taler-auditor.postrm b/debian/taler-auditor.postrm
new file mode 100644
index 000000000..7697a4142
--- /dev/null
+++ b/debian/taler-auditor.postrm
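Review bot: The debconf answers are expanded unquoted in `getent group ${_GROUPNAME}`, `addgroup --quiet --system ${_GROUPNAME}` and the `adduser --quiet --system --ingroup ${_GROUPNAME} --home ${TALER_HOME}/httpd ${_USERNAME}` call, so an answer containing whitespace or a leading dash is word-split or read as an option by commands that run as root. Quote every expansion, e.g. `addgroup --quiet --system "${_GROUPNAME}"`, and reject answers that are not plain account names before using them. `CONFIG_NEW=$(tempfile)` depends on the deprecated debianutils `tempfile`; `CONFIG_NEW=$(mktemp)` is the maintained equivalent. The here-documents after `cat > "${CONFIG_NEW}"` are not legible on this page, so the generated defaults file and the unit written to /etc/systemd/system/taler-auditor-httpd.service are not covered by this note.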
@@ -0,0 +1,58 @@
+#!/bin/sh
+
+set -e
+
+pathfind() {
+ OLDIFS="$IFS"
+ IFS=:
+ for p in $PATH; do
+ if [ -x "$p/$*" ]; then
+ IFS="$OLDIFS"
+ return 0
+ fi
+ done
+ IFS="$OLDIFS"
+ return 1
+}
+
+if [ -f /usr/share/debconf/confmodule ];
+then
+ . /usr/share/debconf/confmodule
+fi
+
+case "${1}" in
+ purge)
+ db_version 2.0
+
+ db_get taler-auditor/username
+ _USERNAME="${RET:-taler-auditor-httpd}"
+
+ db_get taler-auditor/groupname
+ _GROUPNAME="${RET:-taler-auditor-httpd}"
+
+ if pathfind deluser
+ then
+ deluser --quiet --system ${_USERNAME} || true
+ fi
+
+ if pathfind delgroup
+ then
+ delgroup --quiet --system --only-if-empty ${_GROUPNAME} || true
+ fi
+
+ rm -rf /var/log/taler-auditor/ /var/lib/taler-auditor /etc/default/taler-auditor
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`${1}'" >&2
+ exit 1
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/taler-auditor.templates b/debian/taler-auditor.templates
new file mode 100644
index 000000000..06eac63b7
--- /dev/null
+++ b/debian/taler-auditor.templates
@@ -0,0 +1,16 @@
+Template: taler-auditor/username
+Type: string
+Default: taler-auditor-httpd
+_Description: Taler user:
+ Please choose the user that the taler-auditor-httpd process will run as.
+ .
+ This should be a dedicated account. If the specified account does not
+ already exist, it will automatically be created, with no login shell.
+
+Template: taler-auditor/groupname
+Type: string
+Default: taler-auditor-httpd
+_Description: Taler group:
+ Please choose the group that the taler-auditor-httpd will run as.
+ .
+ This should be a dedicated group, not one that already owns data.
diff --git a/debian/taler-exchange.install b/debian/taler-exchange.install
index eee4a8fc7..add23672c 100644
--- a/debian/taler-exchange.install
+++ b/debian/taler-exchange.install
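Review bot: The purge branch calls `db_version 2.0` and `db_get` unconditionally, although `/usr/share/debconf/confmodule` is sourced only when the file exists; if debconf is already gone at purge time these are unknown commands and `set -e` aborts the script, which leaves the package unpurgeable. Guard the calls the same way and fall back to the defaults, e.g. wrap each lookup as `if [ -f /usr/share/debconf/confmodule ]; then db_get taler-auditor/username; fi` before `_USERNAME="${RET:-taler-auditor-httpd}"`. `${_USERNAME}` and `${_GROUPNAME}` come from debconf answers and should be quoted in the `deluser` and `delgroup` calls. Because the template text allows naming an account that already exists, a comment stating that purge removes whatever system account was configured would help administrators who reuse one.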
@@ -1,4 +1,4 @@ usr/bin/ usr/lib/*/taler/*.so debian/etc/* etc/ -debian/conf/* etc/taler-exchange/ +debian/exchange-conf/* etc/taler-exchange/
diff --git a/debian/taler-exchange.postinst b/debian/taler-exchange.postinst
index 3ef46bf2b..cf48f8782 100644
--- a/debian/taler-exchange.postinst
+++ b/debian/taler-exchange.postinst
@@ -3,26 +3,6 @@ set -e -apache_install() { - mkdir -p /etc/apache2/conf-available - if [ ! -f /etc/apache2/conf-available/taler-exchange.conf ]; - then - cp /etc/taler-exchange/apache.conf /etc/apache2/conf-available/taler-exchange.conf - fi - a2enmod proxy - a2enmod proxy_http - a2enmod headers -} - - -nginx_install() { - mkdir -p /etc/nginx/conf-available - if [ ! -f /etc/apache2/conf-available/taler-exchange.conf ]; - then - cp /etc/taler-exchange/nginx.conf /etc/nginx/conf-available/taler-exchange.conf - fi -} - . /usr/share/debconf/confmodule case "${1}" in
--
cgit v1.2.3