add comment on how often du value is stored

when the IP changes on addon container re-create, the apps don't
detect this (maybe there is some large DNS cache timeout in docker)

CHANGES

@@ -1747,3 +1747,197 @@
 * Fix various repair workflows
 * acme2: Implement post-as-get
 
+[4.4.1]
+* ami: fix AWS provider validation
+
+[4.4.2]
+* Fix crash when reporting that DKIM is not setup correctly
+* Stopped apps cannot be updated or auto-updated
+* eventlog: track support ticket creation and remote support status
+
+[4.4.3]
+* Add restart button in recovery section
+* Fix issue where memory usage was not computed correctly
+* cloudflare: support API tokens
+
+[4.4.4]
+* Fix bug where restart button in terminal was not working
+* Add search field in apps view
+* Make app view tags and domain filter persistent
+* Add timezone UI
+
+[4.4.5]
+* Fix user listing regression in group edit dialog
+* Do not show error page for 503
+* Add mail list and mail box update events
+* Certs of stopped apps are not renewed anymore
+* Fix broken memory sliders in the services UI
+* Set CPU Shares
+* Update nodejs to 12.14.1
+* Update MySQL addon packet size to 64M
+
+[5.0.0]
+* Show backup disk usage in graphs
+* Add per-user app passwords
+* Make app not responding page customizable
+* Make footer customizable
+* Add UI to import backups
+* Display timestamps in browser timezone in the UI
+* Mail eventlog and usage
+* Add user roles - owner, admin, user manager and user
+* Setup logrotate configs for collectd since upstream does not set it up
+* mail: Add X-Envelope-To and X-Envelope-From headers for incoming mails
+* linode: add object storage backend
+* restore: carefully replace backup config
+* spam: add default corpus and global db
+
+[5.0.1]
+* Show backup disk usage in graphs
+* Add per-user app passwords
+* Make app not responding page customizable
+* Make footer customizable
+* Add UI to import backups
+* Display timestamps in browser timezone in the UI
+* Mail eventlog and usage
+* Add user roles - owner, admin, user manager and user
+* Setup logrotate configs for collectd since upstream does not set it up
+* mail: Add X-Envelope-To and X-Envelope-From headers for incoming mails
+* linode: add object storage backend
+* restore: carefully replace backup config
+* spam: add default corpus and global db
+
+[5.0.2]
+* Show backup disk usage in graphs
+* Add per-user app passwords
+* Make app not responding page customizable
+* Make footer customizable
+* Add UI to import backups
+* Display timestamps in browser timezone in the UI
+* Mail eventlog and usage
+* Add user roles - owner, admin, user manager and user
+* Setup logrotate configs for collectd since upstream does not set it up
+* mail: Add X-Envelope-To and X-Envelope-From headers for incoming mails
+* linode: add object storage backend
+* restore: carefully replace backup config
+* spam: per mailbox bayes db and training
+
+[5.0.3]
+* Show backup disk usage in graphs
+* Add per-user app passwords
+* Make app not responding page customizable
+* Make footer customizable
+* Add UI to import backups
+* Display timestamps in browser timezone in the UI
+* Mail eventlog and usage
+* Add user roles - owner, admin, user manager and user
+* Setup logrotate configs for collectd since upstream does not set it up
+* mail: Add X-Envelope-To and X-Envelope-From headers for incoming mails
+* linode: add object storage backend
+* restore: carefully replace backup config
+* spam: per mailbox bayes db and training
+
+[5.0.4]
+* Fix potential previlige escalation because of ghost file
+* linode: dns backend
+* make branding routes owner only
+* add branding API
+* Add app start/stop/restart events
+* Use the primary email for LE account
+* make mail eventlog more descriptive
+
+[5.0.5]
+* Fix bug where incoming mail from dynamic hostnames was rejected
+* Increase token expiry
+* Fix bug in tag UI where tag removal did not work
+
+[5.0.6]
+* Make mail eventlog only visible to owners
+* Make app password work with sftp
+
+[5.1.0]
+* Add turn addon
+* Fix disk usage display
+* Drop support for TLSv1 and TLSv1.1
+* Make cert validation work for ECC certs
+* Add type filter to mail eventlog
+* mail: Fix listing of mailboxes and aliases in the UI
+* branding: fix login page title
+* Only a Cloudron owner can install/update/exec apps with the docker addon
+* security: reset tokens are only valid for a day
+* mail: fix eventlog db perms
+* Fix various bugs in the disk graphs
+
+[5.1.1]
+* Add turn addon
+* Fix disk usage display
+* Drop support for TLSv1 and TLSv1.1
+* Make cert validation work for ECC certs
+* Add type filter to mail eventlog
+* mail: Fix listing of mailboxes and aliases in the UI
+* branding: fix login page title
+* Only a Cloudron owner can install/update/exec apps with the docker addon
+* security: reset tokens are only valid for a day
+* mail: fix eventlog db perms
+* Fix various bugs in the disk graphs
+* Fix collectd installation
+* graphs: sort disk contents by usage
+* backups: show apps that are not automatically backed up in backup view
+
+[5.1.2]
+* Add turn addon
+* Fix disk usage display
+* Drop support for TLSv1 and TLSv1.1
+* Make cert validation work for ECC certs
+* Add type filter to mail eventlog
+* mail: Fix listing of mailboxes and aliases in the UI
+* branding: fix login page title
+* Only a Cloudron owner can install/update/exec apps with the docker addon
+* security: reset tokens are only valid for a day
+* mail: fix eventlog db perms
+* Fix various bugs in the disk graphs
+* Fix collectd installation
+* graphs: sort disk contents by usage
+* backups: show apps that are not automatically backed up in backup view
+* turn: deny local address peers https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/
+
+[5.1.3]
+* Fix crash with misconfigured reverse proxy
+* Fix issue where invitation links are not working anymore
+
+[5.1.4]
+* Add support for custom .well-known documents to be served
+* Add ECDHE-RSA-AES128-SHA256 to cipher list
+* Fix GPG signature verification
+
+[5.1.5]
+* Check for .well-known routes upstream as fallback. This broke nextcloud's caldav/carddav
+
+[5.2.0]
+* acme: request ECC certs
+* less-strict DKIM check to allow users to set a stronger DKIM key
+* Add members only flag to mailing list
+* oauth: add backward compat layer for backup and uninstall
+* fix bug in disk usage sorting
+* mail: aliases can be across domains
+* mail: allow an external MX to be set
+* Add UI to download backup config as JSON (and import it)
+* Ensure stopped apps are getting backed up
+* Add OVH Object Storage backend
+* Add per-app redis status and configuration to Services
+* spam: large emails were not scanned
+* mail relay: fix delivery event log
+* manual update check always gets the latest updates
+* graphs: fix issue where large number of apps would crash the box code (query param limit exceeded)
+* backups: fix various security issues in encypted backups (thanks @mehdi)
+* graphs: add app graphs
+* older encrypted backups cannot be used in this version
+* Add backup listing UI
+* stopping an app will stop dependent services
+* Add new wasabi s3 storage region us-east-2
+* mail: Fix bug where SRS translation was done on the main domain instead of mailing list domain
+
+[5.2.1]
+* Fix app disk graphs
+* restart apps on addon container change
+
+

LICENSE

@@ -1,5 +1,5 @@
 The Cloudron Subscription license
-Copyright (c) 2019 Cloudron UG
+Copyright (c) 2020 Cloudron UG
 
 With regard to the Cloudron Software:
 

README.md

@@ -48,18 +48,8 @@ the dashboard, database addons, graph container, base image etc. Cloudron also r
 on external services such as the App Store for apps to be installed. As such, don't
 clone this repo and npm install and expect something to work.
 
-## Documentation
+## Support
 
 * [Documentation](https://cloudron.io/documentation/)
-
-## Related repos
-
-The [base image repo](https://git.cloudron.io/cloudron/docker-base-image) is the parent image of all
-the containers in the Cloudron.
-
-## Community
-
-* [Chat](https://chat.cloudron.io)
 * [Forum](https://forum.cloudron.io/)
-* [Support](mailto:support@cloudron.io)
 

baseimage/initializeBaseUbuntuImage.sh

@@ -44,7 +44,6 @@ apt-get -y install \
     linux-generic \
     logrotate \
     mysql-server-5.7 \
-    nginx-full \
     openssh-server \
     pwgen \
     resolvconf \
@@ -54,6 +53,17 @@ apt-get -y install \
     unbound \
     xfsprogs
 
+if [[ "${ubuntu_version}" == "16.04" ]]; then
+    echo "==> installing nginx for xenial for TLSv3 support"
+
+    curl -sL http://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.14.0-1~xenial_amd64.deb -o /tmp/nginx.deb
+    # apt install with install deps (as opposed to dpkg -i)
+    apt install -y /tmp/nginx.deb
+    rm /tmp/nginx.deb
+else
+    apt install -y nginx-full
+fi
+
 # on some providers like scaleway the sudo file is changed and we want to keep the old one
 apt-get -o Dpkg::Options::="--force-confold" install -y sudo
 
@@ -62,10 +72,10 @@ apt-get -o Dpkg::Options::="--force-confold" install -y sudo
 cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
 
 echo "==> Installing node.js"
-mkdir -p /usr/local/node-10.15.1
-curl -sL https://nodejs.org/dist/v10.15.1/node-v10.15.1-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-10.15.1
-ln -sf /usr/local/node-10.15.1/bin/node /usr/bin/node
-ln -sf /usr/local/node-10.15.1/bin/npm /usr/bin/npm
+mkdir -p /usr/local/node-10.18.1
+curl -sL https://nodejs.org/dist/v10.18.1/node-v10.18.1-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-10.18.1
+ln -sf /usr/local/node-10.18.1/bin/node /usr/bin/node
+ln -sf /usr/local/node-10.18.1/bin/npm /usr/bin/npm
 apt-get install -y python   # Install python which is required for npm rebuild
 [[ "$(python --version 2>&1)" == "Python 2.7."* ]] || die "Expecting python version to be 2.7.x"
 
@@ -111,7 +121,7 @@ for image in ${images}; do
 done
 
 echo "==> Install collectd"
-if ! apt-get install -y collectd collectd-utils; then
+if ! apt-get install -y libcurl3-gnutls collectd collectd-utils; then
     # FQDNLookup is true in default debian config. The box code has a custom collectd.conf that fixes this
     echo "Failed to install collectd. Presumably because of http://mailman.verplant.org/pipermail/collectd/2015-March/006491.html"
     sed -e 's/^FQDNLookup true/FQDNLookup false/' -i /etc/collectd/collectd.conf
@@ -123,6 +133,13 @@ timedatectl set-ntp 1
 # mysql follows the system timezone
 timedatectl set-timezone UTC
 
+echo "==> Adding sshd configuration warning"
+sed -e '/Port 22/ i # NOTE: Cloudron only supports moving SSH to port 202. See https://cloudron.io/documentation/security/#securing-ssh-access' -i /etc/ssh/sshd_config
+
+# https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068
+echo "==> Disabling motd news"
+sed -i 's/^ENABLED=.*/ENABLED=0/' /etc/default/motd-news
+
 # Disable bind for good measure (on online.net, kimsufi servers these are pre-installed and conflicts with unbound)
 systemctl stop bind9 || true
 systemctl disable bind9 || true

migrations/20200101235723-domains-set-cloudflare-tokenType.js

@@ -0,0 +1,22 @@
+'use strict';
+
+let async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('SELECT * FROM domains', function (error, domains) {
+        if (error) return callback(error);
+
+        async.eachSeries(domains, function (domain, iteratorCallback) {
+            if (domain.provider !== 'cloudflare') return iteratorCallback();
+
+            let config = JSON.parse(domain.configJson);
+            config.tokenType = 'GlobalApiKey';
+
+            db.runSql('UPDATE domains SET configJson = ? WHERE domain = ?', [ JSON.stringify(config), domain.domain ], iteratorCallback);
+        }, callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20200129052822-apps-add-cpuShares.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN cpuShares INTEGER DEFAULT 512', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN cpuShares', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200131232251-appPasswords-create-table.js

@@ -0,0 +1,26 @@
+'use strict';
+
+exports.up = function(db, callback) {
+	var cmd = 'CREATE TABLE appPasswords(' +
+                'id VARCHAR(128) NOT NULL UNIQUE,' +
+				'name VARCHAR(128) NOT NULL,' +
+                'userId VARCHAR(128) NOT NULL,' +
+                'identifier VARCHAR(128) NOT NULL,' +
+                'hashedPassword VARCHAR(1024) NOT NULL,' +
+				'creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,' +
+                'FOREIGN KEY(userId) REFERENCES users(id),' +
+                'UNIQUE (name, userId),' +
+				'PRIMARY KEY (id)) CHARACTER SET utf8 COLLATE utf8_bin';
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('DROP TABLE appPasswords', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200205172146-remove-authcodedb.js

@@ -0,0 +1,22 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('DROP TABLE authcodes', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    var cmd = `CREATE TABLE IF NOT EXISTS authcodes(
+        authCode VARCHAR(128) NOT NULL UNIQUE,
+        userId VARCHAR(128) NOT NULL,
+        clientId VARCHAR(128) NOT NULL,
+        expiresAt BIGINT NOT NULL,
+        PRIMARY KEY(authCode)) CHARACTER SET utf8 COLLATE utf8_bin`;
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200206154808-remove-clients.js

@@ -0,0 +1,24 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('DROP TABLE clients', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    var cmd = `CREATE TABLE IF NOT EXISTS clients(
+      id VARCHAR(128) NOT NULL UNIQUE,
+      appId VARCHAR(128) NOT NULL,
+      type VARCHAR(16) NOT NULL,
+      clientSecret VARCHAR(512) NOT NULL,
+      redirectURI VARCHAR(512) NOT NULL,
+      scope VARCHAR(512) NOT NULL,
+      PRIMARY KEY(id)) CHARACTER SET utf8 COLLATE utf8_bin`;
+
+    db.runSql(cmd, function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200214051201-domains-drop-locked.js

@@ -0,0 +1,17 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE domains DROP COLUMN locked', function (error) {
+        if (error) return callback(error);
+
+        callback();
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE domains ADD COLUMN locked BOOLEAN DEFAULT 0', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+

migrations/20200221211850-users-add-role.js

@@ -0,0 +1,40 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'START TRANSACTION;'),
+        db.runSql.bind(db, 'ALTER TABLE users ADD COLUMN role VARCHAR(32)'),
+        function migrateAdminFlag(done) {
+            db.all('SELECT * FROM users ORDER BY createdAt', function (error, results) {
+                if (error) return done(error);
+                let ownerFound = false;
+
+                async.eachSeries(results, function (user, next) {
+                    let role;
+                    if (!ownerFound && user.admin) {
+                        role = 'owner';
+                        ownerFound = true;
+                        console.log(`Designating ${user.username} ${user.email} ${user.id} as the owner of this cloudron`);
+                    } else {
+                        role = user.admin ? 'admin' : 'user';
+                    }
+                    db.runSql('UPDATE users SET role=? WHERE id=?', [ role, user.id ], next);
+                }, done);
+            });
+        },
+        db.runSql.bind(db, 'ALTER TABLE users DROP COLUMN admin'),
+        db.runSql.bind(db, 'ALTER TABLE users MODIFY role VARCHAR(32) NOT NULL'),
+        db.runSql.bind(db, 'COMMIT')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE users DROP COLUMN role', function (error) {
+        if (error) console.error(error);
+
+        callback(error);
+    });
+};
+

migrations/20200330233442-users-add-resetTokenCreationTime.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE users ADD COLUMN resetTokenCreationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE users DROP COLUMN resetTokenCreationTime', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200331164304-apps-alter-mailboxDomain.js

@@ -0,0 +1,28 @@
+'use strict';
+
+let async = require('async');
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps MODIFY mailboxDomain VARCHAR(128)', [], function (error) { // make it nullable
+        if (error) console.error(error);
+
+        // clear mailboxName/Domain for apps that do not use mail addons
+        db.all('SELECT * FROM apps', function (error, apps) {
+            if (error) return callback(error);
+
+            async.eachSeries(apps, function (app, iteratorDone) {
+                var manifest = JSON.parse(app.manifestJson);
+                if (manifest.addons['sendmail'] || manifest.addons['recvmail']) return iteratorDone();
+
+                db.runSql('UPDATE apps SET mailboxName=?, mailboxDomain=? WHERE id=?', [ null, null, app.id ], iteratorDone);
+            }, callback);
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps MODIFY manifestJson VARCHAR(128) NOT NULL', [], function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200417235435-mailboxes-add-membersOnly.js

@@ -0,0 +1,17 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE mailboxes ADD COLUMN membersOnly BOOLEAN DEFAULT 0', function (error) {
+        if (error) return callback(error);
+
+        callback();
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE users DROP COLUMN membersOnly', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+

migrations/20200420013715-mailboxes-add-aliasDomain.js

@@ -0,0 +1,28 @@
+'use strict';
+
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE mailboxes ADD COLUMN aliasDomain VARCHAR(128)'),
+        function setAliasDomain(done) {
+            db.all('SELECT * FROM mailboxes', function (error, mailboxes) {
+                async.eachSeries(mailboxes, function (mailbox, iteratorDone) {
+                    if (!mailbox.aliasTarget) return iteratorDone();
+
+                    db.runSql('UPDATE mailboxes SET aliasDomain=? WHERE name=? AND domain=?', [ mailbox.domain, mailbox.name, mailbox.domain ], iteratorDone);
+                }, done);
+            });
+        },
+        db.runSql.bind(db, 'ALTER TABLE mailboxes ADD CONSTRAINT mailboxes_aliasDomain_constraint FOREIGN KEY(aliasDomain) REFERENCES mail(domain)'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes CHANGE aliasTarget aliasName VARCHAR(128)')
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'ALTER TABLE mailboxes DROP FOREIGN KEY mailboxes_aliasDomain_constraint'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes DROP COLUMN aliasDomain'),
+        db.runSql.bind(db, 'ALTER TABLE mailboxes CHANGE aliasName aliasTarget VARCHAR(128)')
+    ], callback);
+};

migrations/20200427044800-apps-add-servicesConfigJson.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN servicesConfigJson TEXT', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN servicesConfigJson', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200430035310-apps-add-bindsJson.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN bindsJson TEXT', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN bindsJson', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200512172301-settings-backup-encryption.js

@@ -0,0 +1,35 @@
+'use strict';
+
+const backups = require('../src/backups.js'),
+    fs = require('fs');
+
+exports.up = function(db, callback) {
+    db.all('SELECT value FROM settings WHERE name="backup_config"', function (error, results) {
+        if (error || results.length === 0) return callback(error);
+
+        var backupConfig = JSON.parse(results[0].value);
+        if (backupConfig.key) {
+            backupConfig.encryption = backups.generateEncryptionKeysSync(backupConfig.key);
+            backups.cleanupCacheFilesSync();
+
+            fs.writeFileSync('/home/yellowtent/platformdata/BACKUP_PASSWORD',
+                'This file contains your Cloudron backup password.\nBefore Cloudron v5.2, this was saved in the database.' +
+                'From Cloudron 5.2, this password is not required anymore. We generate strong keys based off this password and use those keys to encrypt the backups.\n' +
+                'This means that the password is only required at decryption/restore time.\n\n' +
+                'This file can be safely removed and only exists for the off-chance that you do not remember your backup password.\n\n' +
+                `Password: ${backupConfig.key}\n`,
+                'utf8');
+
+        } else {
+            backupConfig.encryption = null;
+        }
+
+        delete backupConfig.key;
+
+        db.runSql('UPDATE settings SET value=? WHERE name="backup_config"', [ JSON.stringify(backupConfig) ], callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/20200514043113-backups-rename-version-to-packageVersion.js

@@ -0,0 +1,15 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE backups CHANGE version packageVersion VARCHAR(128) NOT NULL', [], function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE backups CHANGE packageVersion version VARCHAR(128) NOT NULL', [], function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200514045746-backups-add-encryptionVersion.js

@@ -0,0 +1,24 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE backups ADD COLUMN encryptionVersion INTEGER', function (error) {
+        if (error) return callback(error);
+
+        db.all('SELECT value FROM settings WHERE name="backup_config"', function (error, results) {
+            if (error || results.length === 0) return callback(error);
+
+            var backupConfig = JSON.parse(results[0].value);
+            if (!backupConfig.encryption) return callback(null);
+
+            // mark old encrypted backups as v1
+            db.runSql('UPDATE backups SET encryptionVersion=1', callback);
+        });
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE backups DROP COLUMN encryptionVersion', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};

migrations/20200514231149-backups-retentionSecs-to-retentionPolicy.js

@@ -0,0 +1,18 @@
+'use strict';
+
+exports.up = function(db, callback) {
+    db.all('SELECT value FROM settings WHERE name="backup_config"', function (error, results) {
+        if (error || results.length === 0) return callback(error);
+
+        var backupConfig = JSON.parse(results[0].value);
+        backupConfig.retentionPolicy = { keepWithinSecs: backupConfig.retentionSecs };
+        delete backupConfig.retentionSecs;
+
+        // mark old encrypted backups as v1
+        db.runSql('UPDATE settings SET value=? WHERE name="backup_config"', [ JSON.stringify(backupConfig) ], callback);
+    });
+};
+
+exports.down = function(db, callback) {
+    callback();
+};

migrations/schema.sql

@@ -26,8 +26,11 @@ CREATE TABLE IF NOT EXISTS users(
     fallbackEmail VARCHAR(512) DEFAULT "",
     twoFactorAuthenticationSecret VARCHAR(128) DEFAULT "",
     twoFactorAuthenticationEnabled BOOLEAN DEFAULT false,
-    admin BOOLEAN DEFAULT false,
     source VARCHAR(128) DEFAULT "",
+    role VARCHAR(32),
+    resetToken VARCHAR(128) DEFAULT "",
+    resetTokenCreationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    active BOOLEAN DEFAULT 1,
 
     PRIMARY KEY(id));
 
@@ -52,15 +55,6 @@ CREATE TABLE IF NOT EXISTS tokens(
     expires BIGINT NOT NULL, // FIXME: make this a timestamp
     PRIMARY KEY(accessToken));
 
-CREATE TABLE IF NOT EXISTS clients(
-    id VARCHAR(128) NOT NULL UNIQUE, // prefixed with cid- to identify token easily in auth routes
-    appId VARCHAR(128) NOT NULL,     // name of the client (for external apps) or id of app (for built-in apps)
-    type VARCHAR(16) NOT NULL,
-    clientSecret VARCHAR(512) NOT NULL,
-    redirectURI VARCHAR(512) NOT NULL,
-    scope VARCHAR(512) NOT NULL,
-    PRIMARY KEY(id));
-
 CREATE TABLE IF NOT EXISTS apps(
     id VARCHAR(128) NOT NULL UNIQUE,
     appStoreId VARCHAR(128) NOT NULL, // empty for custom apps
@@ -78,19 +72,21 @@ CREATE TABLE IF NOT EXISTS apps(
     updateTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,   // when the last app update was done
     ts TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP, // when this db record was updated (useful for UI caching)
     memoryLimit BIGINT DEFAULT 0,
+    cpuShares INTEGER DEFAULT 512,
     xFrameOptions VARCHAR(512),
     sso BOOLEAN DEFAULT 1, // whether user chose to enable SSO
     debugModeJson TEXT, // options for development mode
     reverseProxyConfigJson TEXT, // { robotsTxt, csp }
     enableBackup BOOLEAN DEFAULT 1, // misnomer: controls automatic daily backups
     enableAutomaticUpdate BOOLEAN DEFAULT 1,
-    mailboxName VARCHAR(128), // mailbox of this app. default allocated as '.app'
-    mailboxDomain VARCHAR(128) NOT NULL, // mailbox domain of this apps
+    mailboxName VARCHAR(128), // mailbox of this app
+    mailboxDomain VARCHAR(128), // mailbox domain of this apps
     label VARCHAR(128),     // display name
     tagsJson VARCHAR(2048), // array of tags
     dataDir VARCHAR(256) UNIQUE,
     taskId INTEGER, // current task
     errorJson TEXT,
+    bindsJson TEXT, // bind mounts
 
     FOREIGN KEY(mailboxDomain) REFERENCES domains(domain),
     FOREIGN KEY(taskId) REFERENCES tasks(id),
@@ -104,13 +100,6 @@ CREATE TABLE IF NOT EXISTS appPortBindings(
     FOREIGN KEY(appId) REFERENCES apps(id),
     PRIMARY KEY(hostPort));
 
-CREATE TABLE IF NOT EXISTS authcodes(
-    authCode VARCHAR(128) NOT NULL UNIQUE,
-    userId VARCHAR(128) NOT NULL,
-    clientId VARCHAR(128) NOT NULL,
-    expiresAt BIGINT NOT NULL, // ## FIXME: make this a timestamp
-    PRIMARY KEY(authCode));
-
 CREATE TABLE IF NOT EXISTS settings(
     name VARCHAR(128) NOT NULL UNIQUE,
     value TEXT,
@@ -132,7 +121,8 @@ CREATE TABLE IF NOT EXISTS appEnvVars(
 CREATE TABLE IF NOT EXISTS backups(
     id VARCHAR(128) NOT NULL,
     creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
-    version VARCHAR(128) NOT NULL, /* app version or box version */
+    packageVersion VARCHAR(128) NOT NULL, /* app version or box version */
+    encryptionVersion INTEGER, /* when null, unencrypted backup */
     type VARCHAR(16) NOT NULL, /* 'box' or 'app' */
     dependsOn TEXT, /* comma separate list of objects this backup depends on */
     state VARCHAR(16) NOT NULL,
@@ -157,7 +147,6 @@ CREATE TABLE IF NOT EXISTS domains(
     provider VARCHAR(16) NOT NULL,
     configJson TEXT, /* JSON containing the dns backend provider config */
     tlsConfigJson TEXT, /* JSON containing the tls provider config */
-    locked BOOLEAN,
 
     PRIMARY KEY (domain))
 
@@ -190,12 +179,15 @@ CREATE TABLE IF NOT EXISTS mailboxes(
     name VARCHAR(128) NOT NULL,
     type VARCHAR(16) NOT NULL, /* 'mailbox', 'alias', 'list' */
     ownerId VARCHAR(128) NOT NULL, /* user id */
-    aliasTarget VARCHAR(128), /* the target name type is an alias */
+    aliasName VARCHAR(128), /* the target name type is an alias */
+    aliasDomain VARCHAR(128), /* the target domain */
     membersJson TEXT, /* members of a group. fully qualified */
+    membersOnly BOOLEAN DEFAULT false,
     creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
     domain VARCHAR(128),
 
     FOREIGN KEY(domain) REFERENCES mail(domain),
+    FOREIGN KEY(aliasDomain) REFERENCES mail(domain),
     UNIQUE (name, domain));
 
 CREATE TABLE IF NOT EXISTS subdomains(
@@ -231,4 +223,16 @@ CREATE TABLE IF NOT EXISTS notifications(
     PRIMARY KEY (id)
 );
 
+CREATE TABLE IF NOT EXISTS appPasswords(
+    id VARCHAR(128) NOT NULL UNIQUE,
+    name VARCHAR(128) NOT NULL,
+    userId VARCHAR(128) NOT NULL,
+    identifier VARCHAR(128) NOT NULL, // resourceId: app id or mail or webadmin
+    hashedPassword VARCHAR(1024) NOT NULL,
+    creationTime TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY(userId) REFERENCES users(id),
+    UNIQUE (name, userId),
+    PRIMARY KEY (id)
+);
+
 CHARACTER SET utf8 COLLATE utf8_bin;

package.json

@@ -17,71 +17,60 @@
     "@google-cloud/dns": "^1.1.0",
     "@google-cloud/storage": "^2.5.0",
     "@sindresorhus/df": "git+https://github.com/cloudron-io/df.git#type",
-    "async": "^2.6.2",
-    "aws-sdk": "^2.476.0",
+    "async": "^2.6.3",
+    "aws-sdk": "^2.610.0",
     "body-parser": "^1.19.0",
-    "cloudron-manifestformat": "^4.0.0",
+    "cloudron-manifestformat": "^5.1.1",
     "connect": "^3.7.0",
-    "connect-ensure-login": "^0.1.1",
-    "connect-lastmile": "^1.2.1",
+    "connect-lastmile": "^1.2.2",
     "connect-timeout": "^1.9.0",
-    "cookie-parser": "^1.4.4",
-    "cookie-session": "^1.3.3",
-    "cron": "^1.7.1",
-    "csurf": "^1.10.0",
+    "cookie-session": "^1.4.0",
+    "cron": "^1.8.2",
     "db-migrate": "^0.11.6",
     "db-migrate-mysql": "^1.1.10",
     "debug": "^4.1.1",
     "dockerode": "^2.5.8",
     "ejs": "^2.6.1",
-    "ejs-cli": "^2.0.1",
+    "ejs-cli": "^2.1.1",
     "express": "^4.17.1",
-    "express-session": "^1.16.2",
     "js-yaml": "^3.13.1",
     "json": "^9.0.6",
     "ldapjs": "^1.0.2",
-    "lodash": "^4.17.11",
+    "lodash": "^4.17.15",
     "lodash.chunk": "^4.2.0",
     "mime": "^2.4.4",
-    "moment-timezone": "^0.5.25",
+    "moment": "^2.25.3",
+    "moment-timezone": "^0.5.27",
     "morgan": "^1.9.1",
     "multiparty": "^4.2.1",
-    "mysql": "^2.17.1",
-    "nodemailer": "^6.2.1",
+    "mysql": "^2.18.1",
+    "nodemailer": "^6.4.2",
     "nodemailer-smtp-transport": "^2.7.4",
-    "oauth2orize": "^1.11.0",
     "once": "^1.4.0",
     "parse-links": "^0.1.0",
-    "passport": "^0.4.0",
-    "passport-http": "^0.3.0",
-    "passport-http-bearer": "^1.0.1",
-    "passport-local": "^1.0.0",
-    "passport-oauth2-client-password": "^0.1.2",
     "pretty-bytes": "^5.3.0",
     "progress-stream": "^2.0.0",
     "proxy-middleware": "^0.15.0",
-    "qrcode": "^1.3.3",
-    "readdirp": "^3.0.2",
+    "qrcode": "^1.4.4",
+    "readdirp": "^3.3.0",
     "request": "^2.88.0",
     "rimraf": "^2.6.3",
     "s3-block-read-stream": "^0.5.0",
-    "safetydance": "^0.7.1",
+    "safetydance": "^1.0.0",
     "semver": "^6.1.1",
-    "session-file-store": "^1.3.1",
-    "showdown": "^1.9.0",
+    "showdown": "^1.9.1",
     "speakeasy": "^2.0.0",
     "split": "^1.0.1",
-    "superagent": "^5.0.9",
+    "superagent": "^5.2.1",
     "supererror": "^0.7.2",
     "tar-fs": "github:cloudron-io/tar-fs#ignore_stat_error",
     "tar-stream": "^2.1.0",
     "tldjs": "^2.3.1",
-    "underscore": "^1.9.1",
-    "uuid": "^3.3.2",
-    "valid-url": "^1.0.9",
+    "underscore": "^1.9.2",
+    "uuid": "^3.4.0",
     "validator": "^11.0.0",
-    "ws": "^7.0.0",
-    "xml2js": "^0.4.19"
+    "ws": "^7.2.1",
+    "xml2js": "^0.4.23"
   },
   "devDependencies": {
     "expect.js": "*",

scripts/cloudron-setup

@@ -92,13 +92,14 @@ fi
 echo "Running cloudron-setup with args : $@" > "${LOG_FILE}"
 
 # validate arguments in the absence of data
-readonly AVAILABLE_PROVIDERS="azure, caas, cloudscale, contabo, digitalocean, ec2, exoscale, galaxygate, gce, hetzner, interox, lightsail, linode, netcup, ovh, rosehosting, scaleway, skysilk, time4vps, upcloud, vultr or generic"
+readonly AVAILABLE_PROVIDERS="azure, caas, cloudscale, contabo, digitalocean, ec2, exoscale, gce, hetzner, interox, lightsail, linode, netcup, ovh, rosehosting, scaleway, skysilk, time4vps, upcloud, vultr or generic"
 if [[ -z "${provider}" ]]; then
     echo "--provider is required ($AVAILABLE_PROVIDERS)"
     exit 1
 elif [[  \
             "${provider}" != "ami" && \
             "${provider}" != "azure" && \
+            "${provider}" != "azure-image" && \
             "${provider}" != "caas" && \
             "${provider}" != "cloudscale" && \
             "${provider}" != "contabo" && \
@@ -106,13 +107,13 @@ elif [[  \
             "${provider}" != "digitalocean-mp" && \
             "${provider}" != "ec2" && \
             "${provider}" != "exoscale" && \
-            "${provider}" != "galaxygate" && \
             "${provider}" != "gce" && \
             "${provider}" != "hetzner" && \
             "${provider}" != "interox" && \
             "${provider}" != "interox-image" && \
             "${provider}" != "lightsail" && \
             "${provider}" != "linode" && \
+            "${provider}" != "linode-oneclick" && \
             "${provider}" != "linode-stackscript" && \
             "${provider}" != "netcup" && \
             "${provider}" != "netcup-image" && \
@@ -202,21 +203,11 @@ if [[ "${initBaseImage}" == "true" ]]; then
     echo ""
 fi
 
-# NOTE: this install script only supports 3.x and above
+# NOTE: this install script only supports 4.2 and above
 echo "=> Installing version ${version} (this takes some time) ..."
 mkdir -p /etc/cloudron
-# this file is used >= 4.2
 echo "${provider}" > /etc/cloudron/PROVIDER
 
-# this file is unused <= 4.2 and exists to make legacy installations work. the start script will remove this file anyway
-cat > "/etc/cloudron/cloudron.conf" <<CONF_END
-{
-    "apiServerOrigin": "${apiServerOrigin}",
-    "webServerOrigin": "${webServerOrigin}",
-    "provider": "${provider}"
-}
-CONF_END
-
 [[ -n "${license}" ]] && echo -n "$license" > /etc/cloudron/LICENSE
 
 if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" &>> "${LOG_FILE}"; then
@@ -224,7 +215,6 @@ if ! /bin/bash "${box_src_tmp_dir}/scripts/installer.sh" &>> "${LOG_FILE}"; then
     exit 1
 fi
 
-# only needed for >= 4.2
 mysql -uroot -ppassword -e "REPLACE INTO box.settings (name, value) VALUES ('api_server_origin', '${apiServerOrigin}');" 2>/dev/null
 mysql -uroot -ppassword -e "REPLACE INTO box.settings (name, value) VALUES ('web_server_origin', '${webServerOrigin}');" 2>/dev/null
 
@@ -237,7 +227,10 @@ while true; do
     sleep 10
 done
 
-echo -e "\n\n${GREEN}Visit https://<IP> and accept the self-signed certificate to finish setup.${DONE}\n"
+if ! ip=$(curl --fail --connect-timeout 2 --max-time 2 -q https://api.cloudron.io/api/v1/helper/public_ip | sed -n -e 's/.*"ip": "\(.*\)"/\1/p'); then
+    ip='<IP>'
+fi
+echo -e "\n\n${GREEN}Visit https://${ip} and accept the self-signed certificate to finish setup.${DONE}\n"
 
 if [[ "${rebootServer}" == "true" ]]; then
     systemctl stop box mysql # sometimes mysql ends up having corrupt privilege tables

scripts/cloudron-support

@@ -13,7 +13,7 @@ HELP_MESSAGE="
 This script collects diagnostic information to help debug server related issues
 
  Options:
-   --admin-login   Login as administrator
+   --owner-login   Login as owner
    --enable-ssh    Enable SSH access for the Cloudron support team
    --help          Show this message
 "
@@ -26,7 +26,7 @@ fi
 
 enableSSH="false"
 
-args=$(getopt -o "" -l "help,enable-ssh,admin-login" -n "$0" -- "$@")
+args=$(getopt -o "" -l "help,enable-ssh,admin-login,owner-login" -n "$0" -- "$@")
 eval set -- "${args}"
 
 while true; do
@@ -34,10 +34,15 @@ while true; do
     --help) echo -e "${HELP_MESSAGE}"; exit 0;;
     --enable-ssh) enableSSH="true"; shift;;
     --admin-login)
-        admin_username=$(mysql -NB -uroot -ppassword -e "SELECT username FROM box.users WHERE admin=1 LIMIT 1" 2>/dev/null)
+        # fall through
+        ;&
+    --owner-login)
+        admin_username=$(mysql -NB -uroot -ppassword -e "SELECT username FROM box.users WHERE role='owner' LIMIT 1" 2>/dev/null)
         admin_password=$(pwgen -1s 12)
-        printf '{"%s":"%s"}\n' "${admin_username}" "${admin_password}" > /tmp/cloudron_ghost.json
-        echo "Login as ${admin_username} / ${admin_password} . Remove /tmp/cloudron_ghost.json when done."
+        ghost_file=/home/yellowtent/platformdata/cloudron_ghost.json
+        printf '{"%s":"%s"}\n' "${admin_username}" "${admin_password}" > "${ghost_file}"
+        chown yellowtent:yellowtent "${ghost_file}" && chmod o-r,g-r "${ghost_file}"
+        echo "Login as ${admin_username} / ${admin_password} . Remove ${ghost_file} when done."
         exit 0
         ;;
     --) break;;
@@ -80,13 +85,13 @@ echo -e $LINE"Filesystem stats"$LINE >> $OUT
 df -h &>> $OUT
 
 echo -e $LINE"Appsdata stats"$LINE >> $OUT
-du -hcsL /home/yellowtent/appsdata/* &>> $OUT
+du -hcsL /home/yellowtent/appsdata/* &>> $OUT || true
 
 echo -e $LINE"Boxdata stats"$LINE >> $OUT
 du -hcsL /home/yellowtent/boxdata/* &>> $OUT
 
 echo -e $LINE"Backup stats (possibly misleading)"$LINE >> $OUT
-du -hcsL /var/backups/* &>> $OUT
+du -hcsL /var/backups/* &>> $OUT || true
 
 echo -e $LINE"System daemon status"$LINE >> $OUT
 systemctl status --lines=100 cloudron.target box mysql unbound cloudron-syslog nginx collectd docker &>> $OUT

scripts/createReleaseTarball

@@ -41,8 +41,8 @@ if ! $(cd "${SOURCE_DIR}/../dashboard" && git diff --exit-code >/dev/null); then
     exit 1
 fi
 
-if [[ "$(node --version)" != "v10.15.1" ]]; then
-    echo "This script requires node 10.15.1"
+if [[ "$(node --version)" != "v10.18.1" ]]; then
+    echo "This script requires node 10.18.1"
     exit 1
 fi
 

scripts/installer.sh

@@ -11,9 +11,8 @@ if [[ ${EUID} -ne 0 ]]; then
     exit 1
 fi
 
-readonly USER=yellowtent
-readonly BOX_SRC_DIR=/home/${USER}/box
-readonly BASE_DATA_DIR=/home/${USER}
+readonly user=yellowtent
+readonly box_src_dir=/home/${user}/box
 
 readonly curl="curl --fail --connect-timeout 20 --retry 10 --retry-delay 2 --max-time 2400"
 readonly script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -24,6 +23,8 @@ readonly ubuntu_codename=$(lsb_release -cs)
 
 readonly is_update=$(systemctl is-active box && echo "yes" || echo "no")
 
+echo "==> installer: Updating from $(cat $box_src_dir/VERSION) to $(cat $box_src_tmp_dir/VERSION) <=="
+
 echo "==> installer: updating docker"
 
 if [[ $(docker version --format {{.Client.Version}}) != "18.09.2" ]]; then
@@ -56,13 +57,22 @@ if [[ $(docker version --format {{.Client.Version}}) != "18.09.2" ]]; then
     rm /tmp/containerd.deb /tmp/docker-ce-cli.deb /tmp/docker.deb
 fi
 
+readonly nginx_version=$(nginx -v)
+if [[ "${nginx_version}" != *"1.14."* && "${ubuntu_version}" == "16.04" ]]; then
+    echo "==> installer: installing nginx for xenial for TLSv3 support"
+    curl -sL http://nginx.org/packages/ubuntu/pool/nginx/n/nginx/nginx_1.14.0-1~xenial_amd64.deb -o /tmp/nginx.deb
+    # apt install with install deps (as opposed to dpkg -i)
+    apt install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" --force-yes /tmp/nginx.deb
+    rm /tmp/nginx.deb
+fi
+
 echo "==> installer: updating node"
-if [[ "$(node --version)" != "v10.15.1" ]]; then
-    mkdir -p /usr/local/node-10.15.1
-    $curl -sL https://nodejs.org/dist/v10.15.1/node-v10.15.1-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-10.15.1
-    ln -sf /usr/local/node-10.15.1/bin/node /usr/bin/node
-    ln -sf /usr/local/node-10.15.1/bin/npm /usr/bin/npm
-    rm -rf /usr/local/node-8.11.2 /usr/local/node-8.9.3
+if [[ "$(node --version)" != "v10.18.1" ]]; then
+    mkdir -p /usr/local/node-10.18.1
+    $curl -sL https://nodejs.org/dist/v10.18.1/node-v10.18.1-linux-x64.tar.gz | tar zxvf - --strip-components=1 -C /usr/local/node-10.18.1
+    ln -sf /usr/local/node-10.18.1/bin/node /usr/bin/node
+    ln -sf /usr/local/node-10.18.1/bin/npm /usr/bin/npm
+    rm -rf /usr/local/node-10.15.1
 fi
 
 # this is here (and not in updater.js) because rebuild requires the above node
@@ -109,22 +119,22 @@ while [[ ! -f "${CLOUDRON_SYSLOG}" || "$(${CLOUDRON_SYSLOG} --version)" != ${CLO
     sleep 5
 done
 
-if ! id "${USER}" 2>/dev/null; then
-    useradd "${USER}" -m
+if ! id "${user}" 2>/dev/null; then
+    useradd "${user}" -m
 fi
 
 if [[ "${is_update}" == "yes" ]]; then
     echo "==> installer: stop cloudron.target service for update"
-    ${BOX_SRC_DIR}/setup/stop.sh
+    ${box_src_dir}/setup/stop.sh
 fi
 
 # ensure we are not inside the source directory, which we will remove now
 cd /root
 
 echo "==> installer: switching the box code"
-rm -rf "${BOX_SRC_DIR}"
-mv "${box_src_tmp_dir}" "${BOX_SRC_DIR}"
-chown -R "${USER}:${USER}" "${BOX_SRC_DIR}"
+rm -rf "${box_src_dir}"
+mv "${box_src_tmp_dir}" "${box_src_dir}"
+chown -R "${user}:${user}" "${box_src_dir}"
 
 echo "==> installer: calling box setup script"
-"${BOX_SRC_DIR}/setup/start.sh"
+"${box_src_dir}/setup/start.sh"

setup/start.sh

@@ -20,6 +20,11 @@ readonly ubuntu_version=$(lsb_release -rs)
 
 cp -f "${script_dir}/../scripts/cloudron-support" /usr/bin/cloudron-support
 
+# this needs to match the cloudron/base:2.0.0 gid
+if ! getent group media; then
+    addgroup --gid 500 --system media
+fi
+
 echo "==> Configuring docker"
 cp "${script_dir}/start/docker-cloudron-app.apparmor" /etc/apparmor.d/docker-cloudron-app
 systemctl enable apparmor
@@ -47,7 +52,8 @@ mkdir -p "${PLATFORM_DATA_DIR}/backup"
 mkdir -p "${PLATFORM_DATA_DIR}/logs/backup" \
          "${PLATFORM_DATA_DIR}/logs/updater" \
          "${PLATFORM_DATA_DIR}/logs/tasks" \
-         "${PLATFORM_DATA_DIR}/logs/crash"
+         "${PLATFORM_DATA_DIR}/logs/crash" \
+         "${PLATFORM_DATA_DIR}/logs/collectd"
 mkdir -p "${PLATFORM_DATA_DIR}/update"
 
 mkdir -p "${BOX_DATA_DIR}/appicons"
@@ -55,6 +61,7 @@ mkdir -p "${BOX_DATA_DIR}/profileicons"
 mkdir -p "${BOX_DATA_DIR}/certs"
 mkdir -p "${BOX_DATA_DIR}/acme" # acme keys
 mkdir -p "${BOX_DATA_DIR}/mail/dkim"
+mkdir -p "${BOX_DATA_DIR}/well-known" # .well-known documents
 
 # ensure backups folder exists and is writeable
 mkdir -p /var/backups
@@ -114,7 +121,7 @@ rm -f /etc/sudoers.d/${USER}
 cp "${script_dir}/start/sudoers" /etc/sudoers.d/${USER}
 
 echo "==> Configuring collectd"
-rm -rf /etc/collectd
+rm -rf /etc/collectd /var/log/collectd.log
 ln -sfF "${PLATFORM_DATA_DIR}/collectd" /etc/collectd
 cp "${script_dir}/start/collectd/collectd.conf" "${PLATFORM_DATA_DIR}/collectd/collectd.conf"
 systemctl restart collectd
@@ -169,9 +176,11 @@ readonly mysql_root_password="password"
 mysqladmin -u root -ppassword password password # reset default root password
 mysql -u root -p${mysql_root_password} -e 'CREATE DATABASE IF NOT EXISTS box'
 
