commit 7122a254bc5dba0586f390dd4fb769e9e13efd16
parent 093f7025a62752f257d87f05cf3edecb2e444315
Author: Antoine A <>
Date: Wed, 12 Nov 2025 15:20:01 +0100
magnet-bank: fix deb package and dbconfig script
Diffstat:
16 files changed, 103 insertions(+), 96 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
@@ -930,9 +930,9 @@ checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9"
[[package]]
name = "hyper"
-version = "1.7.0"
+version = "1.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb3aa54a13a0dfe7fbe3a59e0c76093041720fdc77b110cc0fc260fafb4dc51e"
+checksum = "1744436df46f0bde35af3eda22aeaba453aada65d8f1c171cd8a5f59030bd69f"
dependencies = [
"atomic-waker",
"bytes",
@@ -1389,15 +1389,6 @@ dependencies = [
]
[[package]]
-name = "passterm"
-version = "2.0.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "150ca2316c7813c688677784f20bb0a9efab639415ae1961869863ee99a81e51"
-dependencies = [
- "libc",
-]
-
-[[package]]
name = "pem-rfc7468"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -1715,6 +1706,27 @@ dependencies = [
]
[[package]]
+name = "rpassword"
+version = "7.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "66d4c8b64f049c6721ec8ccec37ddfc3d641c4a7fca57e8f2a89de509c73df39"
+dependencies = [
+ "libc",
+ "rtoolbox",
+ "windows-sys 0.59.0",
+]
+
+[[package]]
+name = "rtoolbox"
+version = "0.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a7cc970b249fbe527d6e02e0a227762c9108b2f49d81094fe357ffc6d14d7f6f"
+dependencies = [
+ "libc",
+ "windows-sys 0.52.0",
+]
+
+[[package]]
name = "rustc-hash"
version = "2.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -2154,9 +2166,9 @@ checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
[[package]]
name = "syn"
-version = "2.0.109"
+version = "2.0.110"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2f17c7e013e88258aa9543dcbe81aca68a667a9ac37cd69c9fbc07858bfe0e2f"
+checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea"
dependencies = [
"proc-macro2",
"quote",
@@ -2248,10 +2260,10 @@ dependencies = [
"jiff",
"owo-colors",
"p256",
- "passterm",
"percent-encoding",
"rand_core 0.6.4",
"reqwest",
+ "rpassword",
"serde",
"serde_json",
"serde_path_to_error",
@@ -2811,6 +2823,15 @@ dependencies = [
[[package]]
name = "windows-sys"
+version = "0.59.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
+dependencies = [
+ "windows-targets 0.52.6",
+]
+
+[[package]]
+name = "windows-sys"
version = "0.60.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f2f500e4d28234f72040990ec9d39e3a6b950f9f22d3dba18416c35882612bcb"
diff --git a/common/taler-api/src/lib.rs b/common/taler-api/src/lib.rs
@@ -46,14 +46,14 @@ impl Serve {
if let Ok(Some(unix)) = listenfd.take_unix_listener(0) {
info!(target: "api",
"Server listening on activated unix socket {:?}",
- unix.local_addr()
+ unix.local_addr()?
);
unix.set_nonblocking(true)?;
Ok(Listener::Unix(UnixListener::from_std(unix)?))
} else if let Ok(Some(tcp)) = listenfd.take_tcp_listener(0) {
info!(target: "api",
"Server listening on activated TCP socket {:?}",
- tcp.local_addr()
+ tcp.local_addr()?
);
tcp.set_nonblocking(true)?;
Ok(Listener::Tcp(TcpListener::from_std(tcp)?))
diff --git a/contrib/ci/jobs/3-deb/test.sh b/contrib/ci/jobs/3-deb/test.sh
@@ -6,27 +6,33 @@ function step() {
echo -e "\n$@" >&2
}
+USERS="taler-magnet-bank-httpd taler-magnet-bank-worker"
+
step "Install magnet-bank"
-dpkg -i /workdir/target/*/debian/*$ARCH.deb
+dpkg -i /workdir/target/debian/taler-magnet-bank*$ARCH.deb
step "Install magnet-bank again"
-dpkg -i /workdir/target/*/debian/*$ARCH.deb
+dpkg -i /workdir/target/debian/taler-magnet-bank*$ARCH.deb
step "Start postgres cluster"
sudo -u postgres pg_ctlcluster 17 main start
-step "taler-magnet-bank version:"
+step "taler-magnet-bank version"
taler-magnet-bank --version
-step "taler-magnet-bank-httpd user:"
-id taler-magnet-bank-httpd
-
-step "taler-magnet-bank-worker user:"
-id taler-magnet-bank-worker
+for USER in $USERS; do
+ step "$USER user:"
+ id $USER
+done
step "Run dbconfig"
sudo taler-magnet-bank-dbconfig -r
+for USER in $USERS; do
+ step "Check $USER db access"
+ sudo -u $USER psql -d taler-magnet-bank -c "SELECT 1;" &> /dev/null
+done
+
step "Check man pages"
man taler-magnet-bank > /dev/null
man taler-magnet-bank.conf > /dev/null
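Review bot: The new access check `sudo -u $USER psql -d taler-magnet-bank -c "SELECT 1;" &> /dev/null` discards stderr, so when a role cannot connect the CI log gives no reason. Whether the failure stops the job at all depends on a `set -e` that is not visible in this hunk. Redirecting only stdout keeps the diagnostic and makes the failure explicit: `sudo -u "$user" psql -d taler-magnet-bank -c "SELECT 1;" > /dev/null || exit 1`. The loop variable also overwrites the shell's own `USER` variable and is expanded unquoted; a quoted lowercase name such as `"$user"` avoids both.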
@@ -38,4 +44,7 @@ step "Reinstall magnet-bank"
dpkg -i /workdir/target/*/debian/*$ARCH.deb
step "Purge magnet-bank:"
-dpkg --purge taler-magnet-bank
-\ No newline at end of file
+dpkg --purge taler-magnet-bank
+
+step "Reinstall magnet-bank"
+dpkg -i /workdir/target/*/debian/*$ARCH.deb
+\ No newline at end of file
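Review bot: The reinstall step added after the purge still uses the old glob `/workdir/target/*/debian/*$ARCH.deb`, as does the context line before the purge step. The first hunk of this file moved both install steps to `/workdir/target/debian/taler-magnet-bank*$ARCH.deb`. If the package is now only produced under `target/debian/`, the old glob stays unexpanded and `dpkg -i` is handed a literal path that does not exist. Use the same path in all four places, for example through one variable defined next to `USERS`.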
diff --git a/contrib/taler-magnet-bank-dbconfig b/contrib/taler-magnet-bank-dbconfig
@@ -126,6 +126,7 @@ fi
# Run dbinit
if [ 0 = "$SKIP_INIT" ]; then
+ echo "Initialize database schema"
if ! sudo -u "$DBUSER" taler-magnet-bank dbinit -c "$CFGFILE"; then
exit_fail "Failed to initialize database schema"
fi
@@ -138,7 +139,11 @@ if [ 0 = "$SKIP_INIT" ] || [ 1 = "$FORCE_PERMS" ]; then
if ! sudo -i -u postgres createuser "$DBGROUP" 2>/dev/null; then
echo "Database group '$DBGROUP' already existed. Continuing anyway." 1>&2
fi
- if ! echo "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO \"$DBGROUP\"" |
+ if ! echo "GRANT ALL ON SCHEMA magnet_bank TO \"$DBGROUP\"" |
+ sudo -i -u postgres psql "$DBNAME"; then
+ exit_fail "Failed to grant access to '$DBGROUP'."
+ fi
+ if ! echo "GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA magnet_bank TO \"$DBGROUP\"" |
sudo -i -u postgres psql "$DBNAME"; then
exit_fail "Failed to grant access to '$DBGROUP'."
fi
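Review bot: `GRANT ALL ON SCHEMA magnet_bank` gives the group `CREATE` as well as `USAGE`, so every role in `$DBGROUP` can add objects to the schema. If the services only read and write existing tables, `GRANT USAGE ON SCHEMA magnet_bank TO \"$DBGROUP\"` is the narrower grant. The table grant covers only tables that exist when the script runs and does not cover sequences; whether that matters depends on the schema, which is not visible here. Both failure branches print the same `Failed to grant access to '$DBGROUP'.`, so the message does not say which grant failed. The enclosing `if` begins outside the hunk.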
@@ -152,7 +157,8 @@ if [ 0 = "$SKIP_INIT" ] || [ 1 = "$FORCE_PERMS" ]; then
echo "Database user '$GROUPIE' already existed. Continuing anyway." 1>&2
fi
fi
- if ! echo "GRANT ROLE \"$DBGROUP\" ON SCHEMA exchange TO \"$GROUPIE\"" |
+
+ if ! echo "GRANT \"$DBGROUP\" TO \"$GROUPIE\"" |
sudo -i -u postgres psql "$DBNAME"; then
exit_fail "Failed to make '$GROUPIE' part of '$DBGROUP' db group."
fi
diff --git a/debian/etc/taler-magnet-bank/conf.d/magnet-bank-httpd.conf b/debian/etc/taler-magnet-bank/conf.d/magnet-bank-httpd.conf
@@ -6,4 +6,4 @@
[magnet-bank-httpd-revenue-api]
# ENABLED = YES
-@inline-secret@ magnet-bank-httpd-revenue-api ../secrets/magnet-bank-httpd.secret.conf
-\ No newline at end of file
+@inline-secret@ magnet-bank-httpd-revenue-api ../secrets/magnet-bank-httpd.secret.conf
diff --git a/debian/etc/taler-magnet-bank/conf.d/magnet-bank-system.conf b/debian/etc/taler-magnet-bank/conf.d/magnet-bank-system.conf
@@ -3,4 +3,3 @@
# Read secret sections into configuration, but only
# if we have permission to do so.
@inline-secret@ magnet-bankdb-postgres ../secrets/magnet-bank-db.secret.conf
-
diff --git a/debian/etc/taler-magnet-bank/conf.d/magnet-bank-worker.conf b/debian/etc/taler-magnet-bank/conf.d/magnet-bank-worker.conf
@@ -2,4 +2,4 @@
[magnet-bank-worker]
KEYS_FILE = ${MAGNET_BANK_HOME}/keys.json
-@inline-secret@ magnet-bank-worker ../secrets/magnet-bank-worker.secret.conf
-\ No newline at end of file
+@inline-secret@ magnet-bank-worker ../secrets/magnet-bank-worker.secret.conf
diff --git a/debian/etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf b/debian/etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf
@@ -4,4 +4,4 @@
[magnet-bank-httpd-revenue-api]
# AUTH_METHOD = bearer
-# TOKEN =
-\ No newline at end of file
+# TOKEN =
diff --git a/debian/etc/taler-magnet-bank/secrets/magnet-bank-worker.secret.conf b/debian/etc/taler-magnet-bank/secrets/magnet-bank-worker.secret.conf
@@ -1,3 +1,3 @@
[magnet-bank-worker]
CONSUMER_KEY =
-CONSUMER_SECRET =
-\ No newline at end of file
+CONSUMER_SECRET =
diff --git a/debian/etc/taler-magnet-bank/taler-magnet-bank.conf b/debian/etc/taler-magnet-bank/taler-magnet-bank.conf
@@ -30,4 +30,4 @@
# Paths for the system-wide installation of the Taler Magnet Bank Adapter. Do not remove
# or change these unless you are very sure of what you are doing.
-MAGNET_BANK_HOME = /var/lib/taler-magnet-bank/
-\ No newline at end of file
+MAGNET_BANK_HOME = /var/lib/taler-magnet-bank/
diff --git a/debian/taler-magnet-bank.postinst b/debian/taler-magnet-bank.postinst
@@ -2,44 +2,8 @@
set -e
-MAGNET_HOME="/var/lib/taler-magnet-bank"
-
-# Group with access to our database
-_DBGROUP=taler-magnet-bank-db
-
-# Different users for the different components
-_HTTPDUSER=taler-magnet-bank-httpd
-_WORKERUSER=taler-magnet-bank-worker
-
-if [ "$1" = "configure" ] ; then
- # Create taler groups as needed
- if ! getent group ${_DBGROUP} >/dev/null; then
- addgroup --quiet --system ${_DBGROUP}
- fi
- # Create users as needed
- if ! getent passwd ${_HTTPDUSER} >/dev/null; then
- adduser --quiet --system --no-create-home --ingroup ${_DBGROUP} --home ${MAGNET_HOME} ${_HTTPDUSER}
- fi
- if ! getent passwd ${_WORKERUSER} >/dev/null; then
- adduser --quiet --system --no-create-home --ingroup ${_DBGROUP} --home ${MAGNET_HOME} ${_WORKERUSER}
- fi
-
- # Update secret files permissions
- if ! dpkg-statoverride --list /etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf >/dev/null 2>&1; then
- dpkg-statoverride --add --update \
- root ${_DBGROUP} 460 \
- /etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf
- fi
- if ! dpkg-statoverride --list /etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf >/dev/null 2>&1; then
- dpkg-statoverride --add --update \
- ${_HTTPDUSER} root 640 \
- /etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf
- fi
- if ! dpkg-statoverride --list /etc/taler-magnet-bank/secrets/magnet-bank-worker.secret.conf >/dev/null 2>&1; then
- dpkg-statoverride --add --update \
- ${_WORKERUSER} root 640 \
- /etc/taler-magnet-bank/secrets/magnet-bank-worker.secret.conf
- fi
+if command -v systemd-sysusers >/dev/null 2>&1; then
+ systemd-sysusers
fi
#DEBHELPER#
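Review bot: After this change the postinst creates the service accounts only when `systemd-sysusers` is on the PATH, and it no longer applies the secret-file ownership itself. The `dpkg-statoverride` calls are gone and nothing visible here runs `systemd-tmpfiles --create`, so unless the `#DEBHELPER#` expansion does it, the files under `/etc/taler-magnet-bank/secrets/` keep their packaged owner and mode after install. I would name the package's own files and apply both, `systemd-sysusers taler-magnet-bank.conf` followed by `systemd-tmpfiles --create taler-magnet-bank.conf`; a bare `systemd-sysusers` processes every sysusers.d file on the system. When the command is missing, the script currently continues without creating any user; failing with a clear message would be safer than an install that leaves the services without accounts.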
diff --git a/debian/taler-magnet-bank.postrm b/debian/taler-magnet-bank.postrm
@@ -2,23 +2,8 @@
set -e
-# Group with access to our database
-_DBGROUP=taler-magnet-bank-db
-
-# Different users for the different components
-_HTTPDUSER=taler-magnet-bank-httpd
-_WORKERUSER=taler-magnet-bank-worker
-
if [ "$1" = "purge" ] ; then
- # Remove permissions override
- for fs in magnet-bank-db.secret.conf magnet-bank-httpd.secret.conf magnet-bank-worker.secret.conf; do
- dpkg-statoverride --remove /etc/taler-magnet-bank/secrets/$fs || true
- done
- # Remove users
- deluser --quiet --system ${_HTTPDUSER} || true
- deluser --quiet --system ${_WORKERUSER} || true
- # Remove groups
- delgroup --only-if-empty --quiet ${_DBGROUP} || true
+ rm -rf /var/lib/taler-magnet-bank || true
fi
#DEBHELPER#
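Review bot: Systems upgraded from a release whose postinst registered `dpkg-statoverride` entries for the three secret files keep those entries. The purge branch no longer removes them and no maintainer script visible in this commit migrates them. Keeping the `dpkg-statoverride --remove /etc/taler-magnet-bank/secrets/$fs || true` loop in the purge branch, or removing the overrides once on upgrade, avoids stale overrides competing with the new tmpfiles rules. Separately, `rm -rf` already succeeds on a missing path, so the `|| true` after it only hides real deletion errors.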
diff --git a/debian/taler-magnet-bank.sysusers b/debian/taler-magnet-bank.sysusers
@@ -0,0 +1,9 @@
+# Create services users
+u! taler-magnet-bank-worker - "Taler Magnet Bank Adapter worker" /var/lib/taler-magnet-bank
+u! taler-magnet-bank-httpd - "Taler Magnet Bank Adapter server" /var/lib/taler-magnet-bank
+
+
+# Create DB access group
+g taler-magnet-bank-db -
+m taler-magnet-bank-worker taler-magnet-bank-db
+m taler-magnet-bank-httpd taler-magnet-bank-db
+\ No newline at end of file
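Review bot: The `u!` line type is, as far as I know, only understood by recent systemd releases (it was added in 257). On an older `systemd-sysusers` these two lines would be rejected and neither service account created, and the postinst has no fallback. If older distributions are supported, use plain `u` or declare the minimum systemd version in the package dependencies. Either way, a comment such as `# u! = fully locked account, needs systemd >= 257` would document the choice. The file also ends without a trailing newline, which this same commit fixes in the other config files.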
diff --git a/debian/taler-magnet-bank.tmpfiles b/debian/taler-magnet-bank.tmpfiles
@@ -0,0 +1,7 @@
+# Create home directory
+d /var/lib/taler-magnet-bank 0700 taler-magnet-bank-worker taler-magnet-bank-worker - -
+
+# Update secret files permissions
+z /etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf 0460 root taler-magnet-bank-db - -
+z /etc/taler-magnet-bank/secrets/magnet-bank-httpd.secret.conf 0640 taler-magnet-bank-httpd root - -
+z /etc/taler-magnet-bank/secrets/magnet-bank-worker.secret.conf 0640 taler-magnet-bank-worker root - -
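Review bot: Mode `0460` on `magnet-bank-db.secret.conf` gives the `taler-magnet-bank-db` group write access while the owner gets read only, so both service accounts can rewrite the database secret. The other two secret files use `0640`. If the services only need to read the file, `z /etc/taler-magnet-bank/secrets/magnet-bank-db.secret.conf 0640 root taler-magnet-bank-db - -` is the least-privilege setting. The value is carried over from the removed postinst (`root ${_DBGROUP} 460`), so it may be intentional; in that case a comment saying why the group needs write access would help.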
diff --git a/taler-magnet-bank/Cargo.toml b/taler-magnet-bank/Cargo.toml
@@ -19,7 +19,7 @@ p256 = { version = "0.13.2", features = ["alloc", "ecdsa"] }
spki = "0.7.3"
form_urlencoded = "1.2"
percent-encoding = "2.3"
-passterm = "2.0"
+rpassword = "7.4"
sqlx.workspace = true
serde_json = { workspace = true, features = ["raw_value"] }
jiff = { workspace = true, features = ["serde"] }
@@ -60,6 +60,17 @@ assets = [
"/usr/bin/",
"755",
],
+ # Systemd config files
+ [
+ "../debian/taler-magnet-bank.tmpfiles",
+ "/usr/lib/tmpfiles.d/taler-magnet-bank.conf",
+ "644",
+ ],
+ [
+ "../debian/taler-magnet-bank.sysusers",
+ "/usr/lib/sysusers.d/taler-magnet-bank.conf",
+ "644",
+ ],
# Scripts
[
"../contrib/taler-magnet-bank-dbconfig",
diff --git a/taler-magnet-bank/src/setup.rs b/taler-magnet-bank/src/setup.rs
@@ -98,7 +98,7 @@ pub async fn setup(cfg: WorkerCfg, reset: bool) -> anyhow::Result<()> {
.unwrap(),
token_request.key
);
- let auth_url = passterm::prompt_password_tty(Some("Enter the result URL>"))?;
+ let auth_url = rpassword::prompt_password("Enter the result URL>")?;
let auth_url = reqwest::Url::parse(&auth_url)?;
let token_auth: TokenAuth =
serde_urlencoded::from_str(auth_url.query().unwrap_or_default())?;
@@ -119,7 +119,7 @@ pub async fn setup(cfg: WorkerCfg, reset: bool) -> anyhow::Result<()> {
request.channel,
request.sent_to.join(", ")
);
- let sca_code = passterm::prompt_password_tty(Some("Enter the code>"))?;
+ let sca_code = rpassword::prompt_password("Enter the code>")?;
if let Err(e) = client.perform_sca(&sca_code).await {
// Ignore error if SCA already performed
if !matches!(e.kind, ErrKind::Magnet(MagnetError { ref short_message, .. }) if short_message == "TOKEN_SCA_HITELESITETT")