Fix typo to repair oauth and simple auth login

Second time breakage, time for a test ;-)

box.js

@@ -14,6 +14,7 @@ var appHealthMonitor = require('./src/apphealthmonitor.js'),
     async = require('async'),
     config = require('./src/config.js'),
     ldap = require('./src/ldap.js'),
+    simpleauth = require('./src/simpleauth.js'),
     oauthproxy = require('./src/oauthproxy.js'),
     server = require('./src/server.js');
 
@@ -35,6 +36,7 @@ console.log();
 async.series([
     server.start,
     ldap.start,
+    simpleauth.start,
     appHealthMonitor.start,
     oauthproxy.start
 ], function (error) {
@@ -49,6 +51,7 @@ var NOOP_CALLBACK = function () { };
 process.on('SIGINT', function () {
     server.stop(NOOP_CALLBACK);
     ldap.stop(NOOP_CALLBACK);
+    simpleauth.stop(NOOP_CALLBACK);
     oauthproxy.stop(NOOP_CALLBACK);
     setTimeout(process.exit.bind(process), 3000);
 });
@@ -56,6 +59,7 @@ process.on('SIGINT', function () {
 process.on('SIGTERM', function () {
     server.stop(NOOP_CALLBACK);
     ldap.stop(NOOP_CALLBACK);
+    simpleauth.stop(NOOP_CALLBACK);
     oauthproxy.stop(NOOP_CALLBACK);
     setTimeout(process.exit.bind(process), 3000);
 });

migrations/20151013073519-apps-add-oauthProxy.js

@@ -0,0 +1,17 @@
+dbm = dbm || require('db-migrate');
+var type = dbm.dataType;
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN oauthProxy BOOLEAN DEFAULT 0', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN oauthProxy', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+

migrations/schema.sql

@@ -30,7 +30,7 @@ CREATE TABLE IF NOT EXISTS tokens(
 
 CREATE TABLE IF NOT EXISTS clients(
     id VARCHAR(128) NOT NULL UNIQUE,
-    appId VARCHAR(128) NOT NULL,
+    appId VARCHAR(128) NOT NULL,                // this is for the form <type>-appId to allow easy clearing of tokens of a type
     clientSecret VARCHAR(512) NOT NULL,
     redirectURI VARCHAR(512) NOT NULL,
     scope VARCHAR(512) NOT NULL,
@@ -49,10 +49,14 @@ CREATE TABLE IF NOT EXISTS apps(
     location VARCHAR(128) NOT NULL UNIQUE,
     dnsRecordId VARCHAR(512),
     accessRestriction VARCHAR(512),
+    oauthProxy BOOLEAN DEFAULT 0,
     createdAt TIMESTAMP(2) NOT NULL DEFAULT CURRENT_TIMESTAMP,
 
     lastBackupId VARCHAR(128),
     lastBackupConfigJson VARCHAR(2048), // used for appstore and non-appstore installs. it's here so it's easy to do REST validation
+
+    oldConfigJson VARCHAR(2048), // used to pass old config for apptask
+
     PRIMARY KEY(id));
 
 CREATE TABLE IF NOT EXISTS appPortBindings(

package.json

@@ -16,7 +16,7 @@
     "async": "^1.2.1",
     "aws-sdk": "^2.1.46",
     "body-parser": "^1.13.1",
-    "cloudron-manifestformat": "^1.7.0",
+    "cloudron-manifestformat": "^1.9.1",
     "connect-ensure-login": "^0.1.1",
     "connect-lastmile": "0.0.13",
     "connect-timeout": "^1.5.0",

setup/INFRA_VERSION

@@ -3,15 +3,15 @@
 # If you change the infra version, be sure to put a warning
 # in the change log
 
-INFRA_VERSION=11
+INFRA_VERSION=16
 
 # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 # These constants are used in the installer script as well
-BASE_IMAGE=cloudron/base:0.4.0
-MYSQL_IMAGE=cloudron/mysql:0.4.0
-POSTGRESQL_IMAGE=cloudron/postgresql:0.4.0
-MONGODB_IMAGE=cloudron/mongodb:0.4.0
-REDIS_IMAGE=cloudron/redis:0.4.0 # if you change this, fix src/addons.js as well
-MAIL_IMAGE=cloudron/mail:0.4.0
-GRAPHITE_IMAGE=cloudron/graphite:0.4.0
+BASE_IMAGE=cloudron/base:0.6.0
+MYSQL_IMAGE=cloudron/mysql:0.6.0
+POSTGRESQL_IMAGE=cloudron/postgresql:0.6.0
+MONGODB_IMAGE=cloudron/mongodb:0.6.0
+REDIS_IMAGE=cloudron/redis:0.6.1 # if you change this, fix src/addons.js as well
+MAIL_IMAGE=cloudron/mail:0.6.0
+GRAPHITE_IMAGE=cloudron/graphite:0.6.0
 

setup/start/setup_infra.sh

@@ -34,17 +34,18 @@ graphite_container_id=$(docker run --restart=always -d --name="graphite" \
     -p 127.0.0.1:2004:2004 \
     -p 127.0.0.1:8000:8000 \
     -v "${DATA_DIR}/graphite:/app/data" \
+    --read-only -v /tmp -v /run -v /var/log \
     "${GRAPHITE_IMAGE}")
 echo "Graphite container id: ${graphite_container_id}"
 
-# mail
+# mail (MAIL_SMTP_PORT is 2500 in addons.js. used in mailer.js as well)
 mail_container_id=$(docker run --restart=always -d --name="mail" \
     -m 75m \
     --memory-swap 150m \
-    -p 127.0.0.1:25:25 \
     -h "${arg_fqdn}" \
     -e "DOMAIN_NAME=${arg_fqdn}" \
     -v "${DATA_DIR}/box/mail:/app/data" \
+    --read-only -v /tmp -v /run -v /var/log \
     "${MAIL_IMAGE}")
 echo "Mail container id: ${mail_container_id}"
 
@@ -61,6 +62,7 @@ mysql_container_id=$(docker run --restart=always -d --name="mysql" \
     -h "${arg_fqdn}" \
     -v "${DATA_DIR}/mysql:/var/lib/mysql" \
     -v "${DATA_DIR}/addons/mysql_vars.sh:/etc/mysql/mysql_vars.sh:ro" \
+    --read-only -v /tmp -v /run -v /var/log \
     "${MYSQL_IMAGE}")
 echo "MySQL container id: ${mysql_container_id}"
 
@@ -75,6 +77,7 @@ postgresql_container_id=$(docker run --restart=always -d --name="postgresql" \
     -h "${arg_fqdn}" \
     -v "${DATA_DIR}/postgresql:/var/lib/postgresql" \
     -v "${DATA_DIR}/addons/postgresql_vars.sh:/etc/postgresql/postgresql_vars.sh:ro" \
+    --read-only -v /tmp -v /run -v /var/log \
     "${POSTGRESQL_IMAGE}")
 echo "PostgreSQL container id: ${postgresql_container_id}"
 
@@ -89,16 +92,18 @@ mongodb_container_id=$(docker run --restart=always -d --name="mongodb" \
     -h "${arg_fqdn}" \
     -v "${DATA_DIR}/mongodb:/var/lib/mongodb" \
     -v "${DATA_DIR}/addons/mongodb_vars.sh:/etc/mongodb_vars.sh:ro" \
+    --read-only -v /tmp -v /run -v /var/log \
     "${MONGODB_IMAGE}")
 echo "Mongodb container id: ${mongodb_container_id}"
 
+# only touch apps in installed state. any other state is just resumed by the taskmanager
 if [[ "${infra_version}" == "none" ]]; then
-    # if no existing infra was found (for new and restoring cloudons), download app backups
+    # if no existing infra was found (for new, upgraded and restored cloudons), download app backups
     echo "Marking installed apps for restore"
-    mysql -u root -ppassword -e 'UPDATE apps SET installationState = "pending_restore" WHERE installationState = "installed"' box
+    mysql -u root -ppassword -e 'UPDATE apps SET installationState = "pending_restore", oldConfigJson = NULL WHERE installationState = "installed"' box
 else
     # if existing infra was found, just mark apps for reconfiguration
-    mysql -u root -ppassword -e 'UPDATE apps SET installationState = "pending_configure" WHERE installationState = "installed"' box
+    mysql -u root -ppassword -e 'UPDATE apps SET installationState = "pending_configure", oldConfigJson = NULL  WHERE installationState = "installed"' box
 fi
 
 echo -n "${INFRA_VERSION}" > "${DATA_DIR}/INFRA_VERSION"

src/addons.js

@@ -11,8 +11,8 @@ exports = module.exports = {
     getBindsSync: getBindsSync,
 
     // exported for testing
-    _allocateOAuthCredentials: allocateOAuthCredentials,
-    _removeOAuthCredentials: removeOAuthCredentials
+    _setupOauth: setupOauth,
+    _teardownOauth: teardownOauth
 };
 
 var appdb = require('./appdb.js'),
@@ -35,27 +35,26 @@ var appdb = require('./appdb.js'),
     safe = require('safetydance'),
     shell = require('./shell.js'),
     spawn = child_process.spawn,
-    tokendb = require('./tokendb.js'),
     util = require('util'),
     uuid = require('node-uuid'),
     vbox = require('./vbox.js');
 
-var NOOP = function (app, callback) { return callback(); };
+var NOOP = function (app, options, callback) { return callback(); };
 
 // setup can be called multiple times for the same app (configure crash restart) and existing data must not be lost
 // teardown is destructive. app data stored with the addon is lost
 var KNOWN_ADDONS = {
     oauth: {
-        setup: allocateOAuthCredentials,
-        teardown: removeOAuthCredentials,
+        setup: setupOauth,
+        teardown: teardownOauth,
         backup: NOOP,
-        restore: allocateOAuthCredentials
+        restore: setupOauth
     },
-    token: {
-        setup: allocateAccessToken,
-        teardown: removeAccessToken,
+    simpleauth: {
+        setup: setupSimpleAuth,
+        teardown: teardownSimpleAuth,
         backup: NOOP,
-        restore: allocateAccessToken
+        restore: setupSimpleAuth
     },
     ldap: {
         setup: setupLdap,
@@ -90,7 +89,7 @@ var KNOWN_ADDONS = {
     redis: {
         setup: setupRedis,
         teardown: teardownRedis,
-        backup: NOOP, // no backup because we store redis as part of app's volume
+        backup: backupRedis,
         restore: setupRedis // same thing
     },
     localstorage: {
@@ -128,9 +127,9 @@ function setupAddons(app, addons, callback) {
     async.eachSeries(Object.keys(addons), function iterator(addon, iteratorCallback) {
         if (!(addon in KNOWN_ADDONS)) return iteratorCallback(new Error('No such addon:' + addon));
 
-        debugApp(app, 'Setting up addon %s', addon);
+        debugApp(app, 'Setting up addon %s with options %j', addon, addons[addon]);
 
-        KNOWN_ADDONS[addon].setup(app, iteratorCallback);
+        KNOWN_ADDONS[addon].setup(app, addons[addon], iteratorCallback);
     }, callback);
 }
 
@@ -146,9 +145,9 @@ function teardownAddons(app, addons, callback) {
     async.eachSeries(Object.keys(addons), function iterator(addon, iteratorCallback) {
         if (!(addon in KNOWN_ADDONS)) return iteratorCallback(new Error('No such addon:' + addon));
 
-        debugApp(app, 'Tearing down addon %s', addon);
+        debugApp(app, 'Tearing down addon %s with options %j', addon, addons[addon]);
 
-        KNOWN_ADDONS[addon].teardown(app, iteratorCallback);
+        KNOWN_ADDONS[addon].teardown(app, addons[addon], iteratorCallback);
     }, callback);
 }
 
@@ -166,7 +165,7 @@ function backupAddons(app, addons, callback) {
     async.eachSeries(Object.keys(addons), function iterator (addon, iteratorCallback) {
         if (!(addon in KNOWN_ADDONS)) return iteratorCallback(new Error('No such addon:' + addon));
 
-        KNOWN_ADDONS[addon].backup(app, iteratorCallback);
+        KNOWN_ADDONS[addon].backup(app, addons[addon], iteratorCallback);
     }, callback);
 }
 
@@ -184,7 +183,7 @@ function restoreAddons(app, addons, callback) {
     async.eachSeries(Object.keys(addons), function iterator (addon, iteratorCallback) {
         if (!(addon in KNOWN_ADDONS)) return iteratorCallback(new Error('No such addon:' + addon));
 
-        KNOWN_ADDONS[addon].restore(app, iteratorCallback);
+        KNOWN_ADDONS[addon].restore(app, addons[addon], iteratorCallback);
     }, callback);
 }
 
@@ -236,22 +235,24 @@ function getBindsSync(app, addons) {
     return binds;
 }
 
-function allocateOAuthCredentials(app, callback) {
+function setupOauth(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     var appId = app.id;
-    var id = 'cid-addon-' + uuid.v4();
+    var id = 'cid-addon-oauth-' + uuid.v4();
     var clientSecret = hat(256);
     var redirectURI = 'https://' + config.appFqdn(app.location);
     var scope = 'profile,roleUser';
 