+# set HOME explicity, because it's not set when the installer calls it. this is done because
+# paths.js uses this env var and some of the migrate code requires box code
 echo "==> Migrating data"
 cd "${BOX_SRC_DIR}"
-if ! BOX_ENV=cloudron DATABASE_URL=mysql://root:${mysql_root_password}@127.0.0.1/box "${BOX_SRC_DIR}/node_modules/.bin/db-migrate" up; then
+if ! HOME=${HOME_DIR} BOX_ENV=cloudron DATABASE_URL=mysql://root:${mysql_root_password}@127.0.0.1/box "${BOX_SRC_DIR}/node_modules/.bin/db-migrate" up; then
     echo "DB migration failed"
     exit 1
 fi
@@ -190,6 +199,9 @@ fi
 echo "==> Cleaning up stale redis directories"
 find "${APPS_DATA_DIR}" -maxdepth 2 -type d -name redis -exec rm -rf {} +
 
+echo "==> Cleaning up old logs"
+rm -f /home/yellowtent/platformdata/logs/*/*.log.* || true
+
 echo "==> Changing ownership"
 # be careful of what is chown'ed here. subdirs like mysql,redis etc are owned by the containers and will stop working if perms change
 chown -R "${USER}" /etc/cloudron

setup/start/cloudron-firewall.sh

@@ -12,6 +12,11 @@ iptables -t filter -I CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
 # ssh is allowed alternately on port 202
 iptables -A CLOUDRON -p tcp -m tcp -m multiport --dports 22,25,80,202,443,587,993,4190 -j ACCEPT
 
+# turn and stun service
+iptables -t filter -A CLOUDRON -p tcp -m multiport --dports 3478,5349 -j ACCEPT
+iptables -t filter -A CLOUDRON -p udp -m multiport --dports 3478,5349 -j ACCEPT
+iptables -t filter -A CLOUDRON -p udp -m multiport --dports 50000:51000 -j ACCEPT
+
 iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-request -j ACCEPT
 iptables -t filter -A CLOUDRON -p icmp --icmp-type echo-reply -j ACCEPT
 iptables -t filter -A CLOUDRON -p udp --sport 53 -j ACCEPT

setup/start/cloudron-motd

@@ -3,10 +3,17 @@
 printf "**********************************************************************\n\n"
 
 if [[ -z "$(ls -A /home/yellowtent/boxdata/mail/dkim)" ]]; then
+    if [[ -f /tmp/.cloudron-motd-cache ]]; then
+        ip=$(cat /tmp/.cloudron-motd-cache)
+    elif ! ip=$(curl --fail --connect-timeout 2 --max-time 2 -q https://api.cloudron.io/api/v1/helper/public_ip | sed -n -e 's/.*"ip": "\(.*\)"/\1/p'); then
+        ip='<IP>'
+    fi
+    echo "${ip}" > /tmp/.cloudron-motd-cache
+
     printf "\t\t\tWELCOME TO CLOUDRON\n"
     printf "\t\t\t-------------------\n"
 
-    printf '\n\e[1;32m%-6s\e[m\n\n' "Visit https://<IP> on your browser and accept the self-signed certificate to finish setup."
+    printf '\n\e[1;32m%-6s\e[m\n\n' "Visit https://${ip} on your browser and accept the self-signed certificate to finish setup."
     printf "Cloudron overview - https://cloudron.io/documentation/ \n"
     printf "Cloudron setup - https://cloudron.io/documentation/installation/#setup \n"
 else

setup/start/collectd/collectd.conf

@@ -57,7 +57,7 @@ LoadPlugin logfile
 
 <Plugin logfile>
    LogLevel "info"
-   File "/var/log/collectd.log"
+   File "/home/yellowtent/platformdata/logs/collectd/collectd.log"
    Timestamp true
    PrintSeverity false
 </Plugin>

setup/start/collectd/du.py

@@ -3,10 +3,12 @@ import collectd,os,subprocess,sys,re,time
 # https://www.programcreek.com/python/example/106897/collectd.register_read
 
 PATHS = [] # { name, dir, exclude }
+# there is a pattern in carbon/storage-schemas.conf which stores values every 12h for a year
 INTERVAL = 60 * 60 * 12 # twice a day. change values in docker-graphite if you change this
 
 def du(pathinfo):
-    cmd = 'timeout 1800 du -Dsb "{}"'.format(pathinfo['dir'])
+    # -B1 makes du print block sizes and not apparent sizes (to match df which also uses block sizes)
+    cmd = 'timeout 1800 du -DsB1 "{}"'.format(pathinfo['dir'])
     if pathinfo['exclude'] != '':
         cmd += ' --exclude "{}"'.format(pathinfo['exclude'])
 
@@ -26,6 +28,7 @@ def parseSize(size):
 
 def dockerSize():
     # use --format '{{json .}}' to dump the string. '{{if eq .Type "Images"}}{{.Size}}{{end}}' still creates newlines
+    # https://godoc.org/github.com/docker/go-units#HumanSize is used. so it's 1000 (KB) and not 1024 (KiB)
     cmd = 'timeout 1800 docker system df --format "{{.Size}}" | head -n1'
     try:
         size = subprocess.check_output(cmd, shell=True).strip().decode('utf-8')

setup/start/custom.yml

@@ -1,40 +0,0 @@
-# add customizations here
-# after making changes run "sudo systemctl restart box"
-
-# appstore:
-#   blacklist:
-#     - io.wekan.cloudronapp
-#     - io.cloudron.openvpn
-#   whitelist:
-#     org.wordpress.cloudronapp: {}
-#     chat.rocket.cloudronapp: {}
-#     com.nextcloud.cloudronapp: {}
-#
-# backups:
-#   configurable: true
-#
-# domains:
-#   dynamicDns: true
-#   changeDashboardDomain: true
-#
-# subscription:
-#   configurable: true
-#
-# support:
-#   email: support@cloudron.io
-#   remoteSupport: true
-#
-#   ticketFormBody: |
-#     Use this form to open support tickets. You can also write directly to [support@cloudron.io](mailto:support@cloudron.io).
-#       * [Knowledge Base & App Docs](https://cloudron.io/documentation/apps/?support_view)
-#       * [Custom App Packaging & API](https://cloudron.io/developer/packaging/?support_view)
-#       * [Forum](https://forum.cloudron.io/)
-#
-#   submitTickets: true
-#
-# alerts:
-#   email: support@cloudron.io
-#   notifyCloudronAdmins: false
-#
-# footer:
-#   body: '&copy; 2019 [Cloudron](https://cloudron.io) [Forum <i class="fa fa-comments"></i>](https://forum.cloudron.io)'

setup/start/logrotate/platform

@@ -9,6 +9,8 @@
 /home/yellowtent/platformdata/logs/sftp/*.log
 /home/yellowtent/platformdata/logs/redis-*/*.log
 /home/yellowtent/platformdata/logs/crash/*.log
+/home/yellowtent/platformdata/logs/collectd/*.log
+/home/yellowtent/platformdata/logs/turn/*.log
 /home/yellowtent/platformdata/logs/updater/*.log {
     # only keep one rotated file, we currently do not send that over the api
     rotate 1
@@ -16,6 +18,7 @@
     missingok
     # we never compress so we can simply tail the files
     nocompress
+    # this truncates the original log file and not the rotated one
     copytruncate
 }
 

setup/start/systemd/box.service

@@ -13,7 +13,7 @@ Type=idle
 WorkingDirectory=/home/yellowtent/box
 Restart=always
 ; Systemd does not append logs when logging to files, we spawn a shell first and exec to replace it after setting up the pipes
-ExecStart=/bin/sh -c 'echo "Logging to /home/yellowtent/platformdata/logs/box.log"; exec /usr/bin/node --max_old_space_size=150 /home/yellowtent/box/box.js >> /home/yellowtent/platformdata/logs/box.log 2>&1'
+ExecStart=/bin/sh -c 'echo "Logging to /home/yellowtent/platformdata/logs/box.log"; exec /usr/bin/node /home/yellowtent/box/box.js >> /home/yellowtent/platformdata/logs/box.log 2>&1'
 Environment="HOME=/home/yellowtent" "USER=yellowtent" "DEBUG=box*,connect-lastmile" "BOX_ENV=cloudron" "NODE_ENV=production"
 ; kill apptask processes as well
 KillMode=control-group

src/accesscontrol.js

@@ -1,140 +1,29 @@
 'use strict';
 
 exports = module.exports = {
-    SCOPE_APPS_READ: 'apps:read',
-    SCOPE_APPS_MANAGE: 'apps:manage',
-    SCOPE_APPSTORE: 'appstore',
-    SCOPE_CLIENTS: 'clients',
-    SCOPE_CLOUDRON: 'cloudron',
-    SCOPE_DOMAINS_READ: 'domains:read',
-    SCOPE_DOMAINS_MANAGE: 'domains:manage',
-    SCOPE_MAIL: 'mail',
-    SCOPE_PROFILE: 'profile',
-    SCOPE_SETTINGS: 'settings',
-    SCOPE_SUBSCRIPTION: 'subscription',
-    SCOPE_USERS_READ: 'users:read',
-    SCOPE_USERS_MANAGE: 'users:manage',
-    VALID_SCOPES: [ 'apps', 'appstore', 'clients', 'cloudron', 'domains', 'mail', 'profile', 'settings', 'subscription', 'users' ], // keep this sorted
-
-    SCOPE_ANY: '*',
-
-    validateScopeString: validateScopeString,
-    hasScopes: hasScopes,
-    canonicalScopeString: canonicalScopeString,
-    intersectScopes: intersectScopes,
-    validateToken: validateToken,
-    scopesForUser: scopesForUser
+    verifyToken: verifyToken
 };
 
 var assert = require('assert'),
     BoxError = require('./boxerror.js'),
-    debug = require('debug')('box:accesscontrol'),
     tokendb = require('./tokendb.js'),
-    users = require('./users.js'),
-    _ = require('underscore');
+    users = require('./users.js');
 
-// returns scopes that does not have wildcards and is sorted
-function canonicalScopeString(scope) {
-    if (scope === exports.SCOPE_ANY) return exports.VALID_SCOPES.join(',');
-
-    return scope.split(',').sort().join(',');
-}
-
-function intersectScopes(allowedScopes, wantedScopes) {
-    assert(Array.isArray(allowedScopes), 'Expecting sorted array');
-    assert(Array.isArray(wantedScopes), 'Expecting sorted array');
-
-    if (_.isEqual(allowedScopes, wantedScopes)) return allowedScopes; // quick path
-
-    let wantedScopesMap = new Map();
-    let results = [];
-
-    // make a map of scope -> [ subscopes ]
-    for (let w of wantedScopes) {
-        let parts = w.split(':');
-        let subscopes = wantedScopesMap.get(parts[0]) || new Set();
-        subscopes.add(parts[1] || '*');
-        wantedScopesMap.set(parts[0], subscopes);
-    }
-
-    for (let a of allowedScopes) {
-        let parts = a.split(':');
-        let as = parts[1] || '*';
-
-        let subscopes = wantedScopesMap.get(parts[0]);
-        if (!subscopes) continue;
-
-        if (subscopes.has('*') || subscopes.has(as)) {
-            results.push(a);
-        } else if (as === '*') {
-            results = results.concat(Array.from(subscopes).map(function (ss) { return `${a}:${ss}`; }));
-        }
-    }
-
-    return results;
-}
-
-function validateScopeString(scope) {
-    assert.strictEqual(typeof scope, 'string');
-
-    if (scope === '') return new BoxError(BoxError.BAD_FIELD, 'Empty scope not allowed', { field: 'scope' });
-
-    // NOTE: this function intentionally does not allow '*'. This is only allowed in the db to allow
-    // us not write a migration script every time we add a new scope
-    var allValid = scope.split(',').every(function (s) { return exports.VALID_SCOPES.indexOf(s.split(':')[0]) !== -1; });
-    if (!allValid) return new BoxError(BoxError.BAD_FIELD, 'Invalid scope. Available scopes are ' + exports.VALID_SCOPES.join(', '), { field: 'scope' });
-    return null;
-}
-
-// tests if all requiredScopes are attached to the request
-function hasScopes(authorizedScopes, requiredScopes) {
-    assert(Array.isArray(authorizedScopes), 'Expecting array');
-    assert(Array.isArray(requiredScopes), 'Expecting array');
-
-    if (authorizedScopes.indexOf(exports.SCOPE_ANY) !== -1) return null;
-
-    for (var i = 0; i < requiredScopes.length; ++i) {
-        const scopeParts = requiredScopes[i].split(':');
-
-        // this allows apps:write if the token has a higher apps scope
-        if (authorizedScopes.indexOf(requiredScopes[i]) === -1 && authorizedScopes.indexOf(scopeParts[0]) === -1) {
-            debug('scope: missing scope "%s".', requiredScopes[i]);
-            return new BoxError(BoxError.NOT_FOUND, 'Missing required scope "' + requiredScopes[i] + '"');
-        }
-    }
-
-    return null;
-}
-
-function scopesForUser(user, callback) {
-    assert.strictEqual(typeof user, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    if (user.admin) return callback(null, exports.VALID_SCOPES);
-
-    callback(null, [ 'profile', 'apps:read' ]);
-}
-
-function validateToken(accessToken, callback) {
+function verifyToken(accessToken, callback) {
     assert.strictEqual(typeof accessToken, 'string');
     assert.strictEqual(typeof callback, 'function');
 
     tokendb.getByAccessToken(accessToken, function (error, token) {
-        if (error && error.reason === BoxError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
-        if (error) return callback(error); // this triggers 'internal error' in passport
+        if (error && error.reason === BoxError.NOT_FOUND) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
+        if (error) return callback(error);
 
         users.get(token.identifier, function (error, user) {
-            if (error && error.reason === BoxError.NOT_FOUND) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
+            if (error && error.reason === BoxError.NOT_FOUND) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
             if (error) return callback(error);
 
-            if (!user.active) return callback(null, null /* user */, 'Invalid Token'); // will end up as a 401
+            if (!user.active) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
 
-            scopesForUser(user, function (error, userScopes) {
-                if (error) return callback(error);
-
-                const authorizedScopes = intersectScopes(userScopes, token.scope.split(','));
-                callback(null, user, { authorizedScopes }); // ends up in req.authInfo
-            });
+            callback(null, user);
         });
     });
 }

src/addons.js

@@ -7,6 +7,9 @@ exports = module.exports = {
     getServiceLogs: getServiceLogs,
     restartService: restartService,
 
+    startAppServices,
+    stopAppServices,
+
     startServices: startServices,
     updateServiceConfig: updateServiceConfig,
 
@@ -20,22 +23,18 @@ exports = module.exports = {
     getMountsSync: getMountsSync,
     getContainerNamesSync: getContainerNamesSync,
 
-    // exported for testing
-    _setupOauth: setupOauth,
-    _teardownOauth: teardownOauth,
+    getContainerDetails: getContainerDetails,
 
     SERVICE_STATUS_STARTING: 'starting',  // container up, waiting for healthcheck
     SERVICE_STATUS_ACTIVE: 'active',
     SERVICE_STATUS_STOPPED: 'stopped'
 };
 
-var accesscontrol = require('./accesscontrol.js'),
-    appdb = require('./appdb.js'),
+var appdb = require('./appdb.js'),
     apps = require('./apps.js'),
     assert = require('assert'),
     async = require('async'),
     BoxError = require('./boxerror.js'),
-    clients = require('./clients.js'),
     constants = require('./constants.js'),
     crypto = require('crypto'),
     debug = require('debug')('box:addons'),
@@ -66,7 +65,14 @@ const RMADDONDIR_CMD = path.join(__dirname, 'scripts/rmaddondir.sh');
 
 // setup can be called multiple times for the same app (configure crash restart) and existing data must not be lost
 // teardown is destructive. app data stored with the addon is lost
-var KNOWN_ADDONS = {
+var ADDONS = {
+    turn: {
+        setup: setupTurn,
+        teardown: teardownTurn,
+        backup: NOOP,
+        restore: NOOP,
+        clear: NOOP
+    },
     email: {
         setup: setupEmail,
         teardown: teardownEmail,
@@ -102,13 +108,6 @@ var KNOWN_ADDONS = {
         restore: restoreMySql,
         clear: clearMySql,
     },
-    oauth: {
-        setup: setupOauth,
-        teardown: teardownOauth,
-        backup: NOOP,
-        restore: setupOauth,
-        clear: NOOP,
-    },
     postgresql: {
         setup: setupPostgreSql,
         teardown: teardownPostgreSql,
@@ -150,10 +149,23 @@ var KNOWN_ADDONS = {
         backup: NOOP,
         restore: NOOP,
         clear: NOOP,
+    },
+    oauth: { // kept for backward compatibility. keep teardown for uninstall to work
+        setup: NOOP,
+        teardown: teardownOauth,
+        backup: NOOP,
+        restore: NOOP,
+        clear: NOOP,
     }
 };
 
-const KNOWN_SERVICES = {
+// services are actual containers that are running. addons are the concepts requested by app
+const SERVICES = {
+    turn: {
+        status: statusTurn,
+        restart: restartContainer.bind(null, 'turn'),
+        defaultMemoryLimit: 256 * 1024 * 1024
+    },
     mail: {
         status: containerStatus.bind(null, 'mail', 'CLOUDRON_MAIL_TOKEN'),
         restart: mail.restartMail,
@@ -201,6 +213,16 @@ const KNOWN_SERVICES = {
     }
 };
 
+const APP_SERVICES = {
+    redis: {
+        status: (instance, done) => containerStatus(`redis-${instance}`, 'CLOUDRON_REDIS_TOKEN', done),
+        start: (instance, done) => docker.startContainer(`redis-${instance}`, done),
+        stop: (instance, done) => docker.stopContainer(`redis-${instance}`, done),
+        restart: (instance, done) => restartContainer(`redis-${instance}`, done),
+        defaultMemoryLimit: 150 * 1024 * 1024
+    }
+};
+
 function debugApp(app /*, args */) {
     assert(typeof app === 'object');
 
@@ -237,6 +259,7 @@ function rebuildService(serviceName, callback) {
 
     // this attempts to recreate the service docker container if they don't exist but platform infra version is unchanged
     // passing an infra version of 'none' will not attempt to purge existing data, not sure if this is good or bad
+    if (serviceName === 'turn') return startTurn({ version: 'none' }, callback);
     if (serviceName === 'mongodb') return startMongodb({ version: 'none' }, callback);
     if (serviceName === 'postgresql') return startPostgresql({ version: 'none' }, callback);
     if (serviceName === 'mysql') return startMysql({ version: 'none' }, callback);
@@ -247,25 +270,22 @@ function rebuildService(serviceName, callback) {
     callback();
 }
 
-function restartContainer(serviceName, callback) {
-    assert.strictEqual(typeof serviceName, 'string');
+function restartContainer(name, callback) {
+    assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    docker.stopContainer(serviceName, function (error) {
+    docker.restartContainer(name, function (error) {
+        if (error && error.reason === BoxError.NOT_FOUND) {
+            callback(null); // callback early since rebuilding takes long
+            return rebuildService(name, function (error) { if (error) console.error(`Unable to rebuild service ${name}`, error); });
+        }
         if (error) return callback(error);
 
-        docker.startContainer(serviceName, function (error) {
-            if (error && error.reason === BoxError.NOT_FOUND) {
-                callback(null); // callback early since rebuilding takes long
-                return rebuildService(serviceName, function (error) { if (error) console.error(`Unable to rebuild service ${serviceName}`, error); });
-            }
-
-            callback(error);
-        });
+        callback(error);
     });
 }
 
-function getServiceDetails(containerName, tokenEnvName, callback) {
+function getContainerDetails(containerName, tokenEnvName, callback) {
     assert.strictEqual(typeof containerName, 'string');
     assert.strictEqual(typeof tokenEnvName, 'string');
     assert.strictEqual(typeof callback, 'function');
@@ -288,20 +308,20 @@ function getServiceDetails(containerName, tokenEnvName, callback) {
     });
 }
 
-function containerStatus(addonName, addonTokenName, callback) {
-    assert.strictEqual(typeof addonName, 'string');
-    assert.strictEqual(typeof addonTokenName, 'string');
+function containerStatus(containerName, tokenEnvName, callback) {
+    assert.strictEqual(typeof containerName, 'string');
+    assert.strictEqual(typeof tokenEnvName, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    getServiceDetails(addonName, addonTokenName, function (error, addonDetails) {
-        if (error && error.reason === BoxError.NOT_FOUND) return callback(null, { status: exports.SERVICE_STATUS_STOPPED });
+    getContainerDetails(containerName, tokenEnvName, function (error, addonDetails) {
+        if (error && (error.reason === BoxError.NOT_FOUND || error.reason === BoxError.INACTIVE)) return callback(null, { status: exports.SERVICE_STATUS_STOPPED });
         if (error) return callback(error);
 
         request.get(`https://${addonDetails.ip}:3000/healthcheck?access_token=${addonDetails.token}`, { json: true, rejectUnauthorized: false }, function (error, response) {
-            if (error) return callback(null, { status: exports.SERVICE_STATUS_STARTING, error: `Error waiting for ${addonName}: ${error.message}` });
-            if (response.statusCode !== 200 || !response.body.status) return callback(null, { status: exports.SERVICE_STATUS_STARTING, error: `Error waiting for ${addonName}. Status code: ${response.statusCode} message: ${response.body.message}` });
+            if (error) return callback(null, { status: exports.SERVICE_STATUS_STARTING, error: `Error waiting for ${containerName}: ${error.message}` });
+            if (response.statusCode !== 200 || !response.body.status) return callback(null, { status: exports.SERVICE_STATUS_STARTING, error: `Error waiting for ${containerName}. Status code: ${response.statusCode} message: ${response.body.message}` });
 
-            docker.memoryUsage(addonName, function (error, result) {
+            docker.memoryUsage(containerName, function (error, result) {
                 if (error) return callback(error);
 
                 var tmp = {
@@ -319,20 +339,63 @@ function containerStatus(addonName, addonTokenName, callback) {
 function getServices(callback) {
     assert.strictEqual(typeof callback, 'function');
 
-    let services = Object.keys(KNOWN_SERVICES);
+    let services = Object.keys(SERVICES);
 
-    callback(null, services);
+    appdb.getAll(function (error, apps) {
+        if (error) return callback(error);
+
+        for (let app of apps) {
+            if (app.manifest.addons && app.manifest.addons['redis']) services.push(`redis:${app.id}`);
+        }
+
+        callback(null, services);
+    });
 }
 
-function getService(serviceName, callback) {
-    assert.strictEqual(typeof serviceName, 'string');
+function getServicesConfig(id, callback) {
+    assert.strictEqual(typeof id, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if (!KNOWN_SERVICES[serviceName]) return callback(new BoxError(BoxError.NOT_FOUND));
+    const [name, instance ] = id.split(':');
+    if (!instance) {
+        settings.getPlatformConfig(function (error, platformConfig) {
+            if (error) return callback(error);
+
+            callback(null, SERVICES[name], platformConfig);
+        });
+
+        return;
+    }
+
+    appdb.get(instance, function (error, app) {
+        if (error) return callback(error);
+
+        callback(null, APP_SERVICES[name], app.servicesConfig);
+    });
+}
+
+function getService(id, callback) {
+    assert.strictEqual(typeof id, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    const [name, instance ] = id.split(':');
+    let containerStatusFunc;
+
+    if (instance) {
+        if (!APP_SERVICES[name]) return callback(new BoxError(BoxError.NOT_FOUND));
+        containerStatusFunc = APP_SERVICES[name].status.bind(null, instance);
+    } else if (SERVICES[name]) {
+        containerStatusFunc = SERVICES[name].status;
+    } else {
+        return callback(new BoxError(BoxError.NOT_FOUND));
+    }
 
     var tmp = {
-        name: serviceName,
+        name: name,
         status: null,
+        memoryUsed: 0,
+        memoryPercent: 0,
+        error: null,
         config: {
             // If a property is not set then we cannot change it through the api, see below
             // memory: 0,
@@ -340,60 +403,76 @@ function getService(serviceName, callback) {
         }
     };
 
-    settings.getPlatformConfig(function (error, platformConfig) {
+    containerStatusFunc(function (error, result) {
         if (error) return callback(error);
 
-        if (platformConfig[serviceName] && platformConfig[serviceName].memory && platformConfig[serviceName].memorySwap) {
-            tmp.config.memory = platformConfig[serviceName].memory;
-            tmp.config.memorySwap = platformConfig[serviceName].memorySwap;
-        } else if (KNOWN_SERVICES[serviceName].defaultMemoryLimit) {
-            tmp.config.memory = KNOWN_SERVICES[serviceName].defaultMemoryLimit;
-            tmp.config.memorySwap = tmp.config.memory * 2;
-        }
+        tmp.status = result.status;
+        tmp.memoryUsed = result.memoryUsed;
+        tmp.memoryPercent = result.memoryPercent;
+        tmp.error = result.error || null;
 
-        KNOWN_SERVICES[serviceName].status(function (error, result) {
+        getServicesConfig(id, function (error, service, servicesConfig) {
             if (error) return callback(error);
 
-            tmp.status = result.status;
-            tmp.memoryUsed = result.memoryUsed;
-            tmp.memoryPercent = result.memoryPercent;
-            tmp.error = result.error || null;
+            const serviceConfig = servicesConfig[name];
+
+            if (serviceConfig && serviceConfig.memory && serviceConfig.memorySwap) {
+                tmp.config.memory = serviceConfig.memory;
+                tmp.config.memorySwap = serviceConfig.memorySwap;
+            } else if (service.defaultMemoryLimit) {
+                tmp.config.memory = service.defaultMemoryLimit;
+                tmp.config.memorySwap = tmp.config.memory * 2;
+            }
 
             callback(null, tmp);
         });
     });
 }
 
-function configureService(serviceName, data, callback) {
-    assert.strictEqual(typeof serviceName, 'string');
+function configureService(id, data, callback) {
+    assert.strictEqual(typeof id, 'string');
     assert.strictEqual(typeof data, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    if (!KNOWN_SERVICES[serviceName]) return callback(new BoxError(BoxError.NOT_FOUND));
+    const [name, instance ] = id.split(':');
 
-    settings.getPlatformConfig(function (error, platformConfig) {
+    if (instance) {
+        if (!APP_SERVICES[name]) return callback(new BoxError(BoxError.NOT_FOUND));
+    } else if (!SERVICES[name]) {
+        return callback(new BoxError(BoxError.NOT_FOUND));
+    }
+
+    getServicesConfig(id, function (error, service, servicesConfig) {
         if (error) return callback(error);
 
-        if (!platformConfig[serviceName]) platformConfig[serviceName] = {};
+        if (!servicesConfig[name]) servicesConfig[name] = {};
 
         // if not specified we clear the entry and use defaults
         if (!data.memory || !data.memorySwap) {
-            delete platformConfig[serviceName];
+            delete servicesConfig[name];
         } else {
-            platformConfig[serviceName].memory = data.memory;
-            platformConfig[serviceName].memorySwap = data.memorySwap;
+            servicesConfig[name].memory = data.memory;
+            servicesConfig[name].memorySwap = data.memorySwap;
         }
 
-        settings.setPlatformConfig(platformConfig, function (error) {
-            if (error) return callback(error);
+        if (instance) {
+            appdb.update(instance, { servicesConfig }, function (error) {
+                if (error) return callback(error);
 
-            callback(null);
-        });
+                updateAppServiceConfig(name, instance, servicesConfig, callback);
+            });
+        } else {
+            settings.setPlatformConfig(servicesConfig, function (error) {
+                if (error) return callback(error);
+
+                callback(null);
+            });
+        }
     });
 }
 
-function getServiceLogs(serviceName, options, callback) {
-    assert.strictEqual(typeof serviceName, 'string');
+function getServiceLogs(id, options, callback) {
+    assert.strictEqual(typeof id, 'string');
     assert(options && typeof options === 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -401,9 +480,15 @@ function getServiceLogs(serviceName, options, callback) {
     assert.strictEqual(typeof options.format, 'string');
     assert.strictEqual(typeof options.follow, 'boolean');
 
-    if (!KNOWN_SERVICES[serviceName]) return callback(new BoxError(BoxError.NOT_FOUND));
+    const [name, instance ] = id.split(':');
 
-    debug(`Getting logs for ${serviceName}`);
+    if (instance) {
+        if (!APP_SERVICES[name]) return callback(new BoxError(BoxError.NOT_FOUND));
+    } else if (!SERVICES[name]) {
+        return callback(new BoxError(BoxError.NOT_FOUND));
+    }
+
+    debug(`Getting logs for ${name}`);
 
     var lines = options.lines,
         format = options.format || 'json',
@@ -412,11 +497,11 @@ function getServiceLogs(serviceName, options, callback) {
     let cmd, args = [];
 
     // docker and unbound use journald
-    if (serviceName === 'docker' || serviceName === 'unbound') {
+    if (name === 'docker' || name === 'unbound') {
         cmd = 'journalctl';
 
         args.push('--lines=' + (lines === -1 ? 'all' : lines));
-        args.push(`--unit=${serviceName}`);
+        args.push(`--unit=${name}`);
         args.push('--no-pager');
         args.push('--output=short-iso');
 
@@ -426,7 +511,8 @@ function getServiceLogs(serviceName, options, callback) {
 
         args.push('--lines=' + (lines === -1 ? '+1' : lines));
         if (follow) args.push('--follow', '--retry', '--quiet'); // same as -F. to make it work if file doesn't exist, --quiet to not output file headers, which are no logs
-        args.push(path.join(paths.LOG_DIR, serviceName, 'app.log'));
+        const containerName = APP_SERVICES[name] ? `${name}-${instance}` : name;
+        args.push(path.join(paths.LOG_DIR, containerName, 'app.log'));
     }
 
     var cp = spawn(cmd, args);
@@ -445,7 +531,7 @@ function getServiceLogs(serviceName, options, callback) {
         return JSON.stringify({
             realtimeTimestamp: timestamp * 1000,
             message: message,
-            source: serviceName
+            source: name
         }) + '\n';
     });
 
@@ -456,23 +542,67 @@ function getServiceLogs(serviceName, options, callback) {
     callback(null, transformStream);
 }
 
-function restartService(serviceName, callback) {
-    assert.strictEqual(typeof serviceName, 'string');
+function restartService(id, callback) {
+    assert.strictEqual(typeof id, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if (!KNOWN_SERVICES[serviceName]) return callback(new BoxError(BoxError.NOT_FOUND));
+    const [name, instance ] = id.split(':');
 
-    KNOWN_SERVICES[serviceName].restart(callback);
+    if (instance) {
+        if (!APP_SERVICES[name]) return callback(new BoxError(BoxError.NOT_FOUND));
+
+        APP_SERVICES[name].restart(instance, callback);
+    } else if (SERVICES[name]) {
+        SERVICES[name].restart(callback);
+    } else {
+        return callback(new BoxError(BoxError.NOT_FOUND));
+    }
 }
 
-function waitForService(containerName, tokenEnvName, callback) {
+// in the future, we can refcount and lazy start global services
+function startAppServices(app, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    const instance = app.id;
+    async.eachSeries(Object.keys(app.manifest.addons || {}), function (addon, iteratorDone) {
+        if (!(addon in APP_SERVICES)) return iteratorDone();
+
+        APP_SERVICES[addon].start(instance, function (error) { // assume addons name is service name
+            // error ignored because we don't want "start app" to error. use can fix it from Services
+            if (error) debug(`startAppServices: ${addon}:${instance}`, error);
+
+            iteratorDone();
+        });
+    }, callback);
+}
+
+// in the future, we can refcount and stop global services as well
+function stopAppServices(app, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    const instance = app.id;
+    async.eachSeries(Object.keys(app.manifest.addons || {}), function (addon, iteratorDone) {
+        if (!(addon in APP_SERVICES)) return iteratorDone();
+
+        APP_SERVICES[addon].stop(instance, function (error) { // assume addons name is service name
+            // error ignored because we don't want "start app" to error. use can fix it from Services
+            if (error) debug(`stopAppServices: ${addon}:${instance}`, error);
+
+            iteratorDone();
+        });
+    }, callback);
+}
+
+function waitForContainer(containerName, tokenEnvName, callback) {
     assert.strictEqual(typeof containerName, 'string');
     assert.strictEqual(typeof tokenEnvName, 'string');
     assert.strictEqual(typeof callback, 'function');
 
     debug(`Waiting for ${containerName}`);
 
-    getServiceDetails(containerName, tokenEnvName, function (error, result) {
+    getContainerDetails(containerName, tokenEnvName, function (error, result) {
         if (error) return callback(error);
 
         async.retry({ times: 10, interval: 15000 }, function (retryCallback) {
@@ -496,11 +626,11 @@ function setupAddons(app, addons, callback) {
     debugApp(app, 'setupAddons: Setting up %j', Object.keys(addons));
 
     async.eachSeries(Object.keys(addons), function iterator(addon, iteratorCallback) {
-        if (!(addon in KNOWN_ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
+        if (!(addon in ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
 
         debugApp(app, 'Setting up addon %s with options %j', addon, addons[addon]);
 
-        KNOWN_ADDONS[addon].setup(app, addons[addon], iteratorCallback);
+        ADDONS[addon].setup(app, addons[addon], iteratorCallback);
     }, callback);
 }
 
@@ -514,11 +644,11 @@ function teardownAddons(app, addons, callback) {
     debugApp(app, 'teardownAddons: Tearing down %j', Object.keys(addons));
 
     async.eachSeries(Object.keys(addons), function iterator(addon, iteratorCallback) {
-        if (!(addon in KNOWN_ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
+        if (!(addon in ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
 
         debugApp(app, 'Tearing down addon %s with options %j', addon, addons[addon]);
 
-        KNOWN_ADDONS[addon].teardown(app, addons[addon], iteratorCallback);
+        ADDONS[addon].teardown(app, addons[addon], iteratorCallback);
     }, callback);
 }
 
@@ -534,9 +664,9 @@ function backupAddons(app, addons, callback) {
     debugApp(app, 'backupAddons: Backing up %j', Object.keys(addons));
 
     async.eachSeries(Object.keys(addons), function iterator (addon, iteratorCallback) {
-        if (!(addon in KNOWN_ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
+        if (!(addon in ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
 
-        KNOWN_ADDONS[addon].backup(app, addons[addon], iteratorCallback);
+        ADDONS[addon].backup(app, addons[addon], iteratorCallback);
     }, callback);
 }
 
@@ -552,9 +682,9 @@ function clearAddons(app, addons, callback) {
     debugApp(app, 'clearAddons: clearing %j', Object.keys(addons));
 
     async.eachSeries(Object.keys(addons), function iterator (addon, iteratorCallback) {
-        if (!(addon in KNOWN_ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
+        if (!(addon in ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
 
-        KNOWN_ADDONS[addon].clear(app, addons[addon], iteratorCallback);
+        ADDONS[addon].clear(app, addons[addon], iteratorCallback);
     }, callback);
 }
 
@@ -570,9 +700,9 @@ function restoreAddons(app, addons, callback) {
     debugApp(app, 'restoreAddons: restoring %j', Object.keys(addons));
 
     async.eachSeries(Object.keys(addons), function iterator (addon, iteratorCallback) {
-        if (!(addon in KNOWN_ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
+        if (!(addon in ADDONS)) return iteratorCallback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
 
-        KNOWN_ADDONS[addon].restore(app, addons[addon], iteratorCallback);
+        ADDONS[addon].restore(app, addons[addon], iteratorCallback);
     }, callback);
 }
 
@@ -581,12 +711,12 @@ function importAppDatabase(app, addon, callback) {
     assert.strictEqual(typeof addon, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if (!(addon in KNOWN_ADDONS)) return callback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
+    if (!(addon in ADDONS)) return callback(new BoxError(BoxError.NOT_FOUND, `No such addon: ${addon}`));
 
     async.series([
-        KNOWN_ADDONS[addon].setup.bind(null, app, app.manifest.addons[addon]),
-        KNOWN_ADDONS[addon].clear.bind(null, app, app.manifest.addons[addon]), // clear in case we crashed in a restore
-        KNOWN_ADDONS[addon].restore.bind(null, app, app.manifest.addons[addon])
+        ADDONS[addon].setup.bind(null, app, app.manifest.addons[addon]),
+        ADDONS[addon].clear.bind(null, app, app.manifest.addons[addon]), // clear in case we crashed in a restore
+        ADDONS[addon].restore.bind(null, app, app.manifest.addons[addon])
     ], callback);
 }
 
@@ -621,7 +751,6 @@ function updateServiceConfig(platformConfig, callback) {
 
     debug('updateServiceConfig: %j', platformConfig);
 
-    // TODO: this should possibly also rollback memory to default
     async.eachSeries([ 'mysql', 'postgresql', 'mail', 'mongodb', 'graphite' ], function iterator(serviceName, iteratorCallback) {
         const containerConfig = platformConfig[serviceName];
         let memory, memorySwap;
@@ -629,7 +758,7 @@ function updateServiceConfig(platformConfig, callback) {
             memory = containerConfig.memory;
             memorySwap = containerConfig.memorySwap;
         } else {
-            memory = KNOWN_SERVICES[serviceName].defaultMemoryLimit;
+            memory = SERVICES[serviceName].defaultMemoryLimit;
             memorySwap = memory * 2;
         }
 
@@ -638,6 +767,28 @@ function updateServiceConfig(platformConfig, callback) {
     }, callback);
 }
 
+function updateAppServiceConfig(name, instance, servicesConfig, callback) {
+    assert.strictEqual(typeof name, 'string');
+    assert.strictEqual(typeof instance, 'string');
+    assert.strictEqual(typeof servicesConfig, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`updateAppServiceConfig: ${name}-${instance} ${JSON.stringify(servicesConfig)}`);
+
+    const serviceConfig = servicesConfig[name];
+    let memory, memorySwap;
+    if (serviceConfig && serviceConfig.memory && serviceConfig.memorySwap) {
+        memory = serviceConfig.memory;
+        memorySwap = serviceConfig.memorySwap;
+    } else {
+        memory = APP_SERVICES[name].defaultMemoryLimit;
+        memorySwap = memory * 2;
+    }
+
+    const args = `update --memory ${memory} --memory-swap ${memorySwap} ${name}-${instance}`.split(' ');
+    shell.spawn(`updateAppServiceConfig${name}`, '/usr/bin/docker', args, { }, callback);
+}
+
 function startServices(existingInfra, callback) {
     assert.strictEqual(typeof existingInfra, 'object');
     assert.strictEqual(typeof callback, 'function');
@@ -648,6 +799,7 @@ function startServices(existingInfra, callback) {
     if (existingInfra.version !== infra.version) {
         debug(`startServices: ${existingInfra.version} -> ${infra.version}. starting all services`);
         startFuncs.push(
+            startTurn.bind(null, existingInfra),
             startMysql.bind(null, existingInfra),
             startPostgresql.bind(null, existingInfra),
             startMongodb.bind(null, existingInfra),
@@ -656,6 +808,7 @@ function startServices(existingInfra, callback) {
     } else {
         assert.strictEqual(typeof existingInfra.images, 'object');
 
+        if (!existingInfra.images.turn || infra.images.turn.tag !== existingInfra.images.turn.tag) startFuncs.push(startTurn.bind(null, existingInfra));
         if (infra.images.mysql.tag !== existingInfra.images.mysql.tag) startFuncs.push(startMysql.bind(null, existingInfra));
         if (infra.images.postgresql.tag !== existingInfra.images.postgresql.tag) startFuncs.push(startPostgresql.bind(null, existingInfra));
         if (infra.images.mongodb.tag !== existingInfra.images.mongodb.tag) startFuncs.push(startMongodb.bind(null, existingInfra));
@@ -675,7 +828,7 @@ function getEnvironment(app, callback) {
     appdb.getAddonConfigByAppId(app.id, function (error, result) {
         if (error) return callback(error);
 
-        if (app.manifest.addons['docker']) result.push({ name: 'DOCKER_HOST', value: `tcp://172.18.0.1:${constants.DOCKER_PROXY_PORT}` });
+        if (app.manifest.addons['docker']) result.push({ name: 'CLOUDRON_DOCKER_HOST', value: `tcp://172.18.0.1:${constants.DOCKER_PROXY_PORT}` });
 
         return callback(null, result.map(function (e) { return e.name + '=' + e.value; }));
     });
@@ -738,8 +891,8 @@ function setupLocalStorage(app, options, callback) {
 
     // reomve any existing volume in case it's bound with an old dataDir
     async.series([
-        docker.removeVolume.bind(null, app, `${app.id}-localstorage`),
-        docker.createVolume.bind(null, app, `${app.id}-localstorage`, volumeDataDir)
+        docker.removeVolume.bind(null, `${app.id}-localstorage`),
+        docker.createVolume.bind(null, `${app.id}-localstorage`, volumeDataDir, { fqdn: app.fqdn, appId: app.id })
     ], callback);
 }
 
@@ -750,7 +903,7 @@ function clearLocalStorage(app, options, callback) {
 
     debugApp(app, 'clearLocalStorage');
 
-    docker.clearVolume(app, `${app.id}-localstorage`, { removeDirectory: false }, callback);
+    docker.clearVolume(`${app.id}-localstorage`, { removeDirectory: false }, callback);
 }
 
 function teardownLocalStorage(app, options, callback) {
@@ -761,57 +914,42 @@ function teardownLocalStorage(app, options, callback) {
     debugApp(app, 'teardownLocalStorage');
 
     async.series([
-        docker.clearVolume.bind(null, app, `${app.id}-localstorage`, { removeDirectory: true }),
-        docker.removeVolume.bind(null, app, `${app.id}-localstorage`)
+        docker.clearVolume.bind(null, `${app.id}-localstorage`, { removeDirectory: true }),
+        docker.removeVolume.bind(null, `${app.id}-localstorage`)
     ], callback);
 }
 
-function setupOauth(app, options, callback) {
+function setupTurn(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    debugApp(app, 'setupOauth');
+    var turnSecret = safe.fs.readFileSync(paths.ADDON_TURN_SECRET_FILE, 'utf8');
+    if (!turnSecret) console.error('No turn secret set. Will leave emtpy, but this is a problem!');
 
-    if (!app.sso) return callback(null);
+    const env = [
+        { name: 'CLOUDRON_STUN_SERVER', value: settings.adminFqdn() },
+        { name: 'CLOUDRON_STUN_PORT', value: '3478' },
+        { name: 'CLOUDRON_STUN_TLS_PORT', value: '5349' },
+        { name: 'CLOUDRON_TURN_SERVER', value: settings.adminFqdn() },
+        { name: 'CLOUDRON_TURN_PORT', value: '3478' },
+        { name: 'CLOUDRON_TURN_TLS_PORT', value: '5349' },
+        { name: 'CLOUDRON_TURN_SECRET', value: turnSecret }
+    ];
 
-    var appId = app.id;
-    var redirectURI = 'https://' + app.fqdn;
-    var scope = accesscontrol.SCOPE_PROFILE;
+    debugApp(app, 'Setting up TURN');
 
-    clients.delByAppIdAndType(appId, clients.TYPE_OAUTH, function (error) { // remove existing creds
-        if (error && error.reason !== BoxError.NOT_FOUND) return callback(error);
-
-        clients.add(appId, clients.TYPE_OAUTH, redirectURI, scope, function (error, result) {
-            if (error) return callback(error);
-
-            const envPrefix = app.manifest.manifestVersion <= 1 ? '' : 'CLOUDRON_';
-
-            var env = [
-                { name: `${envPrefix}OAUTH_CLIENT_ID`, value: result.id },
-                { name: `${envPrefix}OAUTH_CLIENT_SECRET`, value: result.clientSecret },
-                { name: `${envPrefix}OAUTH_ORIGIN`, value: settings.adminOrigin() }
-            ];
-
-            debugApp(app, 'Setting oauth addon config to %j', env);
-
-            appdb.setAddonConfig(appId, 'oauth', env, callback);
-        });
-    });
+    appdb.setAddonConfig(app.id, 'turn', env, callback);
 }
 
-function teardownOauth(app, options, callback) {
+function teardownTurn(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    debugApp(app, 'teardownOauth');
+    debugApp(app, 'Tearing down TURN');
 
-    clients.delByAppIdAndType(app.id, clients.TYPE_OAUTH, function (error) {
-        if (error && error.reason !== BoxError.NOT_FOUND) debug(error);
-
-        appdb.unsetAddonConfig(app.id, 'oauth', callback);
-    });
+    appdb.unsetAddonConfig(app.id, 'turn', callback);
 }
 
 function setupEmail(app, options, callback) {
@@ -1013,7 +1151,7 @@ function startMysql(existingInfra, callback) {
         shell.exec('startMysql', cmd, function (error) {
             if (error) return callback(error);
 
-            waitForService('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error) {
+            waitForContainer('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error) {
                 if (error) return callback(error);
                 if (!upgrading) return callback(null);
 
@@ -1042,7 +1180,7 @@ function setupMySql(app, options, callback) {
             password: error ? hat(4 * 48) : existingPassword // see box#362 for password length
         };
 
-        getServiceDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
+        getContainerDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
             if (error) return callback(error);
 
             request.post(`https://${result.ip}:3000/` + (options.multipleDatabases ? 'prefixes' : 'databases') + `?access_token=${result.token}`, { rejectUnauthorized: false, json: data }, function (error, response) {
@@ -1081,7 +1219,7 @@ function clearMySql(app, options, callback) {
 
     const database = mysqlDatabaseName(app.id);
 
-    getServiceDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
+    getContainerDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         request.post(`https://${result.ip}:3000/` + (options.multipleDatabases ? 'prefixes' : 'databases') + `/${database}/clear?access_token=${result.token}`, { json: true, rejectUnauthorized: false }, function (error, response) {
@@ -1101,7 +1239,7 @@ function teardownMySql(app, options, callback) {
     const database = mysqlDatabaseName(app.id);
     const username = database;
 
-    getServiceDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
+    getContainerDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         request.delete(`https://${result.ip}:3000/` + (options.multipleDatabases ? 'prefixes' : 'databases') + `/${database}?access_token=${result.token}&username=${username}`, { json: true, rejectUnauthorized: false }, function (error, response) {
@@ -1149,7 +1287,7 @@ function backupMySql(app, options, callback) {
 
     debugApp(app, 'Backing up mysql');
 
-    getServiceDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
+    getContainerDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         const url = `https://${result.ip}:3000/` + (options.multipleDatabases ? 'prefixes' : 'databases') + `/${database}/backup?access_token=${result.token}`;
@@ -1168,7 +1306,7 @@ function restoreMySql(app, options, callback) {
 
     callback = once(callback); // protect from multiple returns with streams
 
-    getServiceDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
+    getContainerDetails('mysql', 'CLOUDRON_MYSQL_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         var input = fs.createReadStream(dumpPath('mysql', app.id));
@@ -1229,7 +1367,7 @@ function startPostgresql(existingInfra, callback) {
         shell.exec('startPostgresql', cmd, function (error) {
             if (error) return callback(error);
 
-            waitForService('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error) {
+            waitForContainer('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error) {
                 if (error) return callback(error);
                 if (!upgrading) return callback(null);
 
@@ -1257,7 +1395,7 @@ function setupPostgreSql(app, options, callback) {
             password: error ? hat(4 * 128) : existingPassword
         };
 
-        getServiceDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
+        getContainerDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
             if (error) return callback(error);
 
             request.post(`https://${result.ip}:3000/databases?access_token=${result.token}`, { rejectUnauthorized: false, json: data }, function (error, response) {
@@ -1291,7 +1429,7 @@ function clearPostgreSql(app, options, callback) {
 
     debugApp(app, 'Clearing postgresql');
 
-    getServiceDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
+    getContainerDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         request.post(`https://${result.ip}:3000/databases/${database}/clear?access_token=${result.token}&username=${username}`, { json: true, rejectUnauthorized: false }, function (error, response) {
@@ -1310,7 +1448,7 @@ function teardownPostgreSql(app, options, callback) {
 
     const { database, username } = postgreSqlNames(app.id);
 
-    getServiceDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
+    getContainerDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         request.delete(`https://${result.ip}:3000/databases/${database}?access_token=${result.token}&username=${username}`, { json: true, rejectUnauthorized: false }, function (error, response) {
@@ -1331,7 +1469,7 @@ function backupPostgreSql(app, options, callback) {
 
     const { database } = postgreSqlNames(app.id);
 
-    getServiceDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
+    getContainerDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         const url = `https://${result.ip}:3000/databases/${database}/backup?access_token=${result.token}`;
@@ -1350,7 +1488,7 @@ function restorePostgreSql(app, options, callback) {
 
     callback = once(callback); // protect from multiple returns with streams
 
-    getServiceDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
+    getContainerDetails('postgresql', 'CLOUDRON_POSTGRESQL_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         var input = fs.createReadStream(dumpPath('postgresql', app.id));
@@ -1367,6 +1505,43 @@ function restorePostgreSql(app, options, callback) {
     });
 }
 
+function startTurn(existingInfra, callback) {
+    assert.strictEqual(typeof existingInfra, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    // get and ensure we have a turn secret
+    var turnSecret = safe.fs.readFileSync(paths.ADDON_TURN_SECRET_FILE, 'utf8');
+    if (!turnSecret) {
+        turnSecret = 'a' + crypto.randomBytes(15).toString('hex'); // prefix with a to ensure string starts with a letter
+        safe.fs.writeFileSync(paths.ADDON_TURN_SECRET_FILE, turnSecret, 'utf8');
+    }
+
+    const tag = infra.images.turn.tag;
+    const memoryLimit = 256;
+    const realm = settings.adminFqdn();
+
+    if (existingInfra.version === infra.version && existingInfra.images.turn && infra.images.turn.tag === existingInfra.images.turn.tag) return callback();
+
+    // this exports 3478/tcp, 5349/tls and 50000-51000/udp
+    const cmd = `docker run --restart=always -d --name="turn" \
+                --hostname turn \
+                --net host \
+                --log-driver syslog \
+                --log-opt syslog-address=udp://127.0.0.1:2514 \
+                --log-opt syslog-format=rfc5424 \
+                --log-opt tag=turn \
+                -m ${memoryLimit}m \
+                --memory-swap ${memoryLimit * 2}m \
+                --dns 172.18.0.1 \
+                --dns-search=. \
+                -e CLOUDRON_TURN_SECRET="${turnSecret}" \
+                -e CLOUDRON_REALM="${realm}" \
+                --label isCloudronManaged=true \
+                --read-only -v /tmp -v /run "${tag}"`;
+
+    shell.exec('startTurn', cmd, callback);
+}
+
 function startMongodb(existingInfra, callback) {
     assert.strictEqual(typeof existingInfra, 'object');
     assert.strictEqual(typeof callback, 'function');
@@ -1406,7 +1581,7 @@ function startMongodb(existingInfra, callback) {
         shell.exec('startMongodb', cmd, function (error) {
             if (error) return callback(error);
 
-            waitForService('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error) {
+            waitForContainer('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error) {
                 if (error) return callback(error);
                 if (!upgrading) return callback(null);
 
@@ -1433,7 +1608,7 @@ function setupMongoDb(app, options, callback) {
             oplog: !!options.oplog
         };
 
-        getServiceDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
+        getContainerDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
             if (error) return callback(error);
 
             request.post(`https://${result.ip}:3000/databases?access_token=${result.token}`, { rejectUnauthorized: false, json: data }, function (error, response) {
@@ -1469,7 +1644,7 @@ function clearMongodb(app, options, callback) {
 
     debugApp(app, 'Clearing mongodb');
 
-    getServiceDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
+    getContainerDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         request.post(`https://${result.ip}:3000/databases/${app.id}/clear?access_token=${result.token}`, { json: true, rejectUnauthorized: false }, function (error, response) {
@@ -1488,7 +1663,7 @@ function teardownMongoDb(app, options, callback) {
 
     debugApp(app, 'Tearing down mongodb');
 
-    getServiceDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
+    getContainerDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         request.delete(`https://${result.ip}:3000/databases/${app.id}?access_token=${result.token}`, { json: true, rejectUnauthorized: false }, function (error, response) {
@@ -1507,7 +1682,7 @@ function backupMongoDb(app, options, callback) {
 
     debugApp(app, 'Backing up mongodb');
 
-    getServiceDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
+    getContainerDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         const url = `https://${result.ip}:3000/databases/${app.id}/backup?access_token=${result.token}`;
@@ -1524,7 +1699,7 @@ function restoreMongoDb(app, options, callback) {
 
     debugApp(app, 'restoreMongoDb');
 
-    getServiceDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
+    getContainerDetails('mongodb', 'CLOUDRON_MONGODB_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         const readStream = fs.createReadStream(dumpPath('mongodb', app.id));
@@ -1580,15 +1755,7 @@ function setupRedis(app, options, callback) {
         const redisServiceToken = hat(4 * 48);
 
         // Compute redis memory limit based on app's memory limit (this is arbitrary)
-        var memoryLimit = app.memoryLimit || app.manifest.memoryLimit || 0;
-
-        if (memoryLimit === -1) { // unrestricted (debug mode)
-            memoryLimit = 0;
-        } else if (memoryLimit === 0 || memoryLimit <= (2 * 1024 * 1024 * 1024)) { // less than 2G (ram+swap)
-            memoryLimit = 150 * 1024 * 1024; // 150m
-        } else {
-            memoryLimit = 600 * 1024 * 1024; // 600m
-        }
+        const memoryLimit = app.servicesConfig['redis'] ? app.servicesConfig['redis'].memoryLimit : APP_SERVICES['redis'].defaultMemoryLimit;
 
         const tag = infra.images.redis.tag;
         const label = app.fqdn;
@@ -1632,7 +1799,7 @@ function setupRedis(app, options, callback) {
                 });
             },
             appdb.setAddonConfig.bind(null, app.id, 'redis', env),
-            waitForService.bind(null, 'redis-' + app.id, 'CLOUDRON_REDIS_TOKEN')
+            waitForContainer.bind(null, 'redis-' + app.id, 'CLOUDRON_REDIS_TOKEN')
         ], function (error) {
             if (error) debug('Error setting up redis: ', error);
             callback(error);
@@ -1647,7 +1814,7 @@ function clearRedis(app, options, callback) {
 
     debugApp(app, 'Clearing redis');
 
-    getServiceDetails('redis-' + app.id, 'CLOUDRON_REDIS_TOKEN', function (error, result) {
+    getContainerDetails('redis-' + app.id, 'CLOUDRON_REDIS_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         request.post(`https://${result.ip}:3000/clear?access_token=${result.token}`, { json: true, rejectUnauthorized: false }, function (error, response) {
@@ -1686,7 +1853,7 @@ function backupRedis(app, options, callback) {
 
     debugApp(app, 'Backing up redis');
 
-    getServiceDetails('redis-' + app.id, 'CLOUDRON_REDIS_TOKEN', function (error, result) {
+    getContainerDetails('redis-' + app.id, 'CLOUDRON_REDIS_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         const url = `https://${result.ip}:3000/backup?access_token=${result.token}`;
@@ -1703,7 +1870,7 @@ function restoreRedis(app, options, callback) {
 
     callback = once(callback); // protect from multiple returns with streams
 
-    getServiceDetails('redis-' + app.id, 'CLOUDRON_REDIS_TOKEN', function (error, result) {
+    getContainerDetails('redis-' + app.id, 'CLOUDRON_REDIS_TOKEN', function (error, result) {
         if (error) return callback(error);
 
         let input;
@@ -1726,6 +1893,27 @@ function restoreRedis(app, options, callback) {
     });
 }
 
+function statusTurn(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    docker.inspect('turn', function (error, container) {
+        if (error && error.reason === BoxError.NOT_FOUND) return callback(null, { status: exports.SERVICE_STATUS_STOPPED });
+        if (error) return callback(error);
+
+        docker.memoryUsage(container.Id, function (error, result) {
+            if (error) return callback(error);
+
+            var tmp = {
+                status: container.State.Running ? exports.SERVICE_STATUS_ACTIVE : exports.SERVICE_STATUS_STOPPED,
+                memoryUsed: result.memory_stats.usage,
+                memoryPercent: parseInt(100 * result.memory_stats.usage / result.memory_stats.limit)
+            };
+
+            callback(null, tmp);
+        });
+    });
+}
+
 function statusDocker(callback) {
     assert.strictEqual(typeof callback, 'function');
 
@@ -1820,3 +2008,13 @@ function statusGraphite(callback) {
         });
     });
 }
+
+function teardownOauth(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debugApp(app, 'teardownOauth');
+
+    appdb.unsetAddonConfig(app.id, 'oauth', callback);
+}

src/appdb.js

@@ -40,8 +40,8 @@ var assert = require('assert'),
 
 var APPS_FIELDS_PREFIXED = [ 'apps.id', 'apps.appStoreId', 'apps.installationState', 'apps.errorJson', 'apps.runState',
     'apps.health', 'apps.containerId', 'apps.manifestJson', 'apps.httpPort', 'subdomains.subdomain AS location', 'subdomains.domain',
-    'apps.accessRestrictionJson', 'apps.memoryLimit',
-    'apps.label', 'apps.tagsJson', 'apps.taskId', 'apps.reverseProxyConfigJson',
+    'apps.accessRestrictionJson', 'apps.memoryLimit', 'apps.cpuShares',
+    'apps.label', 'apps.tagsJson', 'apps.taskId', 'apps.reverseProxyConfigJson', 'apps.servicesConfigJson', 'apps.bindsJson',
     'apps.sso', 'apps.debugModeJson', 'apps.enableBackup',
     'apps.creationTime', 'apps.updateTime', 'apps.mailboxName', 'apps.mailboxDomain', 'apps.enableAutomaticUpdate',
     'apps.dataDir', 'apps.ts', 'apps.healthTime' ].join(',');
@@ -94,6 +94,14 @@ function postProcess(result) {
     result.debugMode = safe.JSON.parse(result.debugModeJson);
     delete result.debugModeJson;
 
+    assert(result.servicesConfigJson === null || typeof result.servicesConfigJson === 'string');
+    result.servicesConfig = safe.JSON.parse(result.servicesConfigJson) || {};
+    delete result.servicesConfigJson;
+
+    assert(result.bindsJson === null || typeof result.bindsJson === 'string');
+    result.binds = safe.JSON.parse(result.bindsJson) || {};
+    delete result.bindsJson;
+
     result.alternateDomains = result.alternateDomains || [];
     result.alternateDomains.forEach(function (d) {
         delete d.appId;
@@ -242,6 +250,7 @@ function add(id, appStoreId, manifest, location, domain, portBindings, data, cal
     const accessRestriction = data.accessRestriction || null;
     const accessRestrictionJson = JSON.stringify(accessRestriction);
     const memoryLimit = data.memoryLimit || 0;
+    const cpuShares = data.cpuShares || 512;
     const installationState = data.installationState;
     const runState = data.runState;
     const sso = 'sso' in data ? data.sso : null;
@@ -256,10 +265,10 @@ function add(id, appStoreId, manifest, location, domain, portBindings, data, cal
     var queries = [];
 
     queries.push({
-        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, runState, accessRestrictionJson, memoryLimit, '
+        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, runState, accessRestrictionJson, memoryLimit, cpuShares, '
             + 'sso, debugModeJson, mailboxName, mailboxDomain, label, tagsJson, reverseProxyConfigJson) '
-            + ' VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
-        args: [ id, appStoreId, manifestJson, installationState, runState, accessRestrictionJson, memoryLimit,
+            + ' VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
+        args: [ id, appStoreId, manifestJson, installationState, runState, accessRestrictionJson, memoryLimit, cpuShares,
             sso, debugModeJson, mailboxName, mailboxDomain, label, tagsJson, reverseProxyConfigJson ]
     });
 
@@ -348,12 +357,13 @@ function del(id, callback) {
         { query: 'DELETE FROM subdomains WHERE appId = ?', args: [ id ] },
         { query: 'DELETE FROM appPortBindings WHERE appId = ?', args: [ id ] },
         { query: 'DELETE FROM appEnvVars WHERE appId = ?', args: [ id ] },
+        { query: 'DELETE FROM appPasswords WHERE identifier = ?', args: [ id ] },
         { query: 'DELETE FROM apps WHERE id = ?', args: [ id ] }
     ];
 
     database.transaction(queries, function (error, results) {
         if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (results[3].affectedRows !== 1) return callback(new BoxError(BoxError.NOT_FOUND, 'App not found'));
+        if (results[4].affectedRows !== 1) return callback(new BoxError(BoxError.NOT_FOUND, 'App not found'));
 
         callback(null);
     });
@@ -425,7 +435,7 @@ function updateWithConstraints(id, app, constraints, callback) {
 
     var fields = [ ], values = [ ];
     for (var p in app) {
-        if (p === 'manifest' || p === 'tags' || p === 'accessRestriction' || p === 'debugMode' || p === 'error' || p === 'reverseProxyConfig') {
+        if (p === 'manifest' || p === 'tags' || p === 'accessRestriction' || p === 'debugMode' || p === 'error' || p === 'reverseProxyConfig' || p === 'servicesConfig' || p === 'binds') {
             fields.push(`${p}Json = ?`);
             values.push(JSON.stringify(app[p]));
         } else if (p !== 'portBindings' && p !== 'location' && p !== 'domain' && p !== 'alternateDomains' && p !== 'env') {

src/apphealthmonitor.js

@@ -186,9 +186,10 @@ function processApp(callback) {
         async.each(result, checkAppHealth, function (error) {
             if (error) console.error(error);
 
-            var alive = result
+            const alive = result
                 .filter(function (a) { return a.installationState === apps.ISTATE_INSTALLED && a.runState === apps.RSTATE_RUNNING && a.health === apps.HEALTH_HEALTHY; })
-                .map(function (a) { return (a.location || 'naked_domain') + '|' + (a.manifest.id || 'customapp'); }).join(', ');
+                .map(a => a.fqdn)
+                .join(', ');
 
             debug('apps alive: [%s]', alive);
 

src/appstore.js

@@ -1,16 +1,22 @@
 'use strict';
 
 exports = module.exports = {
+    getFeatures: getFeatures,
+
     getApps: getApps,
     getApp: getApp,
     getAppVersion: getAppVersion,
 
+    trackBeginSetup: trackBeginSetup,
+    trackFinishedSetup: trackFinishedSetup,
+
     registerWithLoginCredentials: registerWithLoginCredentials,
     registerWithLicense: registerWithLicense,
 
     purchaseApp: purchaseApp,
     unpurchaseApp: unpurchaseApp,
 
+    getUserToken: getUserToken,
     getSubscription: getSubscription,
     isFreePlan: isFreePlan,
 
@@ -27,13 +33,13 @@ var apps = require('./apps.js'),
     async = require('async'),
     BoxError = require('./boxerror.js'),
     constants = require('./constants.js'),
-    custom = require('./custom.js'),
     debug = require('debug')('box:appstore'),
     domains = require('./domains.js'),
     eventlog = require('./eventlog.js'),
     groups = require('./groups.js'),
     mail = require('./mail.js'),
     os = require('os'),
+    paths = require('./paths.js'),
     safe = require('safetydance'),
     semver = require('semver'),
     settings = require('./settings.js'),
@@ -43,6 +49,38 @@ var apps = require('./apps.js'),
 
 const NOOP_CALLBACK = function (error) { if (error) debug(error); };
 
+// These are the default options and will be adjusted once a subscription state is obtained
+// Keep in sync with appstore/routes/cloudrons.js
+let gFeatures = {
+    userMaxCount: null,
+    externalLdap: true,
+    eventLog: true,
+    privateDockerRegistry: true,
+    branding: true,
+    userManager: true,
+    multiAdmin: true,
+    support: true
+};
+
+// attempt to load feature cache in case appstore would be down
+let tmp = safe.JSON.parse(safe.fs.readFileSync(paths.FEATURES_INFO_FILE, 'utf8'));
+if (tmp) gFeatures = tmp;
+
+function getFeatures() {
+    return gFeatures;
+}
+
+function isAppAllowed(appstoreId, listingConfig) {
+    assert.strictEqual(typeof listingConfig, 'object');
+    assert.strictEqual(typeof appstoreId, 'string');
+
+    if (listingConfig.blacklist && listingConfig.blacklist.includes(appstoreId)) return false;
+
+    if (listingConfig.whitelist) return listingConfig.whitelist.includes(appstoreId);
+
+    return true;
+}
+
 function getCloudronToken(callback) {
     assert.strictEqual(typeof callback, 'function');
 
@@ -89,13 +127,32 @@ function registerUser(email, password, callback) {
     const url = settings.apiServerOrigin() + '/api/v1/register_user';
     superagent.post(url).send(data).timeout(30 * 1000).end(function (error, result) {
         if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error.message));
-        if (result.statusCode === 409) return callback(new BoxError(BoxError.ALREADY_EXISTS));
+        if (result.statusCode === 409) return callback(new BoxError(BoxError.ALREADY_EXISTS, error.message));
         if (result.statusCode !== 201) return callback(new BoxError(BoxError.EXTERNAL_ERROR, `register status code: ${result.statusCode}`));
 
         callback(null);
     });
 }
 
+function getUserToken(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    if (settings.isDemo()) return callback(new BoxError(BoxError.BAD_FIELD, 'Not allowed in demo mode'));
+
+    getCloudronToken(function (error, token) {
+        if (error) return callback(error);
+
+        const url = `${settings.apiServerOrigin()}/api/v1/user_token`;
+
+        superagent.post(url).send({}).query({ accessToken: token }).timeout(30 * 1000).end(function (error, result) {
+            if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error.message));
+            if (result.statusCode !== 201) return callback(new BoxError(BoxError.EXTERNAL_ERROR, `getUserToken status code: ${result.status}`));
+
+            callback(null, result.body.accessToken);
+        });
+    });
+}
+
 function getSubscription(callback) {
     assert.strictEqual(typeof callback, 'function');
 
@@ -110,7 +167,11 @@ function getSubscription(callback) {
             if (result.statusCode === 502) return callback(new BoxError(BoxError.EXTERNAL_ERROR, `Stripe error: ${error.message}`));
             if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, `Unknown error: ${error.message}`));
 
-            callback(null, result.body); // { email, subscription }
+            // update the features cache
+            gFeatures = result.body.features;
+            safe.fs.writeFileSync(paths.FEATURES_INFO_FILE, JSON.stringify(gFeatures), 'utf8');
+
+            callback(null, result.body);
         });
     });
 }
@@ -279,7 +340,8 @@ function sendAliveStatus(callback) {
     });
 }
 
-function getBoxUpdate(callback) {
+function getBoxUpdate(options, callback) {
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     getCloudronToken(function (error, token) {
@@ -287,7 +349,13 @@ function getBoxUpdate(callback) {
 
         const url = `${settings.apiServerOrigin()}/api/v1/boxupdate`;
 
-        superagent.get(url).query({ accessToken: token, boxVersion: constants.VERSION }).timeout(10 * 1000).end(function (error, result) {
+        const query = {
+            accessToken: token,
+            boxVersion: constants.VERSION,
+            automatic: options.automatic
+        };
+
+        superagent.get(url).query(query).timeout(10 * 1000).end(function (error, result) {
             if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error.message));
             if (result.statusCode === 401) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
             if (result.statusCode === 422) return callback(new BoxError(BoxError.LICENSE_ERROR, result.body.message));
@@ -313,16 +381,24 @@ function getBoxUpdate(callback) {
     });
 }
 
-function getAppUpdate(app, callback) {
+function getAppUpdate(app, options, callback) {
     assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     getCloudronToken(function (error, token) {
         if (error) return callback(error);
 
         const url = `${settings.apiServerOrigin()}/api/v1/appupdate`;
+        const query = {
+            accessToken: token,
+            boxVersion: constants.VERSION,
+            appId: app.appStoreId,
+            appVersion: app.manifest.version,
+            automatic: options.automatic
+        };
 
-        superagent.get(url).query({ accessToken: token, boxVersion: constants.VERSION, appId: app.appStoreId, appVersion: app.manifest.version }).timeout(10 * 1000).end(function (error, result) {
+        superagent.get(url).query(query).timeout(10 * 1000).end(function (error, result) {
             if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error));
             if (result.statusCode === 401) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
             if (result.statusCode === 422) return callback(new BoxError(BoxError.LICENSE_ERROR, result.body.message));
@@ -354,7 +430,7 @@ function registerCloudron(data, callback) {
 
     superagent.post(url).send(data).timeout(30 * 1000).end(function (error, result) {
         if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error.message));
-        if (result.statusCode !== 201) return callback(new BoxError(BoxError.EXTERNAL_ERROR, `Unable to register cloudron: ${error.message}`));
+        if (result.statusCode !== 201) return callback(new BoxError(BoxError.EXTERNAL_ERROR, `Unable to register cloudron: ${result.statusCode} ${error.message}`));
 
         // cloudronId, token, licenseKey
         if (!result.body.cloudronId) return callback(new BoxError(BoxError.EXTERNAL_ERROR, 'Invalid response - no cloudron id'));
@@ -375,13 +451,42 @@ function registerCloudron(data, callback) {
     });
 }
 
+// This works without a Cloudron token as this Cloudron was not yet registered
+let gBeginSetupAlreadyTracked = false;
+function trackBeginSetup(provider) {
+    assert.strictEqual(typeof provider, 'string');
+
+    // avoid browser reload double tracking, not perfect since box might restart, but covers most cases and is simple
+    if (gBeginSetupAlreadyTracked) return;
+    gBeginSetupAlreadyTracked = true;
+
+    const url = `${settings.apiServerOrigin()}/api/v1/helper/setup_begin`;
+
+    superagent.post(url).send({ provider }).timeout(30 * 1000).end(function (error, result) {
+        if (error && !error.response) return console.error(error.message);
+        if (result.statusCode !== 200) return console.error(error.message);
+    });
+}
+
+// This works without a Cloudron token as this Cloudron was not yet registered
+function trackFinishedSetup(domain) {
+    assert.strictEqual(typeof domain, 'string');
+
+    const url = `${settings.apiServerOrigin()}/api/v1/helper/setup_finished`;
+
+    superagent.post(url).send({ domain }).timeout(30 * 1000).end(function (error, result) {
+        if (error && !error.response) return console.error(error.message);
+        if (result.statusCode !== 200) return console.error(error.message);
+    });
+}
+
 function registerWithLicense(license, domain, callback) {
     assert.strictEqual(typeof license, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
     getCloudronToken(function (error, token) {
-        if (token) return callback(new BoxError(BoxError.CONFLICT));
+        if (token) return callback(new BoxError(BoxError.CONFLICT, 'Cloudron is already registered'));
 
         const provider = settings.provider();
         const version = constants.VERSION;
@@ -401,7 +506,7 @@ function registerWithLoginCredentials(options, callback) {
     }
 
     getCloudronToken(function (error, token) {
-        if (token) return callback(new BoxError(BoxError.CONFLICT));
+        if (token) return callback(new BoxError(BoxError.CONFLICT, 'Cloudron is already registered'));
 
         maybeSignup(function (error) {
             if (error) return callback(error);
@@ -409,19 +514,20 @@ function registerWithLoginCredentials(options, callback) {
             login(options.email, options.password, options.totpToken || '', function (error, result) {
                 if (error) return callback(error);
 
-                registerCloudron({ domain: settings.adminDomain(), accessToken: result.accessToken, provider: settings.provider(), version: constants.VERSION }, callback);
+                registerCloudron({ domain: settings.adminDomain(), accessToken: result.accessToken, provider: settings.provider(), version: constants.VERSION, purpose: options.purpose || '' }, callback);
             });
         });
     });
 }
 
-function createTicket(info, callback) {
+function createTicket(info, auditSource, callback) {
     assert.strictEqual(typeof info, 'object');
     assert.strictEqual(typeof info.email, 'string');
     assert.strictEqual(typeof info.displayName, 'string');
     assert.strictEqual(typeof info.type, 'string');
     assert.strictEqual(typeof info.subject, 'string');
     assert.strictEqual(typeof info.description, 'string');
+    assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     function collectAppInfoIfNeeded(callback) {
@@ -438,7 +544,7 @@ function createTicket(info, callback) {
 
             let url = settings.apiServerOrigin() + '/api/v1/ticket';
 
-            info.supportEmail = custom.spec().support.email; // destination address for tickets
+            info.supportEmail = constants.SUPPORT_EMAIL; // destination address for tickets
 
             superagent.post(url).query({ accessToken: token }).send(info).timeout(10 * 1000).end(function (error, result) {
                 if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error.message));
@@ -446,7 +552,9 @@ function createTicket(info, callback) {
                 if (result.statusCode === 422) return callback(new BoxError(BoxError.LICENSE_ERROR, result.body.message));
                 if (result.statusCode !== 201) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));
 
-                callback(null);
+                eventlog.add(eventlog.ACTION_SUPPORT_TICKET, auditSource, info);
+
+                callback(null, { message: `An email for sent to ${constants.SUPPORT_EMAIL}. We will get back shortly!` });
             });
         });
     });
@@ -469,7 +577,13 @@ function getApps(callback) {
                 if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('App listing failed. %s %j', result.status, result.body)));
                 if (!result.body.apps) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('Bad response: %s %s', result.statusCode, result.text)));
 
-                callback(null, result.body.apps);
+                settings.getAppstoreListingConfig(function (error, listingConfig) {
+                    if (error) return callback(error);
+
+                    const filteredApps = result.body.apps.filter(app => isAppAllowed(app.id, listingConfig));
+
+                    callback(null, filteredApps);
+                });
             });
         });
     });
@@ -480,20 +594,26 @@ function getAppVersion(appId, version, callback) {
     assert.strictEqual(typeof version, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    getCloudronToken(function (error, token) {
+    settings.getAppstoreListingConfig(function (error, listingConfig) {
         if (error) return callback(error);
 
-        let url = `${settings.apiServerOrigin()}/api/v1/apps/${appId}`;
-        if (version !== 'latest') url += `/versions/${version}`;
+        if (!isAppAllowed(appId, listingConfig)) return callback(new BoxError(BoxError.FEATURE_DISABLED));
 
-        superagent.get(url).query({ accessToken: token }).timeout(10 * 1000).end(function (error, result) {
-            if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error.message));
-            if (result.statusCode === 403 || result.statusCode === 401) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
-            if (result.statusCode === 404) return callback(new BoxError(BoxError.NOT_FOUND));
-            if (result.statusCode === 422) return callback(new BoxError(BoxError.LICENSE_ERROR, result.body.message));
-            if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('App fetch failed. %s %j', result.status, result.body)));
+        getCloudronToken(function (error, token) {
+            if (error) return callback(error);
 
-            callback(null, result.body);
+            let url = `${settings.apiServerOrigin()}/api/v1/apps/${appId}`;
+            if (version !== 'latest') url += `/versions/${version}`;
+
+            superagent.get(url).query({ accessToken: token }).timeout(10 * 1000).end(function (error, result) {
+                if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error.message));
+                if (result.statusCode === 403 || result.statusCode === 401) return callback(new BoxError(BoxError.INVALID_CREDENTIALS));
+                if (result.statusCode === 404) return callback(new BoxError(BoxError.NOT_FOUND));
+                if (result.statusCode === 422) return callback(new BoxError(BoxError.LICENSE_ERROR, result.body.message));
+                if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('App fetch failed. %s %j', result.status, result.body)));
+
+                callback(null, result.body);
+            });
         });
     });
 }

src/apptask.js

@@ -27,6 +27,7 @@ var addons = require('./addons.js'),
     auditSource = require('./auditsource.js'),
     backups = require('./backups.js'),
     BoxError = require('./boxerror.js'),
+    collectd = require('./collectd.js'),
     constants = require('./constants.js'),
     debug = require('debug')('box:apptask'),
     df = require('@sindresorhus/df'),
@@ -51,8 +52,7 @@ var addons = require('./addons.js'),
     util = require('util'),
     _ = require('underscore');
 
-const COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd.config.ejs', { encoding: 'utf8' }),
-    CONFIGURE_COLLECTD_CMD = path.join(__dirname, 'scripts/configurecollectd.sh'),
+const COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd/app.ejs', { encoding: 'utf8' }),
     MV_VOLUME_CMD = path.join(__dirname, 'scripts/mvvolume.sh'),
     LOGROTATE_CONFIG_EJS = fs.readFileSync(__dirname + '/logrotate.ejs', { encoding: 'utf8' }),
     CONFIGURE_LOGROTATE_CMD = path.join(__dirname, 'scripts/configurelogrotate.sh');
@@ -229,29 +229,14 @@ function addCollectdProfile(app, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     var collectdConf = ejs.render(COLLECTD_CONFIG_EJS, { appId: app.id, containerId: app.containerId, appDataDir: apps.getDataDir(app, app.dataDir) });
-    fs.writeFile(path.join(paths.COLLECTD_APPCONFIG_DIR, app.id + '.conf'), collectdConf, function (error) {
-        if (error) return callback(new BoxError(BoxError.FS_ERROR, `Error writing collectd config: ${error.message}`));
-
-        shell.sudo('addCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'add', app.id ], {}, function (error) {
-            if (error) return callback(new BoxError(BoxError.COLLECTD_ERROR, 'Could not add collectd config'));
-
-            callback(null);
-        });
-    });
+    collectd.addProfile(app.id, collectdConf, callback);
 }
 
 function removeCollectdProfile(app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    fs.unlink(path.join(paths.COLLECTD_APPCONFIG_DIR, app.id + '.conf'), function (error) {
-        if (error && error.code !== 'ENOENT') debugApp(app, 'Error removing collectd profile', error);
-        shell.sudo('removeCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'remove', app.id ], {}, function (error) {
-            if (error) return callback(new BoxError(BoxError.COLLECTD_ERROR, 'Could not remove collectd config'));
-
-            callback(null);
-        });
-    });
+    collectd.removeProfile(app.id, callback);
 }
 
 function addLogrotateConfig(app, callback) {
@@ -446,12 +431,12 @@ function waitForDnsPropagation(app, callback) {
     sysinfo.getServerIp(function (error, ip) {
         if (error) return callback(new BoxError(BoxError.NETWORK_ERROR, `Error getting public IP: ${error.message}`));
 
-        domains.waitForDnsRecord(app.location, app.domain, 'A', ip, { interval: 5000, times: 240 }, function (error) {
+        domains.waitForDnsRecord(app.location, app.domain, 'A', ip, { times: 240 }, function (error) {
             if (error) return callback(new BoxError(BoxError.DNS_ERROR, `DNS Record is not synced yet: ${error.message}`, { ip: ip, subdomain: app.location, domain: app.domain }));
 
             // now wait for alternateDomains, if any
             async.eachSeries(app.alternateDomains, function (domain, iteratorCallback) {
-                domains.waitForDnsRecord(domain.subdomain, domain.domain, 'A', ip, { interval: 5000, times: 240 }, function (error) {
+                domains.waitForDnsRecord(domain.subdomain, domain.domain, 'A', ip, { times: 240 }, function (error) {
                     if (error) return callback(new BoxError(BoxError.DNS_ERROR, `DNS Record is not synced yet: ${error.message}`, { ip: ip, subdomain: domain.subdomain, domain: domain.domain }));
 
                     iteratorCallback();
@@ -791,9 +776,6 @@ function configure(app, args, progressCallback, callback) {
 
         startApp.bind(null, app),
 
-        progressCallback.bind(null, { percent: 80, message: 'Waiting for DNS propagation' }),
-        exports._waitForDnsPropagation.bind(null, app),
-
         progressCallback.bind(null, { percent: 90, message: 'Configuring reverse proxy' }),
         configureReverseProxy.bind(null, app),
 
@@ -825,7 +807,7 @@ function update(app, args, progressCallback, callback) {
     async.series([
         // this protects against the theoretical possibility of an app being marked for update from
         // a previous version of box code
-        progressCallback.bind(null, { percent: 0, message: 'Verify manifest' }),
+        progressCallback.bind(null, { percent: 5, message: 'Verify manifest' }),
         verifyManifest.bind(null, updateConfig.manifest),
 
         function (next) {
@@ -917,9 +899,16 @@ function start(app, args, progressCallback, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     async.series([
-        progressCallback.bind(null, { percent: 20, message: 'Starting container' }),
+        progressCallback.bind(null, { percent: 10, message: 'Starting app services' }),
+        addons.startAppServices.bind(null, app),
+
+        progressCallback.bind(null, { percent: 35, message: 'Starting container' }),
         docker.startContainer.bind(null, app.id),
 
+        // stopped apps do not renew certs. currently, we don't do DNS to not overwrite existing user settings
+        progressCallback.bind(null, { percent: 60, message: 'Configuring reverse proxy' }),
+        configureReverseProxy.bind(null, app),
+
         progressCallback.bind(null, { percent: 100, message: 'Done' }),
         updateApp.bind(null, app, { installationState: apps.ISTATE_INSTALLED, error: null, health: null })
     ], function seriesDone(error) {
@@ -941,6 +930,30 @@ function stop(app, args, progressCallback, callback) {
         progressCallback.bind(null, { percent: 20, message: 'Stopping container' }),
         docker.stopContainers.bind(null, app.id),
 
+        progressCallback.bind(null, { percent: 50, message: 'Stopping app services' }),
+        addons.stopAppServices.bind(null, app),
+
+        progressCallback.bind(null, { percent: 100, message: 'Done' }),
+        updateApp.bind(null, app, { installationState: apps.ISTATE_INSTALLED, error: null, health: null })
+    ], function seriesDone(error) {
+        if (error) {
+            debugApp(app, 'error starting app: %s', error);
+            return updateApp(app, { installationState: apps.ISTATE_ERROR, error: makeTaskError(error, app) }, callback.bind(null, error));
+        }
+        callback(null);
+    });
+}
+
+function restart(app, args, progressCallback, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof args, 'object');
+    assert.strictEqual(typeof progressCallback, 'function');
+    assert.strictEqual(typeof callback, 'function');
+
+    async.series([
+        progressCallback.bind(null, { percent: 20, message: 'Restarting container' }),
+        docker.restartContainer.bind(null, app.id),
+
         progressCallback.bind(null, { percent: 100, message: 'Done' }),
         updateApp.bind(null, app, { installationState: apps.ISTATE_INSTALLED, error: null, health: null })
     ], function seriesDone(error) {
@@ -1029,6 +1042,8 @@ function run(appId, args, progressCallback, callback) {
             return start(app, args, progressCallback, callback);
         case apps.ISTATE_PENDING_STOP:
             return stop(app, args, progressCallback, callback);
+        case apps.ISTATE_PENDING_RESTART:
+            return restart(app, args, progressCallback, callback);
         default:
             debugApp(app, 'apptask launched with invalid command');
             return callback(new BoxError(BoxError.INTERNAL_ERROR, 'Unknown install command in apptask:' + app.installationState));

src/apptaskmanager.js

@@ -48,7 +48,7 @@ function scheduleTask(appId, taskId, callback) {
 
     if (Object.keys(gActiveTasks).length >= TASK_CONCURRENCY) {
         debug(`Reached concurrency limit, queueing task id ${taskId}`);
-        tasks.update(taskId, { percent: 0, message: 'Waiting for other app tasks to complete' }, NOOP_CALLBACK);
+        tasks.update(taskId, { percent: 1, message: 'Waiting for other app tasks to complete' }, NOOP_CALLBACK);
         gPendingTasks.push({ appId, taskId, callback });
         return;
     }
@@ -57,7 +57,7 @@ function scheduleTask(appId, taskId, callback) {
 
     if (lockError) {
         debug(`Could not get lock. ${lockError.message}, queueing task id ${taskId}`);
-        tasks.update(taskId, { percent: 0, message: waitText(lockError.operation) }, NOOP_CALLBACK);
+        tasks.update(taskId, { percent: 1, message: waitText(lockError.operation) }, NOOP_CALLBACK);
         gPendingTasks.push({ appId, taskId, callback });
         return;
     }

src/authcodedb.js

@@ -1,78 +0,0 @@
-/* jslint node:true */
-
-'use strict';
-
-exports = module.exports = {
-    get: get,
-    add: add,
-    del: del,
-    delExpired: delExpired,
-
-    _clear: clear
-};
-
-var assert = require('assert'),
-    BoxError = require('./boxerror.js'),
-    database = require('./database.js');
-
-var AUTHCODES_FIELDS = [ 'authCode', 'userId', 'clientId', 'expiresAt' ].join(',');
-
-function get(authCode, callback) {
-    assert.strictEqual(typeof authCode, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('SELECT ' + AUTHCODES_FIELDS + ' FROM authcodes WHERE authCode = ? AND expiresAt > ?', [ authCode, Date.now() ], function (error, result) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.length === 0) return callback(new BoxError(BoxError.NOT_FOUND, 'Authcode not found'));
-
-        callback(null, result[0]);
-    });
-}
-
-function add(authCode, clientId, userId, expiresAt, callback) {
-    assert.strictEqual(typeof authCode, 'string');
-    assert.strictEqual(typeof clientId, 'string');
-    assert.strictEqual(typeof userId, 'string');
-    assert.strictEqual(typeof expiresAt, 'number');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('INSERT INTO authcodes (authCode, clientId, userId, expiresAt) VALUES (?, ?, ?, ?)',
-        [ authCode, clientId, userId, expiresAt ], function (error, result) {
-            if (error && error.code === 'ER_DUP_ENTRY') return callback(new BoxError(BoxError.ALREADY_EXISTS));
-            if (error || result.affectedRows !== 1) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-            callback(null);
-        });
-}
-
-function del(authCode, callback) {
-    assert.strictEqual(typeof authCode, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('DELETE FROM authcodes WHERE authCode = ?', [ authCode ], function (error, result) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.affectedRows !== 1) return callback(new BoxError(BoxError.NOT_FOUND, 'Authcode not found'));
-
-        callback(null);
-    });
-}
-
-function delExpired(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('DELETE FROM authcodes WHERE expiresAt <= ?', [ Date.now() ], function (error, result) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        return callback(null, result.affectedRows);
-    });
-}
-
-function clear(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('DELETE FROM authcodes', function (error) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-        callback(null);
-    });
-}
-

src/backupdb.js

@@ -6,7 +6,7 @@ var assert = require('assert'),
     safe = require('safetydance'),
     util = require('util');
 
-var BACKUPS_FIELDS = [ 'id', 'creationTime', 'version', 'type', 'dependsOn', 'state', 'manifestJson', 'format', 'preserveSecs' ];
+var BACKUPS_FIELDS = [ 'id', 'creationTime', 'packageVersion', 'type', 'dependsOn', 'state', 'manifestJson', 'format', 'preserveSecs', 'encryptionVersion' ];
 
 exports = module.exports = {
     add: add,
@@ -106,7 +106,8 @@ function get(id, callback) {
 function add(id, data, callback) {
     assert(data && typeof data === 'object');
     assert.strictEqual(typeof id, 'string');
-    assert.strictEqual(typeof data.version, 'string');
+    assert(data.encryptionVersion === null || typeof data.encryptionVersion === 'number');
+    assert.strictEqual(typeof data.packageVersion, 'string');
     assert(data.type === exports.BACKUP_TYPE_APP || data.type === exports.BACKUP_TYPE_BOX);
     assert(util.isArray(data.dependsOn));
     assert.strictEqual(typeof data.manifest, 'object');
@@ -116,8 +117,8 @@ function add(id, data, callback) {
     var creationTime = data.creationTime || new Date(); // allow tests to set the time
     var manifestJson = JSON.stringify(data.manifest);
 
-    database.query('INSERT INTO backups (id, version, type, creationTime, state, dependsOn, manifestJson, format) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
-        [ id, data.version, data.type, creationTime, exports.BACKUP_STATE_NORMAL, data.dependsOn.join(','), manifestJson, data.format ],
+    database.query('INSERT INTO backups (id, encryptionVersion, packageVersion, type, creationTime, state, dependsOn, manifestJson, format) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)',
+        [ id, data.encryptionVersion, data.packageVersion, data.type, creationTime, exports.BACKUP_STATE_NORMAL, data.dependsOn.join(','), manifestJson, data.format ],
         function (error) {
             if (error && error.code === 'ER_DUP_ENTRY') return callback(new BoxError(BoxError.ALREADY_EXISTS));
             if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));

src/backups.js

@@ -30,12 +30,15 @@ exports = module.exports = {
 
     checkConfiguration: checkConfiguration,
 
-    SECRET_PLACEHOLDER: String.fromCharCode(0x25CF).repeat(8),
+    configureCollectd: configureCollectd,
+
+    generateEncryptionKeysSync: generateEncryptionKeysSync,
 
     // for testing
     _getBackupFilePath: getBackupFilePath,
     _restoreFsMetadata: restoreFsMetadata,
-    _saveFsMetadata: saveFsMetadata
+    _saveFsMetadata: saveFsMetadata,
+    _applyBackupRetentionPolicy: applyBackupRetentionPolicy
 };
 
 var addons = require('./addons.js'),
@@ -44,15 +47,18 @@ var addons = require('./addons.js'),
     assert = require('assert'),
     backupdb = require('./backupdb.js'),
     BoxError = require('./boxerror.js'),
+    collectd = require('./collectd.js'),
     constants = require('./constants.js'),
     crypto = require('crypto'),
     database = require('./database.js'),
     DataLayout = require('./datalayout.js'),
     debug = require('debug')('box:backups'),
     df = require('@sindresorhus/df'),
+    ejs = require('ejs'),
     eventlog = require('./eventlog.js'),
     fs = require('fs'),
     locker = require('./locker.js'),
+    moment = require('moment'),
     mkdirp = require('mkdirp'),
     once = require('once'),
     path = require('path'),
@@ -65,10 +71,12 @@ var addons = require('./addons.js'),
     syncer = require('./syncer.js'),
     tar = require('tar-fs'),
     tasks = require('./tasks.js'),
+    TransformStream = require('stream').Transform,
     util = require('util'),
     zlib = require('zlib');
 
 const BACKUP_UPLOAD_CMD = path.join(__dirname, 'scripts/backupupload.js');
+const COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd/cloudron-backup.ejs', { encoding: 'utf8' });
 
 function debugApp(app) {
     assert(typeof app === 'object');
@@ -88,19 +96,31 @@ function api(provider) {
     case 'exoscale-sos': return require('./storage/s3.js');
     case 'wasabi': return require('./storage/s3.js');
     case 'scaleway-objectstorage': return require('./storage/s3.js');
+    case 'linode-objectstorage': return require('./storage/s3.js');
+    case 'ovh-objectstorage': return require('./storage/s3.js');
     case 'noop': return require('./storage/noop.js');
     default: return null;
     }
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.key === exports.SECRET_PLACEHOLDER) newConfig.key = currentConfig.key;
+    if ('password' in newConfig) {
+        if (newConfig.password === constants.SECRET_PLACEHOLDER) {
+            delete newConfig.password;
+        }
+        newConfig.encryption = currentConfig.encryption || null;
+    } else {
+        newConfig.encryption = null;
+    }
     if (newConfig.provider === currentConfig.provider) api(newConfig.provider).injectPrivateFields(newConfig, currentConfig);
 }
 
 function removePrivateFields(backupConfig) {
     assert.strictEqual(typeof backupConfig, 'object');
-    if (backupConfig.key) backupConfig.key = exports.SECRET_PLACEHOLDER;
+    if (backupConfig.encryption) {
+        delete backupConfig.encryption;
+        backupConfig.password = constants.SECRET_PLACEHOLDER;
+    }
     return api(backupConfig.provider).removePrivateFields(backupConfig);
 }
 
@@ -114,12 +134,25 @@ function testConfig(backupConfig, callback) {
     if (backupConfig.format !== 'tgz' && backupConfig.format !== 'rsync') return callback(new BoxError(BoxError.BAD_FIELD, 'unknown format', { field: 'format' }));
 
     // remember to adjust the cron ensureBackup task interval accordingly
-    if (backupConfig.intervalSecs < 6 * 60 * 60) return callback(new BoxError(BoxError.BAD_FIELD, 'Interval must be atleast 6 hours', { field: 'interval' }));
+    if (backupConfig.intervalSecs < 6 * 60 * 60) return callback(new BoxError(BoxError.BAD_FIELD, 'Interval must be atleast 6 hours', { field: 'intervalSecs' }));
+
+    if ('password' in backupConfig) {
+        if (typeof backupConfig.password !== 'string') return callback(new BoxError(BoxError.BAD_FIELD, 'password must be a string', { field: 'password' }));
+        if (backupConfig.password.length < 8) return callback(new BoxError(BoxError.BAD_FIELD, 'password must be atleast 8 characters', { field: 'password' }));
+    }
+
+    const policy = backupConfig.retentionPolicy;
+    if (!policy) return callback(new BoxError(BoxError.BAD_FIELD, 'retentionPolicy is required', { field: 'retentionPolicy' }));
+    if ('keepWithinSecs' in policy && typeof policy.keepWithinSecs !== 'number') return callback(new BoxError(BoxError.BAD_FIELD, 'keepWithinSecs must be a number', { field: 'retentionPolicy' }));
+    if ('keepDaily' in policy && typeof policy.keepDaily !== 'number') return callback(new BoxError(BoxError.BAD_FIELD, 'keepDaily must be a number', { field: 'retentionPolicy' }));
+    if ('keepWeekly' in policy && typeof policy.keepWeekly !== 'number') return callback(new BoxError(BoxError.BAD_FIELD, 'keepWeekly must be a number', { field: 'retentionPolicy' }));
+    if ('keepMonthly' in policy && typeof policy.keepMonthly !== 'number') return callback(new BoxError(BoxError.BAD_FIELD, 'keepMonthly must be a number', { field: 'retentionPolicy' }));
+    if ('keepYearly' in policy && typeof policy.keepYearly !== 'number') return callback(new BoxError(BoxError.BAD_FIELD, 'keepYearly must be a number', { field: 'retentionPolicy' }));
 
     api(backupConfig.provider).testConfig(backupConfig, callback);
 }
 
-
+// this skips password check since that policy is only at creation time
 function testProviderConfig(backupConfig, callback) {
     assert.strictEqual(typeof backupConfig, 'object');
     assert.strictEqual(typeof callback, 'function');
@@ -130,6 +163,18 @@ function testProviderConfig(backupConfig, callback) {
     api(backupConfig.provider).testConfig(backupConfig, callback);
 }
 
+function generateEncryptionKeysSync(password) {
+    assert.strictEqual(typeof password, 'string');
+
+    const aesKeys = crypto.scryptSync(password, Buffer.from('CLOUDRONSCRYPTSALT', 'utf8'), 128);
+    return {
+        dataKey: aesKeys.slice(0, 32).toString('hex'),
+        dataHmacKey: aesKeys.slice(32, 64).toString('hex'),
+        filenameKey: aesKeys.slice(64, 96).toString('hex'),
+        filenameHmacKey: aesKeys.slice(96).toString('hex')
+    };
+}
+
 function getByStatePaged(state, page, perPage, callback) {
     assert.strictEqual(typeof state, 'string');
     assert(typeof page === 'number' && page > 0);
@@ -173,21 +218,23 @@ function getBackupFilePath(backupConfig, backupId, format) {
     assert.strictEqual(typeof format, 'string');
 
     if (format === 'tgz') {
-        const fileType = backupConfig.key ? '.tar.gz.enc' : '.tar.gz';
+        const fileType = backupConfig.encryption ? '.tar.gz.enc' : '.tar.gz';
         return path.join(backupConfig.prefix || backupConfig.backupFolder || '', backupId+fileType);
     } else {
         return path.join(backupConfig.prefix || backupConfig.backupFolder || '', backupId);
     }
 }
 
-function encryptFilePath(filePath, key) {
+function encryptFilePath(filePath, encryption) {
     assert.strictEqual(typeof filePath, 'string');
-    assert.strictEqual(typeof key, 'string');
+    assert.strictEqual(typeof encryption, 'object');
 
     var encryptedParts = filePath.split('/').map(function (part) {
-        const cipher = crypto.createCipher('aes-256-cbc', key);
+        let hmac = crypto.createHmac('sha256', Buffer.from(encryption.filenameHmacKey, 'hex'));
+        const iv = hmac.update(part).digest().slice(0, 16); // iv has to be deterministic, for our sync (copy) logic to work
+        const cipher = crypto.createCipheriv('aes-256-cbc', Buffer.from(encryption.filenameKey, 'hex'), iv);
         let crypt = cipher.update(part);
-        crypt = Buffer.concat([ crypt, cipher.final() ]);
+        crypt = Buffer.concat([ iv, crypt, cipher.final() ]);
 
         return crypt.toString('base64')     // ensures path is valid
             .replace(/\//g, '-')            // replace '/' of base64 since it conflicts with path separator
@@ -197,9 +244,9 @@ function encryptFilePath(filePath, key) {
     return encryptedParts.join('/');
 }
 
-function decryptFilePath(filePath, key) {
+function decryptFilePath(filePath, encryption) {
     assert.strictEqual(typeof filePath, 'string');
-    assert.strictEqual(typeof key, 'string');
+    assert.strictEqual(typeof encryption, 'object');
 
     let decryptedParts = [];
     for (let part of filePath.split('/')) {
@@ -207,61 +254,172 @@ function decryptFilePath(filePath, key) {
         part = part.replace(/-/g, '/');                 // replace with '/'
 
         try {
-            let decrypt = crypto.createDecipher('aes-256-cbc', key);
-            let text = decrypt.update(Buffer.from(part, 'base64'));
-            text = Buffer.concat([ text, decrypt.final() ]);
-            decryptedParts.push(text.toString('utf8'));
+            const buffer = Buffer.from(part, 'base64');
+            const iv = buffer.slice(0, 16);
+            let decrypt = crypto.createDecipheriv('aes-256-cbc', Buffer.from(encryption.filenameKey, 'hex'), iv);
+            const plainText = decrypt.update(buffer.slice(16));
+            const plainTextString = Buffer.concat([ plainText, decrypt.final() ]).toString('utf8');
+            const hmac = crypto.createHmac('sha256', Buffer.from(encryption.filenameHmacKey, 'hex'));
+            if (!hmac.update(plainTextString).digest().slice(0, 16).equals(iv)) return { error: new BoxError(BoxError.CRYPTO_ERROR, `mac error decrypting part ${part} of path ${filePath}`) };
+
+            decryptedParts.push(plainTextString);
         } catch (error) {
-            debug(`Error decrypting file ${filePath} part ${part}:`, error);
-            return null;
+            debug(`Error decrypting part ${part} of path ${filePath}:`, error);
+            return { error: new BoxError(BoxError.CRYPTO_ERROR, `Error decrypting part ${part} of path ${filePath}: ${error.message}`) };
         }
     }
 
-    return decryptedParts.join('/');
+    return { result: decryptedParts.join('/') };
 }
 
-function createReadStream(sourceFile, key) {
+class EncryptStream extends TransformStream {
+    constructor(encryption) {
+        super();
+        this._headerPushed = false;
+        this._iv = crypto.randomBytes(16);
+        this._cipher = crypto.createCipheriv('aes-256-cbc', Buffer.from(encryption.dataKey, 'hex'), this._iv);
+        this._hmac = crypto.createHmac('sha256', Buffer.from(encryption.dataHmacKey, 'hex'));
+    }
+
+    pushHeaderIfNeeded() {
+        if (!this._headerPushed) {
+            const magic = Buffer.from('CBV2');
+            this.push(magic);
+            this._hmac.update(magic);
+            this.push(this._iv);
+            this._hmac.update(this._iv);
+            this._headerPushed = true;
+        }
+    }
+
+    _transform(chunk, ignoredEncoding, callback) {
+        this.pushHeaderIfNeeded();
+
+        try {
+            const crypt = this._cipher.update(chunk);
+            this._hmac.update(crypt);
+            callback(null, crypt);
+        } catch (error) {
+            callback(error);
+        }
+    }
+
+    _flush(callback) {
+        try {
+            this.pushHeaderIfNeeded(); // for 0-length files
+            const crypt = this._cipher.final();
+            this.push(crypt);
+            this._hmac.update(crypt);
+            callback(null, this._hmac.digest()); // +32 bytes
+        } catch (error) {
+            callback(error);
+        }
+    }
+}
+
+class DecryptStream extends TransformStream {
+    constructor(encryption) {
+        super();
+        this._key = Buffer.from(encryption.dataKey, 'hex');
+        this._header = Buffer.alloc(0);
+        this._decipher = null;
+        this._hmac = crypto.createHmac('sha256', Buffer.from(encryption.dataHmacKey, 'hex'));
+        this._buffer = Buffer.alloc(0);
+    }
+
+    _transform(chunk, ignoredEncoding, callback) {
+        const needed = 20 - this._header.length; // 4 for magic, 16 for iv
+
+        if (this._header.length !== 20) { // not gotten header yet
+            this._header = Buffer.concat([this._header, chunk.slice(0, needed)]);
+            if (this._header.length !== 20) return callback();
+
+            if (!this._header.slice(0, 4).equals(new Buffer.from('CBV2'))) return callback(new BoxError(BoxError.CRYPTO_ERROR, 'Invalid magic in header'));
+
+            const iv = this._header.slice(4);
+            this._decipher = crypto.createDecipheriv('aes-256-cbc', this._key, iv);
+            this._hmac.update(this._header);
+        }
+
+        this._buffer = Buffer.concat([ this._buffer, chunk.slice(needed) ]);
+        if (this._buffer.length < 32) return callback(); // hmac trailer length is 32
+
+        try {
+            const cipherText = this._buffer.slice(0, -32);
+            this._hmac.update(cipherText);
+            const plainText = this._decipher.update(cipherText);
+            this._buffer = this._buffer.slice(-32);
+            callback(null, plainText);
+        } catch (error) {
+            callback(error);
+        }
+    }
+
+    _flush (callback) {
+        if (this._buffer.length !== 32) return callback(new BoxError(BoxError.CRYPTO_ERROR, 'Invalid password or tampered file (not enough data)'));
+
+        try {
+            if (!this._hmac.digest().equals(this._buffer)) return callback(new BoxError(BoxError.CRYPTO_ERROR, 'Invalid password or tampered file (mac mismatch)'));
+
+            const plainText = this._decipher.final();
+            callback(null, plainText);
+        } catch (error) {
+            callback(error);
+        }
+    }
+}
+
+function createReadStream(sourceFile, encryption) {
     assert.strictEqual(typeof sourceFile, 'string');
-    assert(key === null || typeof key === 'string');
+    assert.strictEqual(typeof encryption, 'object');
 
     var stream = fs.createReadStream(sourceFile);
     var ps = progressStream({ time: 10000 }); // display a progress every 10 seconds
 
     stream.on('error', function (error) {
-        debug('createReadStream: read stream error.', error);
-        ps.emit('error', new BoxError(BoxError.FS_ERROR, error.message));
+        debug(`createReadStream: read stream error at ${sourceFile}`, error);
+        ps.emit('error', new BoxError(BoxError.FS_ERROR, `Error reading ${sourceFile}: ${error.message}`));
     });
 
-    if (key !== null) {
-        var encrypt = crypto.createCipher('aes-256-cbc', key);
-        encrypt.on('error', function (error) {
-            debug('createReadStream: encrypt stream error.', error);
-            ps.emit('error', new BoxError(BoxError.CRYPTO_ERROR, error.message));
+    if (encryption) {
+        let encryptStream = new EncryptStream(encryption);
+
+        encryptStream.on('error', function (error) {
+            debug(`createReadStream: encrypt stream error ${sourceFile}`, error);
+            ps.emit('error', new BoxError(BoxError.CRYPTO_ERROR, `Encryption error at ${sourceFile}: ${error.message}`));
         });
-        return stream.pipe(encrypt).pipe(ps);
+
+        return stream.pipe(encryptStream).pipe(ps);
     } else {
         return stream.pipe(ps);
     }
 }
 
-function createWriteStream(destFile, key) {
+function createWriteStream(destFile, encryption) {
     assert.strictEqual(typeof destFile, 'string');
-    assert(key === null || typeof key === 'string');
+    assert.strictEqual(typeof encryption, 'object');
 
     var stream = fs.createWriteStream(destFile);
     var ps = progressStream({ time: 10000 }); // display a progress every 10 seconds
 
     stream.on('error', function (error) {
-        debug('createWriteStream: write stream error.', error);
-        ps.emit('error', new BoxError(BoxError.FS_ERROR, error.message));
+        debug(`createWriteStream: write stream error ${destFile}`, error);
+        ps.emit('error', new BoxError(BoxError.FS_ERROR, `Write error ${destFile}: ${error.message}`));
     });
 
-    if (key !== null) {
-        var decrypt = crypto.createDecipher('aes-256-cbc', key);
+    stream.on('finish', function () {
+        debug('createWriteStream: done.');
+        // we use a separate event because ps is a through2 stream which emits 'finish' event indicating end of inStream and not write
+        ps.emit('done');
+    });
+
+    if (encryption) {
+        let decrypt = new DecryptStream(encryption);
         decrypt.on('error', function (error) {
-            debug('createWriteStream: decrypt stream error.', error);
-            ps.emit('error', new BoxError(BoxError.CRYPTO_ERROR, error.message));
+            debug(`createWriteStream: decrypt stream error ${destFile}`, error);
+            ps.emit('error', new BoxError(BoxError.CRYPTO_ERROR, `Decryption error at ${destFile}: ${error.message}`));
         });
+
         ps.pipe(decrypt).pipe(stream);
     } else {
         ps.pipe(stream);
@@ -270,9 +428,9 @@ function createWriteStream(destFile, key) {
     return ps;
 }
 
-function tarPack(dataLayout, key, callback) {
+function tarPack(dataLayout, encryption, callback) {
     assert(dataLayout instanceof DataLayout, 'dataLayout must be a DataLayout');
-    assert(key === null || typeof key === 'string');
+    assert.strictEqual(typeof encryption, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     var pack = tar.pack('/', {
@@ -293,7 +451,7 @@ function tarPack(dataLayout, key, callback) {
     });
 
     var gzip = zlib.createGzip({});
-    var ps = progressStream({ time: 10000 }); // emit 'pgoress' every 10 seconds
+    var ps = progressStream({ time: 10000 }); // emit 'progress' every 10 seconds
 
     pack.on('error', function (error) {
         debug('tarPack: tar stream error.', error);
@@ -305,18 +463,19 @@ function tarPack(dataLayout, key, callback) {
         ps.emit('error', new BoxError(BoxError.EXTERNAL_ERROR, error.message));
     });
 
-    if (key !== null) {
-        var encrypt = crypto.createCipher('aes-256-cbc', key);
-        encrypt.on('error', function (error) {
+    if (encryption) {
+        const encryptStream = new EncryptStream(encryption);
+        encryptStream.on('error', function (error) {
             debug('tarPack: encrypt stream error.', error);
             ps.emit('error', new BoxError(BoxError.EXTERNAL_ERROR, error.message));
         });
-        pack.pipe(gzip).pipe(encrypt).pipe(ps);
+
+        pack.pipe(gzip).pipe(encryptStream).pipe(ps);
     } else {
         pack.pipe(gzip).pipe(ps);
     }
 
-    callback(null, ps);
+    return callback(null, ps);
 }
 
 function sync(backupConfig, backupId, dataLayout, progressCallback, callback) {
@@ -332,7 +491,7 @@ function sync(backupConfig, backupId, dataLayout, progressCallback, callback) {
     syncer.sync(dataLayout, function processTask(task, iteratorCallback) {
         debug('sync: processing task: %j', task);
         // the empty task.path is special to signify the directory
-        const destPath = task.path && backupConfig.key ? encryptFilePath(task.path, backupConfig.key) : task.path;
+        const destPath = task.path && backupConfig.encryption ? encryptFilePath(task.path, backupConfig.encryption) : task.path;
         const backupFilePath = path.join(getBackupFilePath(backupConfig, backupId, backupConfig.format), destPath);
 
         if (task.operation === 'removedir') {
@@ -353,7 +512,7 @@ function sync(backupConfig, backupId, dataLayout, progressCallback, callback) {
             if (task.operation === 'add') {
                 progressCallback({ message: `Adding ${task.path}` + (retryCount > 1 ?  ` (Try ${retryCount})` : '') });
                 debug(`Adding ${task.path} position ${task.position} try ${retryCount}`);
-                var stream = createReadStream(dataLayout.toLocalPath('./' + task.path), backupConfig.key || null);
+                var stream = createReadStream(dataLayout.toLocalPath('./' + task.path), backupConfig.encryption);
                 stream.on('error', function (error) {
                     debug(`read stream error for ${task.path}: ${error.message}`);
                     retryCallback();
@@ -454,7 +613,7 @@ function upload(backupId, format, dataLayoutString, progressCallback, callback)
                 async.retry({ times: 5, interval: 20000 }, function (retryCallback) {
                     retryCallback = once(retryCallback); // protect again upload() erroring much later after tar stream error
 
-                    tarPack(dataLayout, backupConfig.key || null, function (error, tarStream) {
+                    tarPack(dataLayout, backupConfig.encryption, function (error, tarStream) {
                         if (error) return retryCallback(error);
 
                         tarStream.on('progress', function (progress) {
@@ -477,10 +636,10 @@ function upload(backupId, format, dataLayoutString, progressCallback, callback)
     });
 }
 
-function tarExtract(inStream, dataLayout, key, callback) {
+function tarExtract(inStream, dataLayout, encryption, callback) {
     assert.strictEqual(typeof inStream, 'object');
     assert(dataLayout instanceof DataLayout, 'dataLayout must be a DataLayout');
-    assert(key === null || typeof key === 'string');
+    assert.strictEqual(typeof encryption, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     var gunzip = zlib.createGunzip({});
@@ -492,7 +651,10 @@ function tarExtract(inStream, dataLayout, key, callback) {
         }
     });
 
-    const emitError = once((error) => ps.emit('error', error));
+    const emitError = once((error) => {
+        inStream.destroy();
+        ps.emit('error', error);
+    });
 
     inStream.on('error', function (error) {
         debug('tarExtract: input stream error.', error);
@@ -515,8 +677,8 @@ function tarExtract(inStream, dataLayout, key, callback) {
         ps.emit('done');
     });
 
-    if (key !== null) {
-        var decrypt = crypto.createDecipher('aes-256-cbc', key);
+    if (encryption) {
+        let decrypt = new DecryptStream(encryption);
         decrypt.on('error', function (error) {
             debug('tarExtract: decrypt stream error.', error);
             emitError(new BoxError(BoxError.EXTERNAL_ERROR, `Failed to decrypt: ${error.message}`));
@@ -567,9 +729,10 @@ function downloadDir(backupConfig, backupFilePath, dataLayout, progressCallback,
 
     function downloadFile(entry, done) {
         let relativePath = path.relative(backupFilePath, entry.fullPath);
-        if (backupConfig.key) {
-            relativePath = decryptFilePath(relativePath, backupConfig.key);
-            if (!relativePath) return done(new BoxError(BoxError.BAD_STATE, 'Unable to decrypt file'));
+        if (backupConfig.encryption) {
+            const { error, result } = decryptFilePath(relativePath, backupConfig.encryption);
+            if (error) return done(new BoxError(BoxError.CRYPTO_ERROR, 'Unable to decrypt file'));
+            relativePath = result;
         }
         const destFilePath = dataLayout.toLocalPath('./' + relativePath);
 
@@ -577,31 +740,35 @@ function downloadDir(backupConfig, backupFilePath, dataLayout, progressCallback,
             if (error) return done(new BoxError(BoxError.FS_ERROR, error.message));
 
             async.retry({ times: 5, interval: 20000 }, function (retryCallback) {
-                let destStream = createWriteStream(destFilePath, backupConfig.key || null);
-
-                destStream.on('progress', function (progress) {
-                    const transferred = Math.round(progress.transferred/1024/1024), speed = Math.round(progress.speed/1024/1024);
-                    if (!transferred && !speed) return progressCallback({ message: `Downloading ${entry.fullPath}` }); // 0M@0Mbps looks wrong
-                    progressCallback({ message: `Downloading ${entry.fullPath}: ${transferred}M@${speed}Mbps` });
-                });
-
-                // protect against multiple errors. must destroy the write stream so that a previous retry does not write
-                let closeAndRetry = once((error) => {
-                    if (error) progressCallback({ message: `Download ${entry.fullPath} to ${destFilePath} errored: ${error.message}` });
-                    else progressCallback({ message: `Download ${entry.fullPath} to ${destFilePath} finished` });
-                    destStream.destroy();
-                    retryCallback(error);
-                });
-
                 api(backupConfig.provider).download(backupConfig, entry.fullPath, function (error, sourceStream) {
-                    if (error) return closeAndRetry(error);
+                    if (error) {
+                        progressCallback({ message: `Download ${entry.fullPath} to ${destFilePath} errored: ${error.message}` });
+                        return retryCallback(error);
+                    }
+
+                    let destStream = createWriteStream(destFilePath, backupConfig.encryption);
+
+                    // protect against multiple errors. must destroy the write stream so that a previous retry does not write
+                    let closeAndRetry = once((error) => {
+                        if (error) progressCallback({ message: `Download ${entry.fullPath} to ${destFilePath} errored: ${error.message}` });
+                        else progressCallback({ message: `Download ${entry.fullPath} to ${destFilePath} finished` });
+                        sourceStream.destroy();
+                        destStream.destroy();
+                        retryCallback(error);
+                    });
+
+                    destStream.on('progress', function (progress) {
+                        const transferred = Math.round(progress.transferred/1024/1024), speed = Math.round(progress.speed/1024/1024);
+                        if (!transferred && !speed) return progressCallback({ message: `Downloading ${entry.fullPath}` }); // 0M@0Mbps looks wrong
+                        progressCallback({ message: `Downloading ${entry.fullPath}: ${transferred}M@${speed}Mbps` });
+                    });
+                    destStream.on('error', closeAndRetry);
 
                     sourceStream.on('error', closeAndRetry);
-                    destStream.on('error', closeAndRetry); // already emits BoxError
 
                     progressCallback({ message: `Downloading ${entry.fullPath} to ${destFilePath}` });
 
-                    sourceStream.pipe(destStream, { end: true }).on('finish', closeAndRetry);
+                    sourceStream.pipe(destStream, { end: true }).on('done', closeAndRetry);
                 });
             }, done);
         });
@@ -632,7 +799,7 @@ function download(backupConfig, backupId, format, dataLayout, progressCallback,
             api(backupConfig.provider).download(backupConfig, backupFilePath, function (error, sourceStream) {
                 if (error) return retryCallback(error);
 
-                tarExtract(sourceStream, dataLayout, backupConfig.key || null, function (error, ps) {
+                tarExtract(sourceStream, dataLayout, backupConfig.encryption, function (error, ps) {
                     if (error) return retryCallback(error);
 
                     ps.on('progress', function (progress) {
@@ -722,8 +889,8 @@ function runBackupUpload(uploadConfig, progressCallback, callback) {
         }
 
         callback();
-    }).on('message', function (progress) { // script sends either 'message' or 'result' property
-        if (!progress.result) return progressCallback({ message: `${progress.message} (${progressTag})` });
+    }).on('message', function (progress) { // this is { message } or { result }
+        if ('message' in progress) return progressCallback({ message: `${progress.message} (${progressTag})` });
         debug(`runBackupUpload: result - ${JSON.stringify(progress)}`);
         result = progress.result;
     });
@@ -811,7 +978,15 @@ function rotateBoxBackup(backupConfig, tag, appBackupIds, progressCallback, call
 
     debug(`Rotating box backup to id ${backupId}`);
 
-    backupdb.add(backupId, { version: constants.VERSION, type: backupdb.BACKUP_TYPE_BOX, dependsOn: appBackupIds, manifest: null, format: format }, function (error) {
+    const data = {
+        encryptionVersion: backupConfig.encryption ? 2 : null,
+        packageVersion: constants.VERSION,
+        type: backupdb.BACKUP_TYPE_BOX,
+        dependsOn: appBackupIds,
+        manifest: null,
+        format: format
+    };
+    backupdb.add(backupId, data, function (error) {
         if (error) return callback(error);
 
         var copy = api(backupConfig.provider).copy(backupConfig, getBackupFilePath(backupConfig, 'snapshot/box', format), getBackupFilePath(backupConfig, backupId, format));
@@ -849,9 +1024,10 @@ function backupBoxWithAppBackupIds(appBackupIds, tag, progressCallback, callback
 }
 
 function canBackupApp(app) {
-    // only backup apps that are installed or pending configure or called from apptask. Rest of them are in some
-    // state not good for consistent backup (i.e addons may not have been setup completely)
-    return (app.installationState === apps.ISTATE_INSTALLED && app.health === apps.HEALTH_HEALTHY) ||
+    // only backup apps that are installed or specific pending states
+    // we used to check the health here but that doesn't work for stopped apps. it's better to just fail
+    // and inform the user if the backup fails and the app addons have not been setup yet.
+    return  app.installationState === apps.ISTATE_INSTALLED ||
             app.installationState === apps.ISTATE_PENDING_CONFIGURE ||
             app.installationState === apps.ISTATE_PENDING_BACKUP ||  // called from apptask
             app.installationState === apps.ISTATE_PENDING_UPDATE; // called from apptask
@@ -892,7 +1068,16 @@ function rotateAppBackup(backupConfig, app, tag, options, progressCallback, call
 
     debug(`Rotating app backup of ${app.id} to id ${backupId}`);
 
-    backupdb.add(backupId, { version: manifest.version, type: backupdb.BACKUP_TYPE_APP, dependsOn: [ ], manifest: manifest, format: format }, function (error) {
+    const data = {
+        encryptionVersion: backupConfig.encryption ? 2 : null,
+        packageVersion: manifest.version,
+        type: backupdb.BACKUP_TYPE_APP,
+        dependsOn: [ ],
+        manifest,
+        format: format
+    };
+
+    backupdb.add(backupId, data, function (error) {
         if (error) return callback(error);
 
         var copy = api(backupConfig.provider).copy(backupConfig, getBackupFilePath(backupConfig, `snapshot/app_${app.id}`, format), getBackupFilePath(backupConfig, backupId, format));
@@ -1072,9 +1257,57 @@ function ensureBackup(auditSource, callback) {
     });
 }
 
-function cleanupBackup(backupConfig, backup, callback) {
+// backups must be descending in creationTime
+function applyBackupRetentionPolicy(backups, policy) {
+    assert(Array.isArray(backups));
+    assert.strictEqual(typeof policy, 'object');
+
+    const now = new Date();
+
+    for (const backup of backups) {
+        if (backup.keepReason) continue; // already kept for some other reason
+
+        if ((now - backup.creationTime) < (backup.preserveSecs * 1000)) {
+            backup.keepReason = 'preserveSecs';
+        } else if ((now - backup.creationTime < policy.keepWithinSecs * 1000) || policy.keepWithinSecs < 0) {
+            backup.keepReason = 'keepWithinSecs';
+        }
+    }
+
+    const KEEP_FORMATS = {
+        keepDaily: 'Y-M-D',
+        keepWeekly: 'Y-W',
+        keepMonthly: 'Y-M',
+        keepYearly: 'Y'
+    };
+
+    for (const format of [ 'keepDaily', 'keepWeekly', 'keepMonthly', 'keepYearly' ]) {
+        if (!(format in policy)) continue;
+
+        const n = policy[format]; // we want to keep "n" backups of format
+        if (!n) continue; // disabled rule
+
+        let lastPeriod = null, keptSoFar = 0;
+        for (const backup of backups) {
+            if (backup.keepReason) continue; // already kept for some other reason
+            const period = moment(backup.creationTime).format(KEEP_FORMATS[format]);
+            if (period === lastPeriod) continue; // already kept for this period
+
+            lastPeriod = period;
+            backup.keepReason = format;
+            if (++keptSoFar === n) break;
+        }
+    }
+
+    for (const backup of backups) {
+        if (backup.keepReason) debug(`applyBackupRetentionPolicy: ${backup.id} ${backup.type} ${backup.keepReason}`);
+    }
+}
+
+function cleanupBackup(backupConfig, backup, progressCallback, callback) {
     assert.strictEqual(typeof backupConfig, 'object');
     assert.strictEqual(typeof backup, 'object');
+    assert.strictEqual(typeof progressCallback, 'function');
     assert.strictEqual(typeof callback, 'function');
 
     var backupFilePath = getBackupFilePath(backupConfig, backup.id, backup.format);
@@ -1099,55 +1332,60 @@ function cleanupBackup(backupConfig, backup, callback) {
     }
 
     if (backup.format ==='tgz') {
+        progressCallback({ message: `${backup.id}: Removing ${backupFilePath}`});
         api(backupConfig.provider).remove(backupConfig, backupFilePath, done);
     } else {
         var events = api(backupConfig.provider).removeDir(backupConfig, backupFilePath);
-        events.on('progress', function (detail) { debug(`cleanupBackup: ${detail}`); });
+        events.on('progress', (message) => progressCallback({ message: `${backup.id}: ${message}` }));
         events.on('done', done);
     }
 }
 
-function cleanupAppBackups(backupConfig, referencedAppBackups, callback) {
+function cleanupAppBackups(backupConfig, referencedAppBackupIds, progressCallback, callback) {
     assert.strictEqual(typeof backupConfig, 'object');
-    assert(Array.isArray(referencedAppBackups));
+    assert(Array.isArray(referencedAppBackupIds));
+    assert.strictEqual(typeof progressCallback, 'function');
     assert.strictEqual(typeof callback, 'function');
 
-    const now = new Date();
-    let removedAppBackups = [];
+    let removedAppBackupIds = [];
 
     // we clean app backups of any state because the ones to keep are determined by the box cleanup code
     backupdb.getByTypePaged(backupdb.BACKUP_TYPE_APP, 1, 1000, function (error, appBackups) {
         if (error) return callback(error);
 
+        for (const appBackup of appBackups) { // set the reason so that policy filter can skip it
+            if (referencedAppBackupIds.includes(appBackup.id)) appBackup.keepReason = 'reference';
+        }
+
+        applyBackupRetentionPolicy(appBackups, backupConfig.retentionPolicy);
+
         async.eachSeries(appBackups, function iterator(appBackup, iteratorDone) {
-            if (referencedAppBackups.indexOf(appBackup.id) !== -1) return iteratorDone();
-            if ((now - appBackup.creationTime) < (appBackup.preserveSecs * 1000)) return iteratorDone();
-            if ((now - appBackup.creationTime) < (backupConfig.retentionSecs * 1000)) return iteratorDone();
+            if (appBackup.keepReason) return iteratorDone();
 
-            debug('cleanupAppBackups: removing %s', appBackup.id);
+            progressCallback({ message: `Removing app backup ${appBackup.id}`});
 
-            removedAppBackups.push(appBackup.id);
-            cleanupBackup(backupConfig, appBackup, iteratorDone);
+            removedAppBackupIds.push(appBackup.id);
+            cleanupBackup(backupConfig, appBackup, progressCallback, iteratorDone);
         }, function () {
             debug('cleanupAppBackups: done');
 
-            callback(null, removedAppBackups);
+            callback(null, removedAppBackupIds);
         });
     });
 }
 
-function cleanupBoxBackups(backupConfig, auditSource, callback) {
+function cleanupBoxBackups(backupConfig, progressCallback, auditSource, callback) {
     assert.strictEqual(typeof backupConfig, 'object');
+    assert.strictEqual(typeof progressCallback, 'function');
     assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    const now = new Date();
-    let referencedAppBackups = [], removedBoxBackups = [];
+    let referencedAppBackupIds = [], removedBoxBackupIds = [];
 
     backupdb.getByTypePaged(backupdb.BACKUP_TYPE_BOX, 1, 1000, function (error, boxBackups) {
         if (error) return callback(error);
 
-        if (boxBackups.length === 0) return callback(null, { removedBoxBackups, referencedAppBackups });
+        if (boxBackups.length === 0) return callback(null, { removedBoxBackupIds, referencedAppBackupIds });
 
         // search for the first valid backup
         var i;
@@ -1158,28 +1396,28 @@ function cleanupBoxBackups(backupConfig, auditSource, callback) {
         // keep the first valid backup
         if (i !== boxBackups.length) {
             debug('cleanupBoxBackups: preserving box backup %s (%j)', boxBackups[i].id, boxBackups[i].dependsOn);
-            referencedAppBackups = boxBackups[i].dependsOn;
+            referencedAppBackupIds = boxBackups[i].dependsOn;
             boxBackups.splice(i, 1);
         } else {
             debug('cleanupBoxBackups: no box backup to preserve');
         }
 
+        applyBackupRetentionPolicy(boxBackups, backupConfig.retentionPolicy);
+
         async.eachSeries(boxBackups, function iterator(boxBackup, iteratorNext) {
-            // TODO: errored backups should probably be cleaned up before retention time, but we will
-            // have to be careful not to remove any backup currently being created
-            if ((now - boxBackup.creationTime) < (backupConfig.retentionSecs * 1000)) {
-                referencedAppBackups = referencedAppBackups.concat(boxBackup.dependsOn);
+            if (boxBackup.keepReason) {
+                referencedAppBackupIds = referencedAppBackupIds.concat(boxBackup.dependsOn);
                 return iteratorNext();
             }
 
-            debug('cleanupBoxBackups: removing %s', boxBackup.id);
+            progressCallback({ message: `Removing box backup ${boxBackup.id}`});
 
-            removedBoxBackups.push(boxBackup.id);
-            cleanupBackup(backupConfig, boxBackup, iteratorNext);
+            removedBoxBackupIds.push(boxBackup.id);
+            cleanupBackup(backupConfig, boxBackup, progressCallback, iteratorNext);
         }, function () {
             debug('cleanupBoxBackups: done');
 
-            callback(null, { removedBoxBackups, referencedAppBackups });
+            callback(null, { removedBoxBackupIds, referencedAppBackupIds });
         });
     });
 }
@@ -1241,19 +1479,19 @@ function cleanup(auditSource, progressCallback, callback) {
     settings.getBackupConfig(function (error, backupConfig) {
         if (error) return callback(error);
 
-        if (backupConfig.retentionSecs < 0) {
+        if (backupConfig.retentionPolicy.keepWithinSecs < 0) {
             debug('cleanup: keeping all backups');
             return callback(null, {});
         }
 
         progressCallback({ percent: 10, message: 'Cleaning box backups' });
 
-        cleanupBoxBackups(backupConfig, auditSource, function (error, result) {
+        cleanupBoxBackups(backupConfig, progressCallback, auditSource, function (error, { removedBoxBackupIds, referencedAppBackupIds }) {
             if (error) return callback(error);
 
             progressCallback({ percent: 40, message: 'Cleaning app backups' });
 
-            cleanupAppBackups(backupConfig, result.referencedAppBackups, function (error, removedAppBackups) {
+            cleanupAppBackups(backupConfig, referencedAppBackupIds, progressCallback, function (error, removedAppBackupIds) {
                 if (error) return callback(error);
 
                 progressCallback({ percent: 90, message: 'Cleaning snapshots' });
@@ -1261,7 +1499,7 @@ function cleanup(auditSource, progressCallback, callback) {
                 cleanupSnapshots(backupConfig, function (error) {
                     if (error) return callback(error);
 
-                    callback(null, { removedBoxBackups: result.removedBoxBackups, removedAppBackups: removedAppBackups });
+                    callback(null, { removedBoxBackupIds, removedAppBackupIds });
                 });
             });
         });
@@ -1302,3 +1540,15 @@ function checkConfiguration(callback) {
         callback(null, message);
     });
 }
+
+function configureCollectd(backupConfig, callback) {
+    assert.strictEqual(typeof backupConfig, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (backupConfig.provider === 'filesystem') {
+        const collectdConf = ejs.render(COLLECTD_CONFIG_EJS, { backupDir: backupConfig.backupFolder });
+        collectd.addProfile('cloudron-backup', collectdConf, callback);
+    } else {
+        collectd.removeProfile('cloudron-backup', callback);
+    }
+}

src/boxerror.js

@@ -45,6 +45,7 @@ BoxError.DATABASE_ERROR = 'Database Error';
 BoxError.DNS_ERROR = 'DNS Error';
 BoxError.DOCKER_ERROR = 'Docker Error';
 BoxError.EXTERNAL_ERROR = 'External Error'; // use this for external API errors
+BoxError.FEATURE_DISABLED = 'Feature Disabled';
 BoxError.FS_ERROR = 'FileSystem Error';
 BoxError.INACTIVE = 'Inactive';
 BoxError.INTERNAL_ERROR = 'Internal Error';
@@ -77,6 +78,8 @@ BoxError.toHttpError = function (error) {
         return new HttpError(402, error);
     case BoxError.NOT_FOUND:
         return new HttpError(404, error);
+    case BoxError.FEATURE_DISABLED:
+        return new HttpError(405, error);
     case BoxError.ALREADY_EXISTS:
     case BoxError.BAD_STATE:
     case BoxError.CONFLICT:

src/cert/acme2.js

@@ -285,7 +285,7 @@ Acme2.prototype.waitForChallenge = function (challenge, callback) {
                 return retryCallback(new BoxError(BoxError.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
             }
 
-            debug('waitForChallenge: status is "%s %j', result.body.status, result.body);
+            debug('waitForChallenge: status is "%s" %j', result.body.status, result.body);
 
             if (result.body.status === 'pending') return retryCallback(new BoxError(BoxError.TRY_AGAIN));
             else if (result.body.status === 'valid') return retryCallback();
@@ -332,7 +332,7 @@ Acme2.prototype.createKeyAndCsr = function (hostname, callback) {
         // in some old releases, csr file was corrupt. so always regenerate it
         debug('createKeyAndCsr: reuse the key for renewal at %s', privateKeyFile);
     } else {
-        var key = safe.child_process.execSync('openssl genrsa 4096');
+        var key = safe.child_process.execSync('openssl ecparam -genkey -name secp384r1'); // openssl ecparam -list_curves
         if (!key) return callback(new BoxError(BoxError.OPENSSL_ERROR, safe.error));
         if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new BoxError(BoxError.FS_ERROR, safe.error));
 
@@ -452,7 +452,7 @@ Acme2.prototype.prepareDnsChallenge = function (hostname, domain, authorization,
     domains.upsertDnsRecords(challengeSubdomain, domain, 'TXT', [ `"${txtValue}"` ], function (error) {
         if (error) return callback(error);
 
-        domains.waitForDnsRecord(challengeSubdomain, domain, 'TXT', txtValue, { interval: 5000, times: 200 }, function (error) {
+        domains.waitForDnsRecord(challengeSubdomain, domain, 'TXT', txtValue, { times: 200 }, function (error) {
             if (error) return callback(error);
 
             callback(null, challenge);

src/clientdb.js

@@ -1,179 +0,0 @@
-'use strict';
-
-exports = module.exports = {
-    get: get,
-    getAll: getAll,
-    getAllWithTokenCount: getAllWithTokenCount,
-    getAllWithTokenCountByIdentifier: getAllWithTokenCountByIdentifier,
-    add: add,
-    del: del,
-    getByAppId: getByAppId,
-    getByAppIdAndType: getByAppIdAndType,
-
-    upsert: upsert,
-
-    delByAppId: delByAppId,
-    delByAppIdAndType: delByAppIdAndType,
-
-    _clear: clear
-};
-
-var assert = require('assert'),
-    BoxError = require('./boxerror.js'),
-    database = require('./database.js');
-
-var CLIENTS_FIELDS = [ 'id', 'appId', 'type', 'clientSecret', 'redirectURI', 'scope' ].join(',');
-var CLIENTS_FIELDS_PREFIXED = [ 'clients.id', 'clients.appId', 'clients.type', 'clients.clientSecret', 'clients.redirectURI', 'clients.scope' ].join(',');
-
-function get(id, callback) {
-    assert.strictEqual(typeof id, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('SELECT ' + CLIENTS_FIELDS + ' FROM clients WHERE id = ?', [ id ], function (error, result) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.length === 0) return callback(new BoxError(BoxError.NOT_FOUND, `Client not found: ${id}`));
-
-        callback(null, result[0]);
-    });
-}
-
-function getAll(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('SELECT ' + CLIENTS_FIELDS + ' FROM clients ORDER BY appId', function (error, results) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-        callback(null, results);
-    });
-}
-
-function getAllWithTokenCount(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('SELECT ' + CLIENTS_FIELDS_PREFIXED + ',COUNT(tokens.clientId) AS tokenCount FROM clients LEFT OUTER JOIN tokens ON clients.id=tokens.clientId GROUP BY clients.id', [], function (error, results) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-        callback(null, results);
-    });
-}
-
-function getAllWithTokenCountByIdentifier(identifier, callback) {
-    assert.strictEqual(typeof identifier, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('SELECT ' + CLIENTS_FIELDS_PREFIXED + ',COUNT(tokens.clientId) AS tokenCount FROM clients LEFT OUTER JOIN tokens ON clients.id=tokens.clientId WHERE tokens.identifier=? GROUP BY clients.id', [ identifier ], function (error, results) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-        callback(null, results);
-    });
-}
-
-function getByAppId(appId, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('SELECT ' + CLIENTS_FIELDS + ' FROM clients WHERE appId = ? LIMIT 1', [ appId ], function (error, result) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.length === 0) return callback(new BoxError(BoxError.NOT_FOUND, 'Client not found'));
-
-        callback(null, result[0]);
-    });
-}
-
-function getByAppIdAndType(appId, type, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof type, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('SELECT ' + CLIENTS_FIELDS + ' FROM clients WHERE appId = ? AND type = ? LIMIT 1', [ appId, type ], function (error, result) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.length === 0) return callback(new BoxError(BoxError.NOT_FOUND, 'Client not found'));
-
-        callback(null, result[0]);
-    });
-}
-
-function add(id, appId, type, clientSecret, redirectURI, scope, callback) {
-    assert.strictEqual(typeof id, 'string');
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof type, 'string');
-    assert.strictEqual(typeof clientSecret, 'string');
-    assert.strictEqual(typeof redirectURI, 'string');
-    assert.strictEqual(typeof scope, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var data = [ id, appId, type, clientSecret, redirectURI, scope ];
-
-    database.query('INSERT INTO clients (id, appId, type, clientSecret, redirectURI, scope) VALUES (?, ?, ?, ?, ?, ?)', data, function (error, result) {
-        if (error && error.code === 'ER_DUP_ENTRY') return callback(new BoxError(BoxError.ALREADY_EXISTS));
-        if (error || result.affectedRows === 0) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-        callback(null);
-    });
-}
-
-function upsert(id, appId, type, clientSecret, redirectURI, scope, callback) {
-    assert.strictEqual(typeof id, 'string');
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof type, 'string');
-    assert.strictEqual(typeof clientSecret, 'string');
-    assert.strictEqual(typeof redirectURI, 'string');
-    assert.strictEqual(typeof scope, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var data = [ id, appId, type, clientSecret, redirectURI, scope ];
-
-    database.query('REPLACE INTO clients (id, appId, type, clientSecret, redirectURI, scope) VALUES (?, ?, ?, ?, ?, ?)', data, function (error, result) {
-        if (error && error.code === 'ER_DUP_ENTRY') return callback(new BoxError(BoxError.ALREADY_EXISTS));
-        if (error || result.affectedRows === 0) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-        callback(null);
-    });
-}
-
-function del(id, callback) {
-    assert.strictEqual(typeof id, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('DELETE FROM clients WHERE id = ?', [ id ], function (error, result) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.affectedRows !== 1) return callback(new BoxError(BoxError.NOT_FOUND, `Client not found: ${id}`));
-
-        callback(null);
-    });
-}
-
-function delByAppId(appId, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('DELETE FROM clients WHERE appId=?', [ appId ], function (error, result) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.affectedRows !== 1) return callback(new BoxError(BoxError.NOT_FOUND, 'Client not found'));
-
-        callback(null);
-    });
-}
-
-function delByAppIdAndType(appId, type, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof type, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('DELETE FROM clients WHERE appId=? AND type=?', [ appId, type ], function (error, result) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.affectedRows !== 1) return callback(new BoxError(BoxError.NOT_FOUND, 'Client not found'));
-
-        callback(null);
-    });
-}
-
-function clear(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('DELETE FROM clients', function (error) {
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-        callback(null);
-    });
-}

src/clients.js

@@ -1,329 +0,0 @@
-'use strict';
-
-exports = module.exports = {
-    add: add,
-    get: get,
-    del: del,
-    getAll: getAll,
-    getByAppIdAndType: