From 0ccc6504209c155ee036893288ac0bc7e988d43a Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Sat, 2 Jan 2021 21:21:34 +0100 Subject: fix #6673: fix access rights on package install --- debian/conf/apache.conf | 2 +- debian/conf/nginx.conf | 4 ++-- debian/db/install/pgsql | 5 +++++ debian/etc/taler-merchant.conf | 2 +- debian/taler-merchant.config | 4 ++++ debian/taler-merchant.postinst | 2 +- debian/taler-merchant.postrm | 2 ++ src/merchant-tools/taler-merchant-dbinit.c | 2 +- 8 files changed, 17 insertions(+), 6 deletions(-) diff --git a/debian/conf/apache.conf b/debian/conf/apache.conf index e25d54c7..e11f6d82 100644 --- a/debian/conf/apache.conf +++ b/debian/conf/apache.conf @@ -3,6 +3,6 @@ RewriteEngine On RewriteCond "%{HTTP:AUTHORIZATION}" "!= %SECURITYTOKEN%" RewriteRule "(.+)/private/" "-" [F] -ProxyPass "unix:/var/lib/taler-merchant/merchant.sock|http://example.com/" +ProxyPass "unix:/var/lib/taler-merchant/httpd/merchant.sock|http://example.com/" RequestHeader add "X-Forwarded-Proto" "https" diff --git a/debian/conf/nginx.conf b/debian/conf/nginx.conf index a57a2e19..82aaa306 100644 --- a/debian/conf/nginx.conf +++ b/debian/conf/nginx.conf @@ -2,7 +2,7 @@ location ~ /taler-merchant/private/ { if ($http_authorization !~ "(?i)ApiKey %SECURITYTOKEN%") { return 401; } - proxy_pass http://unix:/var/lib/taler-merchant/merchant.sock; + proxy_pass http://unix:/var/lib/taler-merchant/httpd/merchant.sock; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Forwarded-Host "example.com"; @@ -10,7 +10,7 @@ location ~ /taler-merchant/private/ { } location /taler-merchant/ { - proxy_pass http://unix:/var/lib/taler-merchant/merchant.sock; + proxy_pass http://unix:/var/lib/taler-merchant/httpd/merchant.sock; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Forwarded-Host "example.com"; diff --git a/debian/db/install/pgsql b/debian/db/install/pgsql index 8173aeff..a69ac671 100755 --- a/debian/db/install/pgsql 
+++ b/debian/db/install/pgsql @@ -45,6 +45,11 @@ if [ -f /etc/dbconfig-common/taler-merchant.conf ]; then . /etc/dbconfig-common/taler-merchant.conf case "$dbc_dbtype" in pgsql) + echo "GRANT INSERT, SELECT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO \"$dbc_dbuser\";" \ + | sudo -u postgres psql "postgres:///$dbc_dbname" + echo "GRANT SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA public TO \"$dbc_dbuser\";" \ + | sudo -u postgres psql "postgres:///$dbc_dbname" + taler-config -w \ -c /etc/taler-merchant.conf \ -s "merchantdb-postgres" \ diff --git a/debian/etc/taler-merchant.conf b/debian/etc/taler-merchant.conf index ef4c1f52..60e2b72d 100644 --- a/debian/etc/taler-merchant.conf +++ b/debian/etc/taler-merchant.conf @@ -4,5 +4,5 @@ CURRENCY = KUDOS [merchant] SERVE = UNIX -UNIXPATH = /var/lib/taler-merchant/merchant.sock +UNIXPATH = /var/lib/taler-merchant/httpd/merchant.sock DATABASE = postgres diff --git a/debian/taler-merchant.config b/debian/taler-merchant.config index 6eac093d..35d901ce 100644 --- a/debian/taler-merchant.config +++ b/debian/taler-merchant.config @@ -28,6 +28,10 @@ dbc_authmethod_user=ident dbc_authmethod_admin=ident +db_get taler-merchant/username +_USERNAME="${RET:-taler-merchant-httpd}" +dbc_dbuser=${_USERNAME} + if [ -f /usr/share/dbconfig-common/dpkg/config.pgsql ]; then . /usr/share/dbconfig-common/dpkg/config.pgsql diff --git a/debian/taler-merchant.postinst b/debian/taler-merchant.postinst index dfd3e3de..54268d24 100644 --- a/debian/taler-merchant.postinst +++ b/debian/taler-merchant.postinst @@ -25,7 +25,7 @@ apache_install() { # 1st argument will be the SECURITYTOKEN to use. nginx_install() { mkdir -p /etc/nginx/conf-available - if [ ! -f /etc/apache2/conf-available/taler-merchant.conf ]; + if [ ! -f /etc/nginx/conf-available/taler-merchant.conf ]; then cat /etc/taler-merchant/nginx.conf | sed -e "s/%SECURITYTOKEN%/$1/" > /etc/nginx/conf-available/taler-merchant.conf fi 
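Review bot: Both added `psql` invocations in the `pgsql)` branch can fail without the install noticing, because psql reading statements from stdin exits 0 on an SQL error unless `ON_ERROR_STOP` is set. A rejected GRANT would then leave the merchant role without the rights this commit is meant to give it. I would run them as `| sudo -u postgres psql -v ON_ERROR_STOP=1 "postgres:///$dbc_dbname"` and let a non-zero status abort the script. The GRANTs also only cover tables and sequences that exist when this runs; if the schema is created or migrated later by another role (not visible here), those objects stay inaccessible unless `ALTER DEFAULT PRIVILEGES` is set as well. The enclosing `if`/`case` starts and ends outside the hunk.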
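Review bot: `UNIXPATH` now points into `/var/lib/taler-merchant/httpd/`, but no hunk in this patch creates that directory or sets its owner and mode; only the postrm hunk removes it. If that is done elsewhere (the rest of postinst or the service unit, neither shown here), a comment next to the setting should say so, e.g. `# httpd/ is created by <component>; only the daemon and the web server user may enter it`. The same path is used by the `ProxyPass` line in apache.conf and both `proxy_pass` lines in nginx.conf. The proxy's user therefore needs search permission on the directory and write access to the socket, while `master-api-key.txt` in the parent presumably has to stay unreadable to it.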
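Review bot: `$RET` is copied into `dbc_dbuser` without validation, and debian/db/install/pgsql in this same patch places that value inside a double-quoted identifier in SQL that is executed as the `postgres` account. The value normally comes from the administrator or a preseed file, so the exposure is small, but a stray quote or space would at best break the GRANT. A guard right after the assignment, `case "$_USERNAME" in *[!a-z0-9_-]*) echo "invalid user name" >&2; exit 1;; esac`, keeps it to the characters a system account name uses. Separately, if the script runs under `set -e` (not visible in the hunk), `db_get` on a missing template aborts configuration; `db_get taler-merchant/username || true` is the usual form.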
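Review bot: The file written inside the corrected `if` holds the substituted SECURITYTOKEN, yet it is created through a plain `>` redirect, so its mode is whatever the maintainer script's umask allows, typically world-readable. No chmod is visible in the hunk. Since this commit is about access rights, I would create it under a tight umask, `( umask 077; sed -e "s/%SECURITYTOKEN%/$1/" /etc/taler-merchant/nginx.conf > /etc/nginx/conf-available/taler-merchant.conf )`, assuming nginx reads its configuration as root. It is worth checking whether `apache_install` above needs the same treatment. `nginx_install` continues past the end of the hunk.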
diff --git a/debian/taler-merchant.postrm b/debian/taler-merchant.postrm index 3cf433e1..0f7a8baa 100644 --- a/debian/taler-merchant.postrm +++ b/debian/taler-merchant.postrm @@ -58,6 +58,8 @@ fi case "${1}" in purge) + rm -f /var/lib/taler-merchant/master-api-key.txt + rmdir /var/lib/taler-merchant/httpd/ if [ -e /usr/share/debconf/confmodule ] then . /usr/share/debconf/confmodule diff --git a/src/merchant-tools/taler-merchant-dbinit.c b/src/merchant-tools/taler-merchant-dbinit.c index 73ec3519..9c0f855d 100644 --- a/src/merchant-tools/taler-merchant-dbinit.c +++ b/src/merchant-tools/taler-merchant-dbinit.c @@ -1,6 +1,6 @@ /* This file is part of TALER - Copyright (C) 2014, 2015 Taler Systems SA + Copyright (C) 2014, 2015, 2020 Taler Systems SA TALER is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software -- cgit v1.2.3
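Review bot: The added `rmdir /var/lib/taler-merchant/httpd/` fails when the directory is missing (package purged without ever being configured, or purge run twice) or still contains a stale `merchant.sock`. If the script runs under `set -e` (not visible in the hunk), that makes the purge itself fail and leaves the package half-removed. I would remove the socket first and tolerate a missing directory: `rm -f /var/lib/taler-merchant/httpd/merchant.sock` followed by `rmdir /var/lib/taler-merchant/httpd/ 2>/dev/null || true`. The `case` block continues outside the hunk.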