-    debugApp(app, 'allocateOAuthCredentials: id:%s clientSecret:%s', id, clientSecret);
+    debugApp(app, 'setupOauth: id:%s clientSecret:%s', id, clientSecret);
 
-    clientdb.delByAppId('addon-' + appId, function (error) { // remove existing creds
+    // ensure 'addon-oauth-' is in sync with oauth.js
+    clientdb.delByAppId('addon-oauth-' + appId, function (error) { // remove existing creds
         if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(error);
 
-        clientdb.add(id, 'addon-' + appId, clientSecret, redirectURI, scope, function (error) {
+        clientdb.add(id, 'addon-oauth-' + appId, clientSecret, redirectURI, scope, function (error) {
             if (error) return callback(error);
 
             var env = [
@@ -267,27 +268,76 @@ function allocateOAuthCredentials(app, callback) {
     });
 }
 
-function removeOAuthCredentials(app, callback) {
+function teardownOauth(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    debugApp(app, 'removeOAuthCredentials');
+    debugApp(app, 'teardownOauth');
 
-    clientdb.delByAppId('addon-' + app.id, function (error) {
+    clientdb.delByAppId('addon-oauth-' + app.id, function (error) {
         if (error && error.reason !== DatabaseError.NOT_FOUND) console.error(error);
 
         appdb.unsetAddonConfig(app.id, 'oauth', callback);
     });
 }
 
-function setupLdap(app, callback) {
+function setupSimpleAuth(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    var appId = app.id;
+    var id = 'cid-addon-simpleauth-' + uuid.v4();
+    var scope = 'profile,roleUser';
+
+    debugApp(app, 'setupSimpleAuth: id:%s', id);
+
+    // ensure 'addon-simpleauth-' is in sync with oauth.js
+    clientdb.delByAppId('addon-simpleauth-' + appId, function (error) { // remove existing creds
+        if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(error);
+
+        clientdb.add(id, 'addon-simpleauth-' + appId, '', '', scope, function (error) {
+            if (error) return callback(error);
+
+            var env = [
+                'SIMPLE_AUTH_SERVER=172.17.42.1',
+                'SIMPLE_AUTH_PORT=' + config.get('simpleAuthPort'),
+                'SIMPLE_AUTH_URL=http://172.17.42.1:' + config.get('simpleAuthPort'), // obsolete, remove
+                'SIMPLE_AUTH_ORIGIN=http://172.17.42.1:' + config.get('simpleAuthPort'),
+                'SIMPLE_AUTH_CLIENT_ID=' + id
+            ];
+
+            debugApp(app, 'Setting simple auth addon config to %j', env);
+
+            appdb.setAddonConfig(appId, 'simpleauth', env, callback);
+        });
+    });
+}
+
+function teardownSimpleAuth(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debugApp(app, 'teardownSimpleAuth');
+
+    clientdb.delByAppId('addon-simpleauth-' + app.id, function (error) {
+        if (error && error.reason !== DatabaseError.NOT_FOUND) console.error(error);
+
+        appdb.unsetAddonConfig(app.id, 'simpleauth', callback);
+    });
+}
+
+function setupLdap(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     var env = [
         'LDAP_SERVER=172.17.42.1',
-        'LDAP_PORT=3002',
-        'LDAP_URL=ldap://172.17.42.1:3002',
+        'LDAP_PORT=' + config.get('ldapPort'),
+        'LDAP_URL=ldap://172.17.42.1:' + config.get('ldapPort'),
         'LDAP_USERS_BASE_DN=ou=users,dc=cloudron',
         'LDAP_GROUPS_BASE_DN=ou=groups,dc=cloudron',
         'LDAP_BIND_DN=cn='+ app.id + ',ou=apps,dc=cloudron',
@@ -299,8 +349,9 @@ function setupLdap(app, callback) {
     appdb.setAddonConfig(app.id, 'ldap', env, callback);
 }
 
-function teardownLdap(app, callback) {
+function teardownLdap(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     debugApp(app, 'Tearing down LDAP');
@@ -308,13 +359,14 @@ function teardownLdap(app, callback) {
     appdb.unsetAddonConfig(app.id, 'ldap', callback);
 }
 
-function setupSendMail(app, callback) {
+function setupSendMail(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     var env = [
         'MAIL_SMTP_SERVER=mail',
-        'MAIL_SMTP_PORT=25',
+        'MAIL_SMTP_PORT=2500', // if you change this, change the mail container
         'MAIL_SMTP_USERNAME=' + (app.location || app.id), // use app.id for bare domains
         'MAIL_DOMAIN=' + config.fqdn()
     ];
@@ -324,8 +376,9 @@ function setupSendMail(app, callback) {
     appdb.setAddonConfig(app.id, 'sendmail', env, callback);
 }
 
-function teardownSendMail(app, callback) {
+function teardownSendMail(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     debugApp(app, 'Tearing down sendmail');
@@ -333,8 +386,9 @@ function teardownSendMail(app, callback) {
     appdb.unsetAddonConfig(app.id, 'sendmail', callback);
 }
 
-function setupMySql(app, callback) {
+function setupMySql(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     debugApp(app, 'Setting up mysql');
@@ -367,7 +421,11 @@ function setupMySql(app, callback) {
     });
 }
 
-function teardownMySql(app, callback) {
+function teardownMySql(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
     var container = docker.getContainer('mysql');
     var cmd = [ '/addons/mysql/service.sh', 'remove', app.id ];
 
@@ -389,7 +447,7 @@ function teardownMySql(app, callback) {
     });
 }
 
-function backupMySql(app, callback) {
+function backupMySql(app, options, callback) {
     debugApp(app, 'Backing up mysql');
 
     callback = once(callback); // ChildProcess exit may or may not be called after error
@@ -408,10 +466,10 @@ function backupMySql(app, callback) {
     cp.stderr.pipe(process.stderr);
 }
 
-function restoreMySql(app, callback) {
+function restoreMySql(app, options, callback) {
     callback = once(callback); // ChildProcess exit may or may not be called after error
 
-    setupMySql(app, function (error) {
+    setupMySql(app, options, function (error) {
         if (error) return callback(error);
 
         debugApp(app, 'restoreMySql');
@@ -433,8 +491,9 @@ function restoreMySql(app, callback) {
     });
 }
 
-function setupPostgreSql(app, callback) {
+function setupPostgreSql(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     debugApp(app, 'Setting up postgresql');
@@ -467,7 +526,11 @@ function setupPostgreSql(app, callback) {
     });
 }
 
-function teardownPostgreSql(app, callback) {
+function teardownPostgreSql(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
     var container = docker.getContainer('postgresql');
     var cmd = [ '/addons/postgresql/service.sh', 'remove', app.id ];
 
@@ -489,7 +552,7 @@ function teardownPostgreSql(app, callback) {
     });
 }
 
-function backupPostgreSql(app, callback) {
+function backupPostgreSql(app, options, callback) {
     debugApp(app, 'Backing up postgresql');
 
     callback = once(callback); // ChildProcess exit may or may not be called after error
@@ -508,10 +571,10 @@ function backupPostgreSql(app, callback) {
     cp.stderr.pipe(process.stderr);
 }
 
-function restorePostgreSql(app, callback) {
+function restorePostgreSql(app, options, callback) {
     callback = once(callback); // ChildProcess exit may or may not be called after error
 
-    setupPostgreSql(app, function (error) {
+    setupPostgreSql(app, options, function (error) {
         if (error) return callback(error);
 
         debugApp(app, 'restorePostgreSql');
@@ -533,8 +596,9 @@ function restorePostgreSql(app, callback) {
     });
 }
 
-function setupMongoDb(app, callback) {
+function setupMongoDb(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     debugApp(app, 'Setting up mongodb');
@@ -567,7 +631,11 @@ function setupMongoDb(app, callback) {
     });
 }
 
-function teardownMongoDb(app, callback) {
+function teardownMongoDb(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
     var container = docker.getContainer('mongodb');
     var cmd = [ '/addons/mongodb/service.sh', 'remove', app.id ];
 
@@ -589,7 +657,7 @@ function teardownMongoDb(app, callback) {
     });
 }
 
-function backupMongoDb(app, callback) {
+function backupMongoDb(app, options, callback) {
     debugApp(app, 'Backing up mongodb');
 
     callback = once(callback); // ChildProcess exit may or may not be called after error
@@ -608,10 +676,10 @@ function backupMongoDb(app, callback) {
     cp.stderr.pipe(process.stderr);
 }
 
-function restoreMongoDb(app, callback) {
+function restoreMongoDb(app, options, callback) {
     callback = once(callback); // ChildProcess exit may or may not be called after error
 
-    setupMongoDb(app, function (error) {
+    setupMongoDb(app, options, function (error) {
         if (error) return callback(error);
 
         debugApp(app, 'restoreMongoDb');
@@ -650,8 +718,30 @@ function forwardRedisPort(appId, callback) {
     });
 }
 
+function stopAndRemoveRedis(container, callback) {
+    function ignoreError(func) {
+        return function (callback) {
+            func(function (error) {
+                if (error) debug('stopAndRemoveRedis: Ignored error:', error);
+                callback();
+            });
+        };
+    }
+
+    // stopping redis with SIGTERM makes it commit the database to disk
+    async.series([
+        ignoreError(container.stop.bind(container, { t: 10 })),
+        ignoreError(container.wait.bind(container)),
+        ignoreError(container.remove.bind(container, { force: true, v: true }))
+    ], callback);
+}
+
 // Ensures that app's addon redis container is running. Can be called when named container already exists/running
-function setupRedis(app, callback) {
+function setupRedis(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
     var redisPassword = generatePassword(64, false /* memorable */);
     var redisVarsFile = path.join(paths.ADDON_CONFIG_DIR, 'redis-' + app.id + '_vars.sh');
     var redisDataDir = path.join(paths.DATA_DIR, app.id + '/redis');
@@ -666,9 +756,13 @@ function setupRedis(app, callback) {
         name: 'redis-' + app.id,
         Hostname: config.appFqdn(app.location),
         Tty: true,
-        Image: 'cloudron/redis:0.4.0', // if you change this, fix setup/INFRA_VERSION as well
+        Image: 'cloudron/redis:0.6.1', // if you change this, fix setup/INFRA_VERSION as well
         Cmd: null,
-        Volumes: {},
+        Volumes: {
+            '/tmp': {},
+            '/run': {},
+            '/var/log': {}
+        },
         VolumesFrom: []
     };
 
@@ -686,6 +780,7 @@ function setupRedis(app, callback) {
         PortBindings: {
             '6379/tcp': [{ HostPort: '0', HostIp: isMac ? '0.0.0.0' : '127.0.0.1' }]
         },
+        ReadonlyRootfs: true,
         RestartPolicy: {
             'Name': 'always',
             'MaximumRetryCount': 0
@@ -700,7 +795,7 @@ function setupRedis(app, callback) {
     ];
 
     var redisContainer = docker.getContainer(createOptions.name);
-    redisContainer.remove({ force: true, v: false }, function (ignoredError) {
+    stopAndRemoveRedis(redisContainer, function () {
         docker.createContainer(createOptions, function (error) {
             if (error && error.statusCode !== 409) return callback(error); // if not already created
 
@@ -717,12 +812,16 @@ function setupRedis(app, callback) {
     });
 }
 
-function teardownRedis(app, callback) {
+function teardownRedis(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
    var container = docker.getContainer('redis-' + app.id);
 
    var removeOptions = {
        force: true, // kill container if it's running
-       v: false // removes volumes associated with the container
+       v: true // removes volumes associated with the container
    };
 
    container.remove(removeOptions, function (error) {
@@ -740,40 +839,18 @@ function teardownRedis(app, callback) {
    });
 }
 
-function allocateAccessToken(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
+function backupRedis(app, options, callback) {
+    debugApp(app, 'Backing up redis');
 
-    var token = tokendb.generateToken();
-    var expiresAt = Number.MAX_SAFE_INTEGER;    // basically never expire
-    var scopes = 'profile,users';               // TODO This should be put into the manifest and the user should know those
-    var clientId = '';                          // meaningless for apps so far
+    callback = once(callback); // ChildProcess exit may or may not be called after error
 
-   tokendb.delByIdentifier(tokendb.PREFIX_APP + app.id, function (error) {
-        if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(error);
-
-        tokendb.add(token, tokendb.PREFIX_APP + app.id, clientId, expiresAt, scopes, function (error) {
-            if (error) return callback(error);
-
-            var env = [
-                'CLOUDRON_TOKEN=' + token
-            ];
-
-            debugApp(app, 'Setting token addon config to %j', env);
-
-            appdb.setAddonConfig(appId, 'token', env, callback);
-        });
+    var cp = spawn('/usr/bin/docker', [ 'exec', 'redis-' + app.id, '/addons/redis/service.sh', 'backup' ]);
+    cp.on('error', callback);
+    cp.on('exit', function (code, signal) {
+        debugApp(app, 'backupRedis: done. code:%s signal:%s', code, signal);
+        if (!callback.called) callback(code ? 'backupRedis failed with status ' + code : null);
     });
+
+    cp.stdout.pipe(process.stdout);
+    cp.stderr.pipe(process.stderr);
 }
-
-function removeAccessToken(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    tokendb.delByIdentifier(tokendb.PREFIX_APP + app.id, function (error) {
-        if (error && error.reason !== DatabaseError.NOT_FOUND) console.error(error);
-
-        appdb.unsetAddonConfig(app.id, 'token', callback);
-    });
-}
-

src/appdb.js

@@ -40,7 +40,6 @@ exports = module.exports = {
     RSTATE_PENDING_START: 'pending_start',
     RSTATE_PENDING_STOP: 'pending_stop',
     RSTATE_STOPPED: 'stopped', // app stopped by use
-    RSTATE_ERROR: 'error',
 
     // run codes (keep in sync in UI)
     HEALTH_HEALTHY: 'healthy',
@@ -60,11 +59,11 @@ var assert = require('assert'),
 
 var APPS_FIELDS = [ 'id', 'appStoreId', 'installationState', 'installationProgress', 'runState',
     'health', 'containerId', 'manifestJson', 'httpPort', 'location', 'dnsRecordId',
-    'accessRestriction', 'lastBackupId', 'lastBackupConfigJson', 'oldConfigJson' ].join(',');
+    'accessRestriction', 'lastBackupId', 'lastBackupConfigJson', 'oldConfigJson', 'oauthProxy' ].join(',');
 
 var APPS_FIELDS_PREFIXED = [ 'apps.id', 'apps.appStoreId', 'apps.installationState', 'apps.installationProgress', 'apps.runState',
     'apps.health', 'apps.containerId', 'apps.manifestJson', 'apps.httpPort', 'apps.location', 'apps.dnsRecordId',
-    'apps.accessRestriction', 'apps.lastBackupId', 'apps.lastBackupConfigJson', 'apps.oldConfigJson' ].join(',');
+    'apps.accessRestriction', 'apps.lastBackupId', 'apps.lastBackupConfigJson', 'apps.oldConfigJson', 'apps.oauthProxy' ].join(',');
 
 var PORT_BINDINGS_FIELDS = [ 'hostPort', 'environmentVariable', 'appId' ].join(',');
 
@@ -96,6 +95,8 @@ function postProcess(result) {
     for (var i = 0; i < environmentVariables.length; i++) {
         result.portBindings[environmentVariables[i]] = parseInt(hostPorts[i], 10);
     }
+
+    result.oauthProxy = !!result.oauthProxy;
 }
 
 function get(id, callback) {
@@ -177,7 +178,7 @@ function getAll(callback) {
     });
 }
 
-function add(id, appStoreId, manifest, location, portBindings, accessRestriction, callback) {
+function add(id, appStoreId, manifest, location, portBindings, accessRestriction, oauthProxy, callback) {
     assert.strictEqual(typeof id, 'string');
     assert.strictEqual(typeof appStoreId, 'string');
     assert(manifest && typeof manifest === 'object');
@@ -185,6 +186,7 @@ function add(id, appStoreId, manifest, location, portBindings, accessRestriction
     assert.strictEqual(typeof location, 'string');
     assert.strictEqual(typeof portBindings, 'object');
     assert.strictEqual(typeof accessRestriction, 'string');
+    assert.strictEqual(typeof oauthProxy, 'boolean');
     assert.strictEqual(typeof callback, 'function');
 
     portBindings = portBindings || { };
@@ -193,8 +195,8 @@ function add(id, appStoreId, manifest, location, portBindings, accessRestriction
 
     var queries = [ ];
     queries.push({
-        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, location, accessRestriction) VALUES (?, ?, ?, ?, ?, ?)',
-        args: [ id, appStoreId, manifestJson, exports.ISTATE_PENDING_INSTALL, location, accessRestriction ]
+        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, location, accessRestriction, oauthProxy) VALUES (?, ?, ?, ?, ?, ?, ?)',
+        args: [ id, appStoreId, manifestJson, exports.ISTATE_PENDING_INSTALL, location, accessRestriction, oauthProxy ]
     });
 
     Object.keys(portBindings).forEach(function (env) {

src/apphealthmonitor.js

@@ -46,7 +46,7 @@ function setHealth(app, health, callback) {
 
         debugApp(app, 'marking as unhealthy since not seen for more than %s minutes', UNHEALTHY_THRESHOLD/(60 * 1000));
 
-        mailer.appDied(app);
+        if (app.appStoreId !== '') mailer.appDied(app); // do not send mails for dev apps
         gHealthInfo[app.id].emailSent = true;
     } else {
         debugApp(app, 'waiting for sometime to update the app health');
@@ -147,7 +147,9 @@ function processDockerEvents() {
                 if (app) context = context + '\n\n' + JSON.stringify(app, null, 4) + '\n';
 
                 debug('OOM Context: %s', context);
-                mailer.sendCrashNotification(program, context); // app can be null if it's an addon crash
+
+                // do not send mails for dev apps
+                if (app.appStoreId !== '') mailer.sendCrashNotification(program, context); // app can be null if it's an addon crash
             });
         });
 

src/apps.js

@@ -152,6 +152,7 @@ function validatePortBindings(portBindings, tcpPorts) {
         config.get('internalPort'), /* internal app server (lo) */
         config.get('ldapPort'), /* ldap server (lo) */
         config.get('oauthProxyPort'), /* oauth proxy server (lo) */
+        config.get('simpleAuthPort'), /* simple auth server (lo) */
         3306, /* mysql (lo) */
         8000 /* graphite (lo) */
     ];
@@ -280,13 +281,14 @@ function purchase(appStoreId, callback) {
     });
 }
 
-function install(appId, appStoreId, manifest, location, portBindings, accessRestriction, icon, callback) {
+function install(appId, appStoreId, manifest, location, portBindings, accessRestriction, oauthProxy, icon, callback) {
     assert.strictEqual(typeof appId, 'string');
     assert.strictEqual(typeof appStoreId, 'string');
     assert(manifest && typeof manifest === 'object');
     assert.strictEqual(typeof location, 'string');
     assert.strictEqual(typeof portBindings, 'object');
     assert.strictEqual(typeof accessRestriction, 'string');
+    assert.strictEqual(typeof oauthProxy, 'boolean');
     assert(!icon || typeof icon === 'string');
     assert.strictEqual(typeof callback, 'function');
 
@@ -318,7 +320,7 @@ function install(appId, appStoreId, manifest, location, portBindings, accessRest
     purchase(appStoreId, function (error) {
         if (error) return callback(error);
 
-        appdb.add(appId, appStoreId, manifest, location.toLowerCase(), portBindings, accessRestriction, function (error) {
+        appdb.add(appId, appStoreId, manifest, location.toLowerCase(), portBindings, accessRestriction, oauthProxy, function (error) {
             if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location.toLowerCase(), portBindings, error));
             if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
 
@@ -329,11 +331,12 @@ function install(appId, appStoreId, manifest, location, portBindings, accessRest
     });
 }
 
-function configure(appId, location, portBindings, accessRestriction, callback) {
+function configure(appId, location, portBindings, accessRestriction, oauthProxy, callback) {
     assert.strictEqual(typeof appId, 'string');
     assert.strictEqual(typeof location, 'string');
     assert.strictEqual(typeof portBindings, 'object');
     assert.strictEqual(typeof accessRestriction, 'string');
+    assert.strictEqual(typeof oauthProxy, 'boolean');
     assert.strictEqual(typeof callback, 'function');
 
     var error = validateHostname(location, config.fqdn());
@@ -352,12 +355,14 @@ function configure(appId, location, portBindings, accessRestriction, callback) {
         var values = {
             location: location.toLowerCase(),
             accessRestriction: accessRestriction,
+            oauthProxy: oauthProxy,
             portBindings: portBindings,
 
             oldConfig: {
                 location: app.location,
                 accessRestriction: app.accessRestriction,
-                portBindings: app.portBindings
+                portBindings: app.portBindings,
+                oauthProxy: app.oauthProxy
             }
         };
 
@@ -511,6 +516,7 @@ function restore(appId, callback) {
                 oldConfig: {
                     location: app.location,
                     accessRestriction: app.accessRestriction,
+                    oauthProxy: app.oauthProxy,
                     portBindings: app.portBindings,
                     manifest: app.manifest
                 }
@@ -691,11 +697,11 @@ function autoupdateApps(updateInfo, callback) { // updateInfo is { appId -> { ma
 }
 
 function canBackupApp(app) {
-    // only backup apps that are installed or pending configure. Rest of them are in some
+    // only backup apps that are installed or pending configure or called from apptask. Rest of them are in some
     // state not good for consistent backup (i.e addons may not have been setup completely)
     return (app.installationState === appdb.ISTATE_INSTALLED && app.health === appdb.HEALTH_HEALTHY) ||
             app.installationState === appdb.ISTATE_PENDING_CONFIGURE ||
-            app.installationState === appdb.ISTATE_PENDING_BACKUP ||
+            app.installationState === appdb.ISTATE_PENDING_BACKUP ||  // called from apptask
             app.installationState === appdb.ISTATE_PENDING_UPDATE; // called from apptask
 }
 
@@ -758,7 +764,8 @@ function backupApp(app, addonsToBackup, callback) {
             manifest: app.manifest,
             location: app.location,
             portBindings: app.portBindings,
-            accessRestriction: app.accessRestriction
+            accessRestriction: app.accessRestriction,
+            oauthProxy: app.oauthProxy
         };
         backupFunction = createNewBackup.bind(null, app, addonsToBackup);
 
@@ -818,4 +825,3 @@ function restoreApp(app, addonsToRestore, callback) {
         });
     });
 }
-

src/apptask.js

@@ -51,6 +51,7 @@ var addons = require('./addons.js'),
     path = require('path'),
     paths = require('./paths.js'),
     safe = require('safetydance'),
+    semver = require('semver'),
     shell = require('./shell.js'),
     SubdomainError = require('./subdomainerror.js'),
     subdomains = require('./subdomains.js'),
@@ -79,6 +80,14 @@ function debugApp(app, args) {
     debug(prefix + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)));
 }
 
+function targetBoxVersion(manifest) {
+    if ('targetBoxVersion' in manifest) return manifest.targetBoxVersion;
+
+    if ('minBoxVersion' in manifest) return manifest.minBoxVersion;
+
+    return '0.0.1';
+}
+
 // We expect conflicts to not happen despite closing the port (parallel app installs, app update does not reconfigure nginx etc)
 // https://tools.ietf.org/html/rfc6056#section-3.5 says linux uses random ephemeral port allocation
 function getFreePort(callback) {
@@ -100,7 +109,7 @@ function configureNginx(app, callback) {
         if (error) return callback(error);
 
         var sourceDir = path.resolve(__dirname, '..');
-        var endpoint = app.accessRestriction ? 'oauthproxy' : 'app';
+        var endpoint = app.oauthProxy ? 'oauthproxy' : 'app';
         var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, { sourceDir: sourceDir, adminOrigin: config.adminOrigin(), vhost: config.appFqdn(app.location), port: freePort, endpoint: endpoint });
 
         var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
@@ -132,23 +141,21 @@ function unconfigureNginx(app, callback) {
     vbox.unforwardFromHostToVirtualBox(app.id + '-http');
 }
 
-function downloadImage(app, callback) {
-    debugApp(app, 'downloadImage %s', app.manifest.dockerImage);
-
+function pullImage(app, callback) {
     docker.pull(app.manifest.dockerImage, function (err, stream) {
-        if (err) return callback(new Error('Error connecting to docker'));
+        if (err) return callback(new Error('Error connecting to docker. statusCode: %s' + err.statusCode));
 
         // https://github.com/dotcloud/docker/issues/1074 says each status message
         // is emitted as a chunk
         stream.on('data', function (chunk) {
             var data = safe.JSON.parse(chunk) || { };
-            debugApp(app, 'downloadImage data: %j', data);
+            debugApp(app, 'pullImage data: %j', data);
 
             // The information here is useless because this is per layer as opposed to per image
             if (data.status) {
-                debugApp(app, 'progress: %s', data.status); // progressDetail { current, total }
+                // debugApp(app, 'progress: %s', data.status); // progressDetail { current, total }
             } else if (data.error) {
-                debugApp(app, 'error detail: %s', data.errorDetail.message);
+                debugApp(app, 'pullImage error detail: %s', data.errorDetail.message);
             }
         });
 
@@ -158,25 +165,40 @@ function downloadImage(app, callback) {
             var image = docker.getImage(app.manifest.dockerImage);
 
             image.inspect(function (err, data) {
-                if (err) {
-                    return callback(new Error('Error inspecting image:' + err.message));
-                }
-
-                if (!data || !data.Config) {
-                    return callback(new Error('Missing Config in image:' + JSON.stringify(data, null, 4)));
-                }
-
-                if (!data.Config.Entrypoint && !data.Config.Cmd) {
-                    return callback(new Error('Only images with entry point are allowed'));
-                }
+                if (err) return callback(new Error('Error inspecting image:' + err.message));
+                if (!data || !data.Config) return callback(new Error('Missing Config in image:' + JSON.stringify(data, null, 4)));
+                if (!data.Config.Entrypoint && !data.Config.Cmd) return callback(new Error('Only images with entry point are allowed'));
 
                 debugApp(app, 'This image exposes ports: %j', data.Config.ExposedPorts);
-                return callback(null);
+
+                callback(null);
             });
         });
+
+        stream.on('error', function (error) {
+            debugApp(app, 'pullImage error : %j', error);
+
+            callback(error);
+        });
     });
 }
 
+function downloadImage(app, callback) {
+    debugApp(app, 'downloadImage %s', app.manifest.dockerImage);
+
+    var attempt = 1;
+
+    async.retry({ times: 5, interval: 15000 }, function (retryCallback) {
+        debugApp(app, 'Downloading image. attempt: %s', attempt++);
+
+        pullImage(app, function (error) {
+            if (error) console.error(error);
+
+            retryCallback(error);
+        });
+    }, callback);
+}
+
 function createContainer(app, callback) {
     appdb.getPortBindings(app.id, function (error, portBindings) {
         if (error) return callback(error);
@@ -210,7 +232,12 @@ function createContainer(app, callback) {
                 Image: app.manifest.dockerImage,
                 Cmd: null,
                 Env: env.concat(addonEnv),
-                ExposedPorts: exposedPorts
+                ExposedPorts: exposedPorts,
+                Volumes: { // see also ReadonlyRootfs
+                    '/tmp': {},
+                    '/run': {},
+                    '/var/log': {}
+                }
             };
 
             debugApp(app, 'Creating container for %s', app.manifest.dockerImage);
@@ -231,7 +258,7 @@ function deleteContainer(app, callback) {
 
     var removeOptions = {
         force: true, // kill container if it's running
-        v: false // removes volumes associated with the container
+        v: true // removes volumes associated with the container (but not host mounts)
     };
 
     container.remove(removeOptions, function (error) {
@@ -280,13 +307,13 @@ function allocateOAuthProxyCredentials(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    if (!app.accessRestriction) return callback(null);
+    if (!app.oauthProxy) return callback(null);
 
     var appId = 'proxy-' + app.id;
     var id = 'cid-proxy-' + uuid.v4();
     var clientSecret = hat(256);
     var redirectURI = 'https://' + config.appFqdn(app.location);
-    var scope = 'profile,' + app.accessRestriction;
+    var scope = 'profile,roleUser';
 
     clientdb.add(id, appId, clientSecret, redirectURI, scope, callback);
 }
@@ -347,6 +374,7 @@ function startContainer(app, callback) {
             MemorySwap: memoryLimit, // Memory + Swap
             PortBindings: dockerPortBindings,
             PublishAllPorts: false,
+            ReadonlyRootfs: semver.gte(targetBoxVersion(app.manifest), '0.0.66'), // see also Volumes in startContainer
             Links: addons.getLinksSync(app, app.manifest.addons),
             RestartPolicy: {
                 "Name": "always",
@@ -506,7 +534,7 @@ function waitForDnsPropagation(app, callback) {
 
 // updates the app object and the database
 function updateApp(app, values, callback) {
-    debugApp(app, 'installationState: %s progress: %s', app.installationState, app.installationProgress);
+    debugApp(app, 'updating app with values: %j', values);
 
     appdb.update(app.id, values, function (error) {
         if (error) return callback(error);
@@ -691,8 +719,8 @@ function configure(app, callback) {
         stopApp.bind(null, app),
         deleteContainer.bind(null, app),
         function (next) {
-            // oldConfig can be null during an infra update. location can be null when infra updated for an updated app
-            if (!app.oldConfig || !app.oldConfig.location || app.oldConfig.location === app.location) return next();
+            // oldConfig can be null during an infra update
+            if (!app.oldConfig || app.oldConfig.location === app.location) return next();
             unregisterSubdomain(app, app.oldConfig.location, next);
         },
         removeOAuthProxyCredentials.bind(null, app),
@@ -842,10 +870,7 @@ function uninstall(app, callback) {
 
 function runApp(app, callback) {
     startContainer(app, function (error) {
-        if (error) {
-            debugApp(app, 'Error starting container : %s', error);
-            return updateApp(app, { runState: appdb.RSTATE_ERROR }, callback);
-        }
+        if (error) return callback(error);
 
         updateApp(app, { runState: appdb.RSTATE_RUNNING }, callback);
     });

src/caas.js

@@ -65,6 +65,7 @@ function delSubdomain(zoneName, subdomain, type, value, callback) {
         .end(function (error, result) {
             if (error) return callback(error);
             if (result.status === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
+            if (result.status === 404) return callback(new SubdomainError(SubdomainError.NOT_FOUND));
             if (result.status !== 204) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
 
             return callback(null);

src/config.js

@@ -75,6 +75,7 @@ function initConfig() {
     data.internalPort = 3001;
     data.ldapPort = 3002;
     data.oauthProxyPort = 3003;
+    data.simpleAuthPort = 3004;
     data.backupKey = 'backupKey';
     data.aws = {
         backupBucket: null,

src/mailer.js

@@ -87,13 +87,13 @@ function processQueue() {
 
         var transport = nodemailer.createTransport(smtpTransport({
             host: mailServerIp,
-            port: 25
+            port: 2500 // this value comes from mail container
         }));
 
         var mailQueueCopy = gMailQueue;
         gMailQueue = [ ];
 
-        debug('Processing mail queue of size %d', mailQueueCopy.length);
+        debug('Processing mail queue of size %d (through %s:2500)', mailQueueCopy.length, mailServerIp);
 
         async.mapSeries(mailQueueCopy, function iterator(mailOptions, callback) {
             transport.sendMail(mailOptions, function (error) {

src/oauth2views/dialog.ejs

@@ -1,38 +0,0 @@
-<% include header %>
-
-<form action="/api/v1/oauth/dialog/authorize/decision" method="post">
-  <input name="transaction_id" type="hidden" value="<%= transactionID %>">
-  <input type="hidden" name="_csrf" value="<%= csrf %>"/>
-
-  <div class="row">
-    <div class="col-md-3"></div>
-    <div class="col-md-6">
-      <div class="container-fluid">
-        <div class="row">
-          <div class="col-sm-12">
-            Hi <%= user.username %>!
-          </div>
-        </div>
-        <div class="row">
-          <div class="col-sm-12">
-            <b><%= client.name %></b> is requesting access to your account.
-          </div>
-        </div>
-        <div class="row">
-          <div class="col-sm-12">
-            Do you approve?
-          </div>
-        </div>
-        <div class="row">
-          <div class="col-sm-12">
-            <input class="btn btn-danger btn-outline" type="submit" value="Deny" name="cancel" id="deny"/>
-            <input class="btn btn-success btn-outline" type="submit" value="Allow"/>
-          </div>
-        </div>
-      </div>
-    </div>
-    <div class="col-md-3"></div>
-  </div>
-</form>
-
-<% include footer %>

src/oauth2views/header.ejs

@@ -26,3 +26,13 @@
 </head>
 
 <body class="oauth">
+
+    <!-- Navigation -->
+    <nav class="navbar navbar-default navbar-static-top shadow" role="navigation" style="margin-bottom: 0">
+        <div class="container-fluid">
+            <div class="navbar-header">
+                <span class="navbar-brand navbar-brand-icon"><img src="/api/v1/cloudron/avatar" width="40" height="40"/></span>
+                <span class="navbar-brand"><%= cloudronName %></span>
+            </div>
+        </div>
+    </nav>

src/oauth2views/login.ejs

@@ -7,7 +7,7 @@
                 <div class="row">
                     <div class="col-md-12" style="text-align: center;">
                         <img width="128" height="128" src="<%= applicationLogo %>"/>
-                        <h1>Login to <%= applicationName %> on <%= cloudronName %></h1>
+                        <h1><small>Login to</small> <%= applicationName %></h1>
                         <br/>
                     </div>
                 </div>

src/routes/apps.js

@@ -43,6 +43,7 @@ function removeInternalAppFields(app) {
         health: app.health,
         location: app.location,
         accessRestriction: app.accessRestriction,
+        oauthProxy: app.oauthProxy,
         lastBackupId: app.lastBackupId,
         manifest: app.manifest,
         portBindings: app.portBindings,
@@ -114,14 +115,15 @@ function installApp(req, res, next) {
     if (typeof data.location !== 'string') return next(new HttpError(400, 'location is required'));
     if (('portBindings' in data) && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
     if (typeof data.accessRestriction !== 'string') return next(new HttpError(400, 'accessRestriction is required'));
+    if (typeof data.oauthProxy !== 'boolean') return next(new HttpError(400, 'oauthProxy must be a boolean'));
     if ('icon' in data && typeof data.icon !== 'string') return next(new HttpError(400, 'icon is not a string'));
 
     // allow tests to provide an appId for testing
     var appId = (process.env.BOX_ENV === 'test' && typeof data.appId === 'string') ? data.appId : uuid.v4();
 
-    debug('Installing app id:%s storeid:%s loc:%s port:%j restrict:%s manifest:%j', appId, data.appStoreId, data.location, data.portBindings, data.accessRestriction, data.manifest);
+    debug('Installing app id:%s storeid:%s loc:%s port:%j restrict:%s oauthproxy:%s manifest:%j', appId, data.appStoreId, data.location, data.portBindings, data.accessRestriction, data.oauthProxy, data.manifest);
 
-    apps.install(appId, data.appStoreId, data.manifest, data.location, data.portBindings || null, data.accessRestriction, data.icon || null, function (error) {
+    apps.install(appId, data.appStoreId, data.manifest, data.location, data.portBindings || null, data.accessRestriction, data.oauthProxy, data.icon || null, function (error) {
         if (error && error.reason === AppsError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
         if (error && error.reason === AppsError.PORT_RESERVED) return next(new HttpError(409, 'Port ' + error.message + ' is reserved.'));
         if (error && error.reason === AppsError.PORT_CONFLICT) return next(new HttpError(409, 'Port ' + error.message + ' is already in use.'));
@@ -150,10 +152,11 @@ function configureApp(req, res, next) {
     if (typeof data.location !== 'string') return next(new HttpError(400, 'location is required'));
     if (('portBindings' in data) && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
     if (typeof data.accessRestriction !== 'string') return next(new HttpError(400, 'accessRestriction is required'));
+    if (typeof data.oauthProxy !== 'boolean') return next(new HttpError(400, 'oauthProxy must be a boolean'));
 
     debug('Configuring app id:%s location:%s bindings:%j', req.params.id, data.location, data.portBindings);
 
-    apps.configure(req.params.id, data.location, data.portBindings || null, data.accessRestriction, function (error) {
+    apps.configure(req.params.id, data.location, data.portBindings || null, data.accessRestriction, data.oauthProxy, function (error) {
         if (error && error.reason === AppsError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
         if (error && error.reason === AppsError.PORT_RESERVED) return next(new HttpError(409, 'Port ' + error.message + ' is reserved.'));
         if (error && error.reason === AppsError.PORT_CONFLICT) return next(new HttpError(409, 'Port ' + error.message + ' is already in use.'));

src/routes/oauth2.js

@@ -148,6 +148,21 @@ session.ensureLoggedIn = function (redirectTo) {
     };
 };
 
+function renderTemplate(res, template, data) {
+    assert.strictEqual(typeof res, 'object');
+    assert.strictEqual(typeof template, 'string');
+    assert.strictEqual(typeof data, 'object');
+
+    settings.getCloudronName(function (error, cloudronName) {
+        if (error) console.error(error);
+
+        // amend details which the header expects
+        data.cloudronName = cloudronName || 'Cloudron';
+
+        res.render(template, data);
+    });
+}
+
 function sendErrorPageOrRedirect(req, res, message) {
     assert.strictEqual(typeof req, 'object');
     assert.strictEqual(typeof res, 'object');
@@ -156,16 +171,19 @@ function sendErrorPageOrRedirect(req, res, message) {
     debug('sendErrorPageOrRedirect: returnTo "%s".', req.query.returnTo, message);
 
     if (typeof req.query.returnTo !== 'string') {
-        res.render('error', {
+        renderTemplate(res, 'error', {
             adminOrigin: config.adminOrigin(),
             message: message
         });
     } else {
         var u = url.parse(req.query.returnTo);
-        if (!u.protocol || !u.host) return res.render('error', {
-            adminOrigin: config.adminOrigin(),
-            message: 'Invalid request. returnTo query is not a valid URI. ' + message
-        });
+        if (!u.protocol || !u.host) {
+            renderTemplate(res, 'error', {
+                adminOrigin: config.adminOrigin(),
+                message: 'Invalid request. returnTo query is not a valid URI. ' + message
+            });
+            return;
+        }
 
         res.redirect(util.format('%s//%s', u.protocol, u.host));
     }
@@ -178,7 +196,7 @@ function sendError(req, res, message) {
     assert.strictEqual(typeof res, 'object');
     assert.strictEqual(typeof message, 'string');
 
-    res.render('error', {
+    renderTemplate(res, 'error', {
         adminOrigin: config.adminOrigin(),
         message: message
     });
@@ -191,47 +209,40 @@ function loginForm(req, res) {
     var u = url.parse(req.session.returnTo, true);
     if (!u.query.client_id) return sendErrorPageOrRedirect(req, res, 'Invalid login request. No client_id provided.');
 
-    var cloudronName = '';
-
     function render(applicationName, applicationLogo) {
-        res.render('login', {
+        renderTemplate(res, 'login', {
             adminOrigin: config.adminOrigin(),
             csrf: req.csrfToken(),
-            cloudronName: cloudronName,
             applicationName: applicationName,
             applicationLogo: applicationLogo,
             error: req.query.error || null
         });
     }
 
-    settings.getCloudronName(function (error, name) {
-        if (error) return sendError(req, res, 'Internal Error');
+    clientdb.get(u.query.client_id, function (error, result) {
+        if (error) return sendError(req, res, 'Unknown OAuth client');
 
-        cloudronName = name;
+        // Handle our different types of oauth clients
+        var appId = result.appId;
+        if (appId === constants.ADMIN_CLIENT_ID) {
+            return render(constants.ADMIN_NAME, '/api/v1/cloudron/avatar');
+        } else if (appId === constants.TEST_CLIENT_ID) {
+            return render(constants.TEST_NAME, '/api/v1/cloudron/avatar');
+        } else if (appId.indexOf('external-') === 0) {
+            return render('External Application', '/api/v1/cloudron/avatar');
+        } else if (appId.indexOf('addon-oauth-') === 0) {
+            appId = appId.slice('addon-oauth-'.length);
+        } else if (appId.indexOf('addon-simpleauth-') === 0) {
+            appId = appId.slice('addon-simpleauth-'.length);
+        } else if (appId.indexOf('proxy-') === 0) {
+            appId = appId.slice('proxy-'.length);
+        }
 
-        clientdb.get(u.query.client_id, function (error, result) {
-            if (error) return sendError(req, res, 'Unknown OAuth client');
+        appdb.get(appId, function (error, result) {
+            if (error) return sendErrorPageOrRedirect(req, res, 'Unknown Application for those OAuth credentials');
 
-            // Handle our different types of oauth clients
-            var appId = result.appId;
-            if (appId === constants.ADMIN_CLIENT_ID) {
-                return render(constants.ADMIN_NAME, '/api/v1/cloudron/avatar');
-            } else if (appId === constants.TEST_CLIENT_ID) {
-                return render(constants.TEST_NAME, '/api/v1/cloudron/avatar');
-            } else if (appId.indexOf('external-') === 0) {
-                return render('External Application', '/api/v1/cloudron/avatar');
-            } else if (appId.indexOf('addon-') === 0) {
-                appId = appId.slice('addon-'.length);
-            } else if (appId.indexOf('proxy-') === 0) {
-                appId = appId.slice('proxy-'.length);
-            }
-
-            appdb.get(appId, function (error, result) {
-                if (error) return sendErrorPageOrRedirect(req, res, 'Unknown Application for those OAuth credentials');
-
-                var applicationName = result.location || config.fqdn();
-                render(applicationName, '/api/v1/cloudron/avatar');
-            });
+            var applicationName = result.location || config.fqdn();
+            render(applicationName, '/api/v1/apps/' + result.id + '/icon');
         });
     });
 }
@@ -259,7 +270,7 @@ function logout(req, res) {
 // Form to enter email address to send a password reset request mail
 // -> GET /api/v1/session/password/resetRequest.html
 function passwordResetRequestSite(req, res) {
-    res.render('password_reset_request', { adminOrigin: config.adminOrigin(), csrf: req.csrfToken() });
+    renderTemplate(res, 'password_reset_request', { adminOrigin: config.adminOrigin(), csrf: req.csrfToken() });
 }
 
 // This route is used for above form submission
@@ -283,7 +294,7 @@ function passwordResetRequest(req, res, next) {
 
 // -> GET /api/v1/session/password/sent.html
 function passwordSentSite(req, res) {
-    res.render('password_reset_sent', { adminOrigin: config.adminOrigin() });
+    renderTemplate(res, 'password_reset_sent', { adminOrigin: config.adminOrigin() });
 }
 
 // -> GET /api/v1/session/password/setup.html
@@ -295,7 +306,12 @@ function passwordSetupSite(req, res, next) {
     user.getByResetToken(req.query.reset_token, function (error, user) {
         if (error) return next(new HttpError(401, 'Invalid reset_token'));
 
-        res.render('password_setup', { adminOrigin: config.adminOrigin(), user: user, csrf: req.csrfToken(), resetToken: req.query.reset_token });
+        renderTemplate(res, 'password_setup', {
+            adminOrigin: config.adminOrigin(),
+            user: user,
+            csrf: req.csrfToken(),
+            resetToken: req.query.reset_token
+        });
     });
 }
 
@@ -308,7 +324,12 @@ function passwordResetSite(req, res, next) {
     user.getByResetToken(req.query.reset_token, function (error, user) {
         if (error) return next(new HttpError(401, 'Invalid reset_token'));
 
-        res.render('password_reset', { adminOrigin: config.adminOrigin(), user: user, csrf: req.csrfToken(), resetToken: req.query.reset_token });
+        renderTemplate(res, 'password_reset', {
+            adminOrigin: config.adminOrigin(),
+            user: user,
+            csrf: req.csrfToken(),
+            resetToken: req.query.reset_token
+        });
     });
 }
 
@@ -343,7 +364,7 @@ var callback = [
     session.ensureLoggedIn('/api/v1/session/login'),
     function (req, res) {
         debug('callback: with callback server ' + req.query.redirectURI);
-        res.render('callback', { adminOrigin: config.adminOrigin(), callbackServer: req.query.redirectURI });
+        renderTemplate(res, 'callback', { adminOrigin: config.adminOrigin(), callbackServer: req.query.redirectURI });
     }
 ];
 
@@ -400,35 +421,11 @@ var authorization = [
             callback(null, client, '/api/v1/session/callback?redirectURI=' + url.resolve(redirectOrigin, redirectPath));
         });
     }),
-    // Until we have OAuth scopes, skip decision dialog
-    // OAuth sopes skip START
-    function (req, res, next) {
-        assert.strictEqual(typeof req.body, 'object');
-        assert.strictEqual(typeof req.oauth2, 'object');
-
-        var scopes = req.oauth2.client.scope ? req.oauth2.client.scope.split(',') : ['profile','roleUser'];
-
-        if (scopes.indexOf('roleAdmin') !== -1 && !req.user.admin) {
-            return sendErrorPageOrRedirect(req, res, 'Admin capabilities required');
-        }
-
-        req.body.transaction_id = req.oauth2.transactionID;
-        next();
-    },
-    gServer.decision(function(req, done) {
-        debug('decision: with scope', req.oauth2.req.scope);
-        return done(null, { scope: req.oauth2.req.scope });
+    // we do not have a decision dialog, no need to load the transaction
+    gServer.decision({ loadTransaction: false }, function (req, done) {
+        debug('decision: with scope', req.oauth2.client.scope);
+        return done(null, { scope: req.oauth2.client.scope });
     })
-    // OAuth sopes skip END
-    // function (req, res) {
-    //     res.render('dialog', { transactionID: req.oauth2.transactionID, user: req.user, client: req.oauth2.client, csrf: req.csrfToken() });
-    // }
-];
-
-// this triggers the above grant middleware and handles the user's decision if he accepts the access
-var decision = [
-    session.ensureLoggedIn('/api/v1/session/login'),
-    gServer.decision()
 ];
 
 
@@ -509,7 +506,6 @@ exports = module.exports = {
     passwordSetupSite: passwordSetupSite,
     passwordReset: passwordReset,
     authorization: authorization,
-    decision: decision,
     token: token,
     scope: scope,
     csrf: csrf

src/routes/test/apps-test.js

@@ -40,12 +40,17 @@ var appdb = require('../../appdb.js'),
 
 var SERVER_URL = 'http://localhost:' + config.get('port');
 
+// Test image information
+var TEST_IMAGE_REPO = 'cloudron/test';
+var TEST_IMAGE_TAG = '6.0.0';
+var TEST_IMAGE_ID = '7a53b21358cd7b014d29ee85f16ac535c37c11fb1f4c124197941236eb4d7c64';
+
 var APP_STORE_ID = 'test', APP_ID;
 var APP_LOCATION = 'appslocation';
 var APP_LOCATION_2 = 'appslocationtwo';
 var APP_LOCATION_NEW = 'appslocationnew';
 var APP_MANIFEST = JSON.parse(fs.readFileSync(__dirname + '/../../../../test-app/CloudronManifest.json', 'utf8'));
-APP_MANIFEST.dockerImage = 'girish/test:0.2.0';
+APP_MANIFEST.dockerImage = TEST_IMAGE_REPO + ':' + TEST_IMAGE_TAG;
 var USERNAME = 'admin', PASSWORD = 'password', EMAIL ='admin@me.com';
 var USERNAME_1 = 'user', PASSWORD_1 = 'password', EMAIL_1 ='user@me.com';
 var token = null; // authentication token
@@ -152,7 +157,7 @@ function cleanup(done) {
 
         function (callback) { setTimeout(callback, 2000); }, // give taskmanager tasks couple of seconds to finish
 
-        child_process.exec.bind(null, 'docker rm -f mysql; docker rm -f postgresql; docker rm -f mongodb')
+        child_process.exec.bind(null, 'docker rm -f mysql; docker rm -f postgresql; docker rm -f mongodb; docker rm -f mail')
     ], done);
 }
 
@@ -162,7 +167,7 @@ describe('App API', function () {
 
     before(function (done) {
         dockerProxy = startDockerProxy(function interceptor(req, res) {
-            if (req.method === 'DELETE' && req.url === '/images/c7ddfc8fb7cd8a14d4d70153a199ff0c6e9b709807aeec5a7b799d60618731d1?force=true&noprune=false') {
+            if (req.method === 'DELETE' && req.url === '/images/' + TEST_IMAGE_ID + '?force=true&noprune=false') {
                 res.writeHead(200);
                 res.end();
                 return true;
@@ -216,7 +221,7 @@ describe('App API', function () {
     it('app install fails - invalid location', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: '!awesome', accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: '!awesome', accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('Hostname can only contain alphanumerics and hyphen');
@@ -227,7 +232,7 @@ describe('App API', function () {
     it('app install fails - invalid location type', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: 42, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: 42, accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('location is required');
@@ -238,7 +243,7 @@ describe('App API', function () {
     it('app install fails - reserved admin location', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.ADMIN_LOCATION, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.ADMIN_LOCATION, accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql(constants.ADMIN_LOCATION + ' is reserved');
@@ -249,7 +254,7 @@ describe('App API', function () {
     it('app install fails - reserved api location', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.API_LOCATION, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.API_LOCATION, accessRestriction: '', oauthProxy: true })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql(constants.API_LOCATION + ' is reserved');
@@ -260,7 +265,7 @@ describe('App API', function () {
     it('app install fails - portBindings must be object', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: 23, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: 23, accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('portBindings must be an object');
@@ -271,7 +276,7 @@ describe('App API', function () {
     it('app install fails - accessRestriction is required', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {} })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             expect(res.body.message).to.eql('accessRestriction is required');
@@ -279,10 +284,21 @@ describe('App API', function () {
         });
     });
 
+    it('app install fails - oauthProxy is required', function (done) {
+        request.post(SERVER_URL + '/api/v1/apps/install')
+               .query({ access_token: token })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: '' })
+               .end(function (err, res) {
+            expect(res.statusCode).to.equal(400);
+            expect(res.body.message).to.eql('oauthProxy must be a boolean');
+            done(err);
+        });
+    });
+
     it('app install fails for non admin', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token_1 })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
             done(err);
@@ -294,7 +310,7 @@ describe('App API', function () {
 
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(402);
             expect(fake.isDone()).to.be.ok();
@@ -307,7 +323,7 @@ describe('App API', function () {
 
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
             expect(res.body.id).to.be.a('string');
@@ -322,7 +338,7 @@ describe('App API', function () {
 
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(409);
             expect(fake.isDone()).to.be.ok();
@@ -446,7 +462,7 @@ describe('App API', function () {
 
         request.post(SERVER_URL + '/api/v1/apps/install')
                .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION_2, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION_2, portBindings: null, accessRestriction: '', oauthProxy: false })
                .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
             expect(res.body.id).to.be.a('string');
@@ -475,7 +491,7 @@ describe('App API', function () {
 
                 request.post(SERVER_URL + '/api/v1/apps/install')
                        .query({ access_token: token })
-                       .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, location: APP_LOCATION+APP_LOCATION, portBindings: null, accessRestriction: '' })
+                       .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, location: APP_LOCATION+APP_LOCATION, portBindings: null, accessRestriction: '', oauthProxy: false })
                        .end(function (err, res) {
                     expect(res.statusCode).to.equal(202);
                     expect(res.body.id).to.be.a('string');
@@ -510,12 +526,12 @@ describe('App installation', function () {
         async.series([
             function (callback) {
                 dockerProxy = startDockerProxy(function interceptor(req, res) {
-                    if (req.method === 'POST' && req.url === '/images/create?fromImage=girish%2Ftest&tag=0.2.0') {
+                    if (req.method === 'POST' && req.url === '/images/create?fromImage=' + encodeURIComponent(TEST_IMAGE_REPO) + '&tag=' + TEST_IMAGE_TAG) {
                         imageCreated = true;
                         res.writeHead(200);
                         res.end();
                         return true;
-                    } else if (req.method === 'DELETE' && req.url === '/images/c7ddfc8fb7cd8a14d4d70153a199ff0c6e9b709807aeec5a7b799d60618731d1?force=true&noprune=false') {
+                    } else if (req.method === 'DELETE' && req.url === '/images/' + TEST_IMAGE_ID + '?force=true&noprune=false') {
                         imageDeleted = true;
                         res.writeHead(200);
                         res.end();
@@ -586,7 +602,7 @@ describe('App installation', function () {
 
         request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '', oauthProxy: false })
               .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
             expect(fake.isDone()).to.be.ok();
@@ -618,9 +634,9 @@ describe('App installation', function () {
             expect(data.Config.Env).to.contain('WEBADMIN_ORIGIN=' + config.adminOrigin());
             expect(data.Config.Env).to.contain('API_ORIGIN=' + config.adminOrigin());
             expect(data.Config.Env).to.contain('CLOUDRON=1');
-            clientdb.getByAppId('addon-' + appResult.id, function (error, client) {
+            clientdb.getByAppId('addon-oauth-' + appResult.id, function (error, client) {
                 expect(error).to.not.be.ok();
-                expect(client.id.length).to.be(46); // cid-addon- + 32 hex chars (128 bits) + 4 hyphens
+                expect(client.id.length).to.be(52); // cid-addon-oauth- + 32 hex chars (128 bits) + 4 hyphens
                 expect(client.clientSecret.length).to.be(64); // 32 hex chars (256 bits)
                 expect(data.Config.Env).to.contain('OAUTH_CLIENT_ID=' + client.id);
                 expect(data.Config.Env).to.contain('OAUTH_CLIENT_SECRET=' + client.clientSecret);
@@ -659,7 +675,14 @@ describe('App installation', function () {
     it('installation - running container has volume mounted', function (done) {
         docker.getContainer(appEntry.containerId).inspect(function (error, data) {
             expect(error).to.not.be.ok();
-            expect(data.Volumes['/app/data']).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+
+            // support newer docker versions
+            if (data.Volumes) {
+                expect(data.Volumes['/app/data']).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+            } else {
+                expect(data.Mounts.filter(function (mount) { return mount.Destination === '/app/data'; })[0].Source).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+            }
+
             done();
         });
     });
@@ -735,7 +758,7 @@ describe('App installation', function () {
             child_process.exec('docker exec ' + appContainer.id + ' ' + cmd, { timeout: 5000 }, function (error, stdout, stderr) {
                 expect(!error).to.be.ok();
                 expect(stdout.length).to.be(0);
-                expect(stderr.length).to.be(0);
+                // expect(stderr.length).to.be(0); // "Warning: Using a password on the command line interface can be insecure."
                 done();
             });
         });
@@ -959,12 +982,12 @@ describe('App installation - port bindings', function () {
         async.series([
             function (callback) {
                 dockerProxy = startDockerProxy(function interceptor(req, res) {
-                    if (req.method === 'POST' && req.url === '/images/create?fromImage=girish%2Ftest&tag=0.2.0') {
+                    if (req.method === 'POST' && req.url === '/images/create?fromImage=' + encodeURIComponent(TEST_IMAGE_REPO) + '&tag=' + TEST_IMAGE_TAG) {
                         imageCreated = true;
                         res.writeHead(200);
                         res.end();
                         return true;
-                    } else if (req.method === 'DELETE' && req.url === '/images/c7ddfc8fb7cd8a14d4d70153a199ff0c6e9b709807aeec5a7b799d60618731d1?force=true&noprune=false') {
+                    } else if (req.method === 'DELETE' && req.url === '/images/' + TEST_IMAGE_ID + '?force=true&noprune=false') {
                         imageDeleted = true;
                         res.writeHead(200);
                         res.end();
@@ -1034,7 +1057,7 @@ describe('App installation - port bindings', function () {
 
         request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: { ECHO_SERVER_PORT: 7171 }, accessRestriction: '' })
+              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: { ECHO_SERVER_PORT: 7171 }, accessRestriction: '', oauthProxy: false })
               .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
             expect(fake.isDone()).to.be.ok();
@@ -1114,7 +1137,14 @@ describe('App installation - port bindings', function () {
     it('installation - running container has volume mounted', function (done) {
         docker.getContainer(appEntry.containerId).inspect(function (error, data) {
             expect(error).to.not.be.ok();
-            expect(data.Volumes['/app/data']).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+
+            // support newer docker versions
+            if (data.Volumes) {
+                expect(data.Volumes['/app/data']).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+            } else {
+                expect(data.Mounts.filter(function (mount) { return mount.Destination === '/app/data'; })[0].Source).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+            }
+
             done();
         });
     });
@@ -1188,7 +1218,7 @@ describe('App installation - port bindings', function () {
     it('cannot reconfigure app with missing location', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
-              .send({ appId: APP_ID, password: PASSWORD, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: 'roleAdmin' })
+              .send({ appId: APP_ID, password: PASSWORD, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: 'roleAdmin', oauthProxy: true })
               .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             done();
@@ -1198,7 +1228,17 @@ describe('App installation - port bindings', function () {
     it('cannot reconfigure app with missing accessRestriction', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
-              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 } })
+              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, oauthProxy: false })
+              .end(function (err, res) {
+            expect(res.statusCode).to.equal(400);
+            done();
+        });
+    });
+
+    it('cannot reconfigure app with missing oauthProxy', function (done) {
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+              .query({ access_token: token })
+              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: '' })
               .end(function (err, res) {
             expect(res.statusCode).to.equal(400);
             done();
@@ -1208,7 +1248,7 @@ describe('App installation - port bindings', function () {
     it('non admin cannot reconfigure app', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token_1 })
-              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: 'roleAdmin' })
+              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: 'roleAdmin', oauthProxy: true })
               .end(function (err, res) {
             expect(res.statusCode).to.equal(403);
             done();
@@ -1218,7 +1258,7 @@ describe('App installation - port bindings', function () {
     it('can reconfigure app', function (done) {
         request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
               .query({ access_token: token })
-              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: 'roleAdmin' })
+              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: '', oauthProxy: true })
               .end(function (err, res) {
             expect(res.statusCode).to.equal(202);
             checkConfigureStatus(0, done);

src/routes/test/backups-test.js

@@ -51,7 +51,7 @@ function setup(done) {
 
         function addApp(callback) {
             var manifest = { version: '0.0.1', manifestVersion: 1, dockerImage: 'foo', healthCheckPath: '/', httpPort: 3, title: 'ok', addons: { } };
-            appdb.add('appid', 'appStoreId', manifest, 'location', [ ] /* portBindings */, '' /* accessRestriction */, callback);
+            appdb.add('appid', 'appStoreId', manifest, 'location', [ ] /* portBindings */, '' /* accessRestriction */, false /* oauthProxy */, callback);
         }
     ], done);
 }

src/routes/test/settings-test.js

@@ -54,7 +54,7 @@ function setup(done) {
 
         function addApp(callback) {
             var manifest = { version: '0.0.1', manifestVersion: 1, dockerImage: 'foo', healthCheckPath: '/', httpPort: 3, title: 'ok' };
-            appdb.add('appid', 'appStoreId', manifest, 'location', [ ] /* portBindings */, '' /* accessRestriction */, callback);
+            appdb.add('appid', 'appStoreId', manifest, 'location', [ ] /* portBindings */, '' /* accessRestriction */, false /* oauthProxy */, callback);
         }
     ], done);
 }

src/routes/test/simpleauth-test.js

@@ -0,0 +1,273 @@
+/* jslint node:true */
+/* global it:false */
+/* global describe:false */
+/* global before:false */
+/* global after:false */
+
+'use strict';
+
+var clientdb = require('../../clientdb.js'),
+    async = require('async'),
+    config = require('../../config.js'),
+    database = require('../../database.js'),
+    expect = require('expect.js'),
+    request = require('superagent'),
+    server = require('../../server.js'),
+    simpleauth = require('../../simpleauth.js'),
+    nock = require('nock'),
+    userdb = require('../../userdb.js');
+
+var SERVER_URL = 'http://localhost:' + config.get('port');
+var SIMPLE_AUTH_ORIGIN = 'http://localhost:' + config.get('simpleAuthPort');
+
+var USERNAME = 'admin', PASSWORD = 'password', EMAIL ='silly@me.com';
+var CLIENT = {
+    id: 'someclientid',
+    appId: 'someappid',
+    clientSecret: 'someclientsecret',
+    redirectURI: '',
+    scope: 'user,profile'
+};
+
+var server;
+function setup(done) {
+    async.series([
+        server.start.bind(server),
+        simpleauth.start.bind(simpleauth),
+
+        userdb._clear,
+
+        function createAdmin(callback) {
+            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
+            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
+
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
+                   .query({ setupToken: 'somesetuptoken' })
+                   .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
+                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
+                expect(result).to.be.ok();
+                expect(result.statusCode).to.eql(201);
+                expect(scope1.isDone()).to.be.ok();
+                expect(scope2.isDone()).to.be.ok();
+
+                callback();
+            });
+        },
+
+        function addClient(callback) {
+            clientdb.add(CLIENT.id, CLIENT.appId, CLIENT.clientSecret, CLIENT.redirectURI, CLIENT.scope, callback);
+        }
+    ], done);
+}
+
+function cleanup(done) {
+    database._clear(function (error) {
+        expect(!error).to.be.ok();
+
+        server.stop(done);
+    });
+}
+
+describe('SimpleAuth API', function () {
+    before(setup);
+    after(cleanup);
+
+    describe('login', function () {
+        it('cannot login without clientId', function (done) {
+            var body = {};
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('cannot login without username', function (done) {
+            var body = {
+                clientId: 'someclientid'
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('cannot login without password', function (done) {
+            var body = {
+                clientId: 'someclientid',
+                username: USERNAME
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('cannot login with unkown clientId', function (done) {
+            var body = {
+                clientId: CLIENT.id+CLIENT.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('cannot login with unkown user', function (done) {
+            var body = {
+                clientId: CLIENT.id,
+                username: USERNAME+USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('cannot login with empty password', function (done) {
+            var body = {
+                clientId: CLIENT.id,
+                username: USERNAME,
+                password: ''
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('cannot login with wrgon password', function (done) {
+            var body = {
+                clientId: CLIENT.id,
+                username: USERNAME,
+                password: PASSWORD+PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('succeeds', function (done) {
+            var body = {
+                clientId: CLIENT.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(200);
+                expect(result.body.accessToken).to.be.a('string');
+                expect(result.body.user).to.be.an('object');
+                expect(result.body.user.id).to.be.a('string');
+                expect(result.body.user.username).to.be.a('string');
+                expect(result.body.user.email).to.be.a('string');
+                expect(result.body.user.admin).to.be.a('boolean');
+
+                request.get(SERVER_URL + '/api/v1/profile')
+                .query({ access_token: result.body.accessToken })
+                .end(function (error, result) {
+                    expect(error).to.be(null);
+                    expect(result.body).to.be.an('object');
+                    expect(result.body.username).to.eql(USERNAME);
+
+                    done();
+                });
+            });
+        });
+    });
+
+    describe('logout', function () {
+        var accessToken;
+
+        before(function (done) {
+            var body = {
+                clientId: CLIENT.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(200);
+
+                accessToken = result.body.accessToken;
+
+                done();
+            });
+        });
+
+        it('fails without access_token', function (done) {
+            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('fails with unkonwn access_token', function (done) {
+            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            .query({ access_token: accessToken+accessToken })
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('succeeds', function (done) {
+            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            .query({ access_token: accessToken })
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(200);
+
+                request.get(SERVER_URL + '/api/v1/profile')
+                .query({ access_token: accessToken })
+                .end(function (error, result) {
+                    expect(error).to.be(null);
+                    expect(result.statusCode).to.equal(401);
+
+                    done();
+                });
+            });
+        });
+    });
+});

src/routes/test/start_addons.sh

@@ -14,7 +14,7 @@ root_password=secret
 start_postgresql() {
     postgresql_vars="POSTGRESQL_ROOT_PASSWORD=${root_password}; POSTGRESQL_ROOT_HOST=172.17.0.0/255.255.0.0"
 
-    if which boot2docker >/dev/null; then
+    if which boot2docker >/dev/null 2>&1; then
         boot2docker ssh "sudo rm -rf /tmp/postgresql_vars.sh"
         boot2docker ssh "echo \"${postgresql_vars}\" > /tmp/postgresql_vars.sh"
     else
@@ -24,13 +24,15 @@ start_postgresql() {
 
     docker rm -f postgresql 2>/dev/null 1>&2 || true
 
-    docker run -dtP --name=postgresql -v "${postgresqldatadir}:/var/lib/postgresql" -v /tmp/postgresql_vars.sh:/etc/postgresql/postgresql_vars.sh "${POSTGRESQL_IMAGE}" >/dev/null
+    docker run -dtP --name=postgresql -v "${postgresqldatadir}:/var/lib/postgresql" \
+         --read-only -v /tmp -v /run -v /var/log \
+        -v /tmp/postgresql_vars.sh:/etc/postgresql/postgresql_vars.sh "${POSTGRESQL_IMAGE}" >/dev/null
 }
 
 start_mysql() {
     local mysql_vars="MYSQL_ROOT_PASSWORD=${root_password}; MYSQL_ROOT_HOST=172.17.0.0/255.255.0.0"
 
-    if which boot2docker >/dev/null; then
+    if which boot2docker >/dev/null 2>&1; then
         boot2docker ssh "sudo rm -rf /tmp/mysql_vars.sh"
         boot2docker ssh "echo \"${mysql_vars}\" > /tmp/mysql_vars.sh"
     else
@@ -40,13 +42,15 @@ start_mysql() {
 
     docker rm -f mysql 2>/dev/null 1>&2 || true
 
-    docker run -dP --name=mysql -v "${mysqldatadir}:/var/lib/mysql" -v /tmp/mysql_vars.sh:/etc/mysql/mysql_vars.sh "${MYSQL_IMAGE}" >/dev/null
+    docker run -dP --name=mysql -v "${mysqldatadir}:/var/lib/mysql" \
+        --read-only -v /tmp -v /run -v /var/log \
+        -v /tmp/mysql_vars.sh:/etc/mysql/mysql_vars.sh "${MYSQL_IMAGE}" >/dev/null
 }
 
 start_mongodb() {
     local mongodb_vars="MONGODB_ROOT_PASSWORD=${root_password}"
 
-    if which boot2docker >/dev/null; then
+    if which boot2docker >/dev/null 2>&1; then
         boot2docker ssh "sudo rm -rf /tmp/mongodb_vars.sh"
         boot2docker ssh "echo \"${mongodb_vars}\" > /tmp/mongodb_vars.sh"
     else
@@ -56,16 +60,29 @@ start_mongodb() {
 
     docker rm -f mongodb 2>/dev/null 1>&2 || true
 
-    docker run -dP --name=mongodb -v "${mongodbdatadir}:/var/lib/mongodb" -v /tmp/mongodb_vars.sh:/etc/mongodb_vars.sh "${MONGODB_IMAGE}" >/dev/null
+    docker run -dP --name=mongodb -v "${mongodbdatadir}:/var/lib/mongodb" \
+        --read-only -v /tmp -v /run -v /var/log \
+        -v /tmp/mongodb_vars.sh:/etc/mongodb_vars.sh "${MONGODB_IMAGE}" >/dev/null
+}
+
+start_mail() {
+    local mongodb_vars="MONGODB_ROOT_PASSWORD=${root_password}"
+
+    docker rm -f mail 2>/dev/null 1>&2 || true
+
+    docker run -dP --name=mail -e DOMAIN_NAME="localhost" \
+        --read-only -v /tmp -v /run -v /var/log \
+        -v /tmp/maildata:/app/data "${MAIL_IMAGE}" >/dev/null
 }
 
 start_mysql
 start_postgresql
 start_mongodb
+start_mail
 
 echo -n "Waiting for addons to start"
-for i in {1..10}; do
-   echo -n "."
+for i in {1..20}; do
+    echo -n "."
     sleep 1
 done
 echo ""

src/server.js

@@ -43,11 +43,7 @@ function initializeExpressSync() {
     app.set('view options', { layout: true, debug: true });
     app.set('view engine', 'ejs');
 
-    if (process.env.BOX_ENV === 'test') {
-       app.use(express.static(path.join(__dirname, '/../webadmin')));
-    } else {
-        app.use(middleware.morgan('dev', { immediate: false }));
-    }
+    if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('Box :method :url :status :response-time ms - :res[content-length]', { immediate: false }));
 
     var router = new express.Router();
     router.del = router.delete; // amend router.del for readability further on
@@ -130,7 +126,6 @@ function initializeExpressSync() {
 
     // oauth2 routes
     router.get ('/api/v1/oauth/dialog/authorize', routes.oauth2.authorization);
-    router.post('/api/v1/oauth/dialog/authorize/decision', csrf, routes.oauth2.decision);
     router.post('/api/v1/oauth/token', routes.oauth2.token);
     router.get ('/api/v1/oauth/clients', settingsScope, routes.clients.getAllByUserId);
     router.post('/api/v1/oauth/clients', routes.developer.enabled, settingsScope, routes.clients.add);
@@ -144,7 +139,7 @@ function initializeExpressSync() {
     // app routes
     router.get ('/api/v1/apps',          appsScope, routes.apps.getApps);
     router.get ('/api/v1/apps/:id',      appsScope, routes.apps.getApp);
-    router.get ('/api/v1/apps/:id/icon', appsScope, routes.apps.getAppIcon);
+    router.get ('/api/v1/apps/:id/icon', routes.apps.getAppIcon);
 
     router.post('/api/v1/apps/install',       appsScope, routes.user.requireAdmin, routes.apps.installApp);
     router.post('/api/v1/apps/:id/uninstall', appsScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.apps.uninstallApp);
@@ -210,7 +205,7 @@ function initializeInternalExpressSync() {
     var json = middleware.json({ strict: true, limit: QUERY_LIMIT }), // application/json
         urlencoded = middleware.urlencoded({ extended: false, limit: QUERY_LIMIT }); // application/x-www-form-urlencoded
 
-    app.use(middleware.morgan('dev', { immediate: false }));
+    if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('Box Internal :method :url :status :response-time ms - :res[content-length]', { immediate: false }));
 
     var router = new express.Router();
     router.del = router.delete; // amend router.del for readability further on

src/simpleauth.js

@@ -0,0 +1,140 @@
+'use strict';
+
+exports = module.exports = {
+    start: start,
+    stop: stop
+};
+
+var assert = require('assert'),
+    debug = require('debug')('box:simpleauth'),
+    user = require('./user.js'),
+    tokendb = require('./tokendb.js'),
+    clients = require('./clients.js'),
+    config = require('./config.js'),
+    debug = require('debug')('box:proxy'),
+    middleware = require('./middleware'),
+    express = require('express'),
+    HttpError = require('connect-lastmile').HttpError,
+    HttpSuccess = require('connect-lastmile').HttpSuccess,
+    DatabaseError = require('./databaseerror.js'),
+    UserError = require('./user.js').UserError,
+    http = require('http');
+
+var gHttpServer = null;
+
+function loginLogic(clientId, username, password, callback) {
+    assert.strictEqual(typeof clientId, 'string');
+    assert.strictEqual(typeof username, 'string');
+    assert.strictEqual(typeof password, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('login: client %s and user %s', clientId, username);
+
+    clients.get(clientId, function (error, clientObject) {
+        if (error) return callback(error);
+
+        user.verify(username, password, function (error, userObject) {
+            if (error) return callback(error);
+
+            var accessToken = tokendb.generateToken();
+            var expires = Date.now() + 24 * 60 * 60 * 1000; // 1 day
+
+            tokendb.add(accessToken, tokendb.PREFIX_USER + userObject.id, clientId, expires, clientObject.scope, function (error) {
+                if (error) return callback(error);
+
+                debug('login: new access token for client %s and user %s: %s', clientId, username, accessToken);
+
+                callback(null, { accessToken: accessToken, user: userObject });
+            });
+        });
+    });
+}
+
+function logoutLogic(accessToken, callback) {
+    assert.strictEqual(typeof accessToken, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('logout: %s', accessToken);
+
+    tokendb.del(accessToken, function (error) {
+        if (error) return callback(error);
+        callback(null);
+    });
+}
+
+function login(req, res, next) {
+    assert.strictEqual(typeof req.body, 'object');
+
+    if (typeof req.body.clientId !== 'string') return next(new HttpError(400, 'clientId is required'));
+    if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username is required'));
+    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password is required'));
+
+    loginLogic(req.body.clientId, req.body.username, req.body.password, function (error, result) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return next(new HttpError(401, 'Unknown client'));
+        if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(401, 'Forbidden'));
+        if (error && error.reason === UserError.WRONG_PASSWORD) return next(new HttpError(401, 'Forbidden'));
+        if (error) return next(new HttpError(500, error));
+
+        var tmp = {
+            accessToken: result.accessToken,
+            user: {
+                id: result.user.id,
+                username: result.user.username,
+                email: result.user.email,
+                admin: !!result.user.admin
+            }
+        };
+
+        next(new HttpSuccess(200, tmp));
+    });
+}
+
+function logout(req, res, next) {
+    assert.strictEqual(typeof req.query, 'object');
+
+    if (typeof req.query.access_token !== 'string') return next(new HttpError(400, 'access_token in query required'));
+
+    logoutLogic(req.query.access_token, function (error) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return next(new HttpError(401, 'Forbidden'));
+        if (error) return next(new HttpError(500, error));
+
+        next(new HttpSuccess(200, {}));
+    });
+}
+
+function initializeExpressSync() {
+    var app = express();
+    var httpServer = http.createServer(app);
+
+    httpServer.on('error', console.error);
+
+    var json = middleware.json({ strict: true, limit: '100kb' });
+    var router = new express.Router();
+
+    // basic auth
+    router.post('/api/v1/login', login);
+    router.get ('/api/v1/logout', logout);
+
+    if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('SimpleAuth :method :url :status :response-time ms - :res[content-length]', { immediate: false }));
+
+    app
+        .use(middleware.timeout(10000))
+        .use(json)
+        .use(router)
+        .use(middleware.lastMile());
+
+    return httpServer;
+}
+
+function start(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    gHttpServer = initializeExpressSync();
+    gHttpServer.listen(config.get('simpleAuthPort'), '0.0.0.0', callback);
+}
+
+function stop(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    gHttpServer.close(callback);
+}

src/taskmanager.js

@@ -48,6 +48,8 @@ function uninitialize(callback) {
         stopAppTask(appId);
     }
 
+    locker.removeListener('unlocked', startNextTask);
+
     callback(null);
 }
 

src/test/apps-test.js

@@ -36,14 +36,15 @@ describe('Apps', function () {
         containerId: null,
         portBindings: { PORT: 5678 },
         healthy: null,
-        accessRestriction: ''
+        accessRestriction: '',
+        oauthProxy: false
     };
 
     before(function (done) {
         async.series([
             database.initialize,
             database._clear,
-            appdb.add.bind(null, APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction)
+            appdb.add.bind(null, APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction, APP_0.oauthProxy)
         ], done);
     });
 

src/test/apptask-test.js

@@ -29,7 +29,7 @@ var MANIFEST = {
   "contactEmail": "support@cloudron.io",
   "version": "0.1.0",
   "manifestVersion": 1,
-  "dockerImage": "girish/test:0.2.0",
+  "dockerImage": "cloudron/test:2.0.0",
   "healthCheckPath": "/",
   "httpPort": 7777,
   "tcpPorts": {
@@ -58,6 +58,7 @@ var APP = {
     httpPort: 4567,
     portBindings: null,
     accessRestriction: '',
+    oauthProxy: false,
     dnsRecordId: 'someDnsRecordId'
 };
 
@@ -81,7 +82,7 @@ describe('apptask', function () {
         config.set('version', '0.5.0');
         database.initialize(function (error) {
             expect(error).to.be(null);
-            appdb.add(APP.id, APP.appStoreId, APP.manifest, APP.location, APP.portBindings, APP.accessRestriction, done);
+            appdb.add(APP.id, APP.appStoreId, APP.manifest, APP.location, APP.portBindings, APP.accessRestriction, APP.oauthProxy, done);
         });
     });
 
@@ -136,21 +137,21 @@ describe('apptask', function () {
     });
 
     it('allocate OAuth credentials', function (done) {
-        addons._allocateOAuthCredentials(APP, function (error) {
+        addons._setupOauth(APP, {}, function (error) {
             expect(error).to.be(null);
             done();
         });
     });
 
     it('remove OAuth credentials', function (done) {
-        addons._removeOAuthCredentials(APP, function (error) {
+        addons._teardownOauth(APP, {}, function (error) {
             expect(error).to.be(null);
             done();
         });
     });
 
     it('remove OAuth credentials twice succeeds', function (done) {
-        addons._removeOAuthCredentials(APP, function (error) {
+        addons._teardownOauth(APP, {}, function (error) {
             expect(!error).to.be.ok();
             done();
         });

src/test/checkInstall

@@ -34,8 +34,8 @@ for script in "${scripts[@]}"; do
     fi
 done
 
-if ! docker inspect girish/test:0.2.0 >/dev/null 2>/dev/null; then
-    echo "docker pull girish/test:0.2.0 for tests to run"
+if ! docker inspect cloudron/test:3.0.0 >/dev/null 2>/dev/null; then
+    echo "docker pull cloudron/test:3.0.0 for tests to run"
     exit 1
 fi
 

src/test/database-test.js

@@ -479,6 +479,7 @@ describe('database', function () {
             portBindings: { port: 5678 },
             health: null,
             accessRestriction: '',
+            oauthProxy: false,
             lastBackupId: null,
             lastBackupConfig: null,
             oldConfig: null
@@ -497,6 +498,7 @@ describe('database', function () {
             portBindings: { },
             health: null,
             accessRestriction: 'roleAdmin',
+            oauthProxy: true,
             lastBackupId: null,
             lastBackupConfig: null,
             oldConfig: null
@@ -516,7 +518,7 @@ describe('database', function () {
         });
 
         it('add succeeds', function (done) {
-            appdb.add(APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction, function (error) {
+            appdb.add(APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction, APP_0.oauthProxy, function (error) {
                 expect(error).to.be(null);
                 done();
             });
@@ -540,7 +542,7 @@ describe('database', function () {
         });
 
         it('add of same app fails', function (done) {
-            appdb.add(APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, [ ], APP_0.accessRestriction, function (error) {
+            appdb.add(APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, [ ], APP_0.accessRestriction, APP_0.oauthProxy, function (error) {
                 expect(error).to.be.a(DatabaseError);
                 expect(error.reason).to.be(DatabaseError.ALREADY_EXISTS);
                 done();
@@ -569,10 +571,20 @@ describe('database', function () {
             APP_0.installationState = 'some-other-status';
             APP_0.location = 'some-other-location';
             APP_0.manifest.version = '0.2';
-            APP_0.accessRestriction = true;
+            APP_0.accessRestriction = '';
+            APP_0.oauthProxy = true;
             APP_0.httpPort = 1337;
 
-            appdb.update(APP_0.id, { installationState: APP_0.installationState, location: APP_0.location, manifest: APP_0.manifest, accessRestriction: APP_0.accessRestriction, httpPort: APP_0.httpPort }, function (error) {
+            var data = {
+                installationState: APP_0.installationState,
+                location: APP_0.location,
+                manifest: APP_0.manifest,
+                accessRestriction: APP_0.accessRestriction,
+                oauthProxy: APP_0.oauthProxy,
+                httpPort: APP_0.httpPort
+            };
+
+            appdb.update(APP_0.id, data, function (error) {
                 expect(error).to.be(null);
 
                 appdb.get(APP_0.id, function (error, result) {
@@ -602,7 +614,7 @@ describe('database', function () {
         });
 
         it('add second app succeeds', function (done) {
-            appdb.add(APP_1.id, APP_1.appStoreId, APP_1.manifest, APP_1.location, [ ], APP_1.accessRestriction, function (error) {
+            appdb.add(APP_1.id, APP_1.appStoreId, APP_1.manifest, APP_1.location, [ ], APP_1.accessRestriction, APP_0.oauthProxy, function (error) {
                 expect(error).to.be(null);
                 done();
             });

src/updatechecker.js

@@ -81,6 +81,9 @@ function getAppUpdates(callback) {
 function getBoxUpdates(callback) {
     var currentVersion = config.version();
 
+    // do not crash if boxVersionsUrl is not set
+    if (!config.get('boxVersionsUrl')) return callback(null, null);
+
     superagent
         .get(config.get('boxVersionsUrl'))
         .timeout(10 * 1000)

webadmin/src/index.html

@@ -75,9 +75,7 @@
                     </div>
                     <div ng-show="installedApps | readyToUpdate">
                         <b ng-show="config.update.box.upgrade" class="text-danger">
-                            The update is a base system upgrade.<br/>
-                            This will cause some application downtime!<br/>
-                            <br/>
+                            This update upgrades the base system and will cause some application downtime.<br/>
                         </b>
                         <p>New version: <b>{{config.update.box.version}}</b></p>
                         <p>Recent Changes:</p>

webadmin/src/js/client.js

@@ -215,7 +215,7 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
 
     Client.prototype.installApp = function (id, manifest, title, config, callback) {
         var that = this;
-        var data = { appStoreId: id, manifest: manifest, location: config.location, portBindings: config.portBindings, accessRestriction: config.accessRestriction };
+        var data = { appStoreId: id, manifest: manifest, location: config.location, portBindings: config.portBindings, accessRestriction: config.accessRestriction, oauthProxy: config.oauthProxy };
         $http.post(client.apiOrigin + '/api/v1/apps/install', data).success(function (data, status) {
             if (status !== 202 || typeof data !== 'object') return defaultErrorHandler(callback);
 
@@ -249,7 +249,7 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
     };
 
     Client.prototype.configureApp = function (id, password, config, callback) {
-        var data = { appId: id, password: password, location: config.location, portBindings: config.portBindings, accessRestriction: config.accessRestriction };
+        var data = { appId: id, password: password, location: config.location, portBindings: config.portBindings, accessRestriction: config.accessRestriction, oauthProxy: config.oauthProxy };
         $http.post(client.apiOrigin + '/api/v1/apps/' + id + '/configure', data).success(function (data, status) {
             if (status !== 202) return callback(new ClientError(status, data));
             callback(null);
@@ -610,12 +610,15 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
         this._userInfo = {};
 
         var callbackURL = window.location.protocol + '//' + window.location.host + '/login_callback.html';
-        var scope = 'root,profile,apps,roleAdmin';
+        var scope = 'root,profile,apps,roleUser';
 
         // generate a state id to protect agains csrf
         var state = Math.floor((1 + Math.random()) * 0x1000000000000).toString(16).substring(1);
         window.localStorage.oauth2State = state;
 
+        // stash for further use in login_callback
+        window.localStorage.returnTo = '/' + window.location.hash;
+
         window.location.href = this.apiOrigin + '/api/v1/oauth/dialog/authorize?response_type=token&client_id=' + this._clientId + '&redirect_uri=' + callbackURL + '&scope=' + scope + '&state=' + state;
     };
 

webadmin/src/js/index.js

@@ -143,16 +143,6 @@ app.filter('applicationLink', function() {
     };
 });
 
-app.filter('accessRestrictionLabel', function() {
-    return function (input) {
-        if (input === '') return 'public';
-        if (input === 'roleUser') return 'private';
-        if (input === 'roleAdmin') return 'private (Admins only)';
-
-        return input;
-    };
-});
-
 app.filter('prettyHref', function () {
     return function (input) {
         if (!input) return input;

webadmin/src/login_callback.html

@@ -19,7 +19,11 @@
         // clear oauth2 state
         delete window.localStorage.oauth2State;
 
-        window.location.href = '/';
+        var returnTo = window.localStorage.returnTo;
+        delete window.localStorage.returnTo;
+
+        if (returnTo) window.location.href = returnTo;
+        else window.location.href = '/';
     }
 
     </script>

webadmin/src/views/apps.html

@@ -38,10 +38,16 @@
                         </div>
                         <div class="form-group">
                             <label class="control-label" for="accessRestriction">Website Visibility</label>
+                            <div class="checkbox">
+                                <label>
+                                    <input type="checkbox" ng-model="appConfigure.oauthProxy"> Cloudron users only
+                                </label>
+                            </div>
+<!--                             <label class="control-label" for="accessRestriction">Website Visibility</label>
                             <select class="form-control" id="accessRestriction" ng-model="appConfigure.accessRestriction">
                                 <option value="">Visible to all</option>
                                 <option value="roleUser">Visible only to Cloudron users</option>
-                            </select>
+                            </select> -->
                         </div>
                         <a ng-show="!!appConfigure.app.manifest.configurePath" ng-href="https://{{ appConfigure.app.location }}{{ !appConfigure.app.location ? '' : (config.isCustomDomain ? '.' : '-') }}{{ config.fqdn }}/{{ appConfigure.app.manifest.configurePath }}" target="_blank">Application Specific Settings</a>
                         <br/>
@@ -205,8 +211,7 @@
                                 <div class="text-muted" style="text-overflow: ellipsis; white-space: nowrap; overflow: hidden">
                                     {{ app | installationStateLabel }}
                                 </div>
-                                <br ng-hide="app | installationActive"/>
-                                <div ng-show="app | installationActive">
+                                <div ng-style="{ 'visibility': (app | installationActive) ? 'visible' : 'hidden' }">
                                     <div class="progress progress-striped active">
                                         <div class="progress-bar progress-bar-success" role="progressbar" style="width: {{ app.progress }}%"></div>
                                     </div>

webadmin/src/views/apps.js

@@ -19,7 +19,8 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         portBindings: {},
         portBindingsEnabled: {},
         portBindingsInfo: {},
-        accessRestriction: ''
+        accessRestriction: '',
+        oauthProxy: false
     };
 
     $scope.appUninstall = {
@@ -53,6 +54,7 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         $scope.appConfigure.password = '';
         $scope.appConfigure.portBindings = {};
         $scope.appConfigure.accessRestriction = '';
+        $scope.appConfigure.oauthProxy = false;
 
         $scope.appConfigureForm.$setPristine();
         $scope.appConfigureForm.$setUntouched();
@@ -90,6 +92,7 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
         $scope.appConfigure.app = app;
         $scope.appConfigure.location = app.location;
         $scope.appConfigure.accessRestriction = app.accessRestriction;
+        $scope.appConfigure.oauthProxy = app.oauthProxy;
         $scope.appConfigure.portBindingsInfo = app.manifest.tcpPorts || {}; // Portbinding map only for information
         $scope.appConfigure.portBindings = {};                              // This is the actual model holding the env:port pair
         $scope.appConfigure.portBindingsEnabled = {};                       // This is the actual model holding the enabled/disabled flag
@@ -122,7 +125,7 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
             }
         }
 
-        Client.configureApp($scope.appConfigure.app.id, $scope.appConfigure.password, { location: $scope.appConfigure.location || '', portBindings: finalPortBindings, accessRestriction: $scope.appConfigure.accessRestriction }, function (error) {
+        Client.configureApp($scope.appConfigure.app.id, $scope.appConfigure.password, { location: $scope.appConfigure.location || '', portBindings: finalPortBindings, accessRestriction: $scope.appConfigure.accessRestriction, oauthProxy: $scope.appConfigure.oauthProxy }, function (error) {
             if (error) {
                 if (error.statusCode === 409 && (error.message.indexOf('is reserved') !== -1 || error.message.indexOf('is already in use') !== -1)) {
                     $scope.appConfigure.error.port = error.message;

webadmin/src/views/appstore.js

@@ -17,6 +17,7 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
         location: '',
         portBindings: {},
         accessRestriction: '',
+        oauthProxy: false,
         mediaLinks: []
     };
 
@@ -136,6 +137,7 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
         $scope.appInstall.location = '';
         $scope.appInstall.portBindings = {};
         $scope.appInstall.accessRestriction = '';
+        $scope.appInstall.oauthProxy = false;
         $scope.appInstall.installFormVisible = false;
         $scope.appInstall.mediaLinks = [];
         $('#collapseInstallForm').collapse('hide');
@@ -165,6 +167,7 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
         $scope.appInstall.portBindings = {};                            // This is the actual model holding the env:port pair
         $scope.appInstall.portBindingsEnabled = {};                     // This is the actual model holding the enabled/disabled flag
         $scope.appInstall.accessRestriction = app.accessRestriction || '';
+        $scope.appInstall.oauthProxy = app.oauthProxy || false;
 
         // set default ports
         for (var env in $scope.appInstall.app.manifest.tcpPorts) {
@@ -194,7 +197,7 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
             }
         }
 
-        Client.installApp($scope.appInstall.app.id, $scope.appInstall.app.manifest, $scope.appInstall.app.title, { location: $scope.appInstall.location || '', portBindings: finalPortBindings, accessRestriction: $scope.appInstall.accessRestriction }, function (error) {
+        Client.installApp($scope.appInstall.app.id, $scope.appInstall.app.manifest, $scope.appInstall.app.title, { location: $scope.appInstall.location || '', portBindings: finalPortBindings, accessRestriction: $scope.appInstall.accessRestriction, oauthProxy: $scope.appInstall.oauthProxy }, function (error) {
             if (error) {
                 if (error.statusCode === 409 && (error.message.indexOf('is reserved') !== -1 || error.message.indexOf('is already in use') !== -1)) {
                     $scope.appInstall.error.port = error.message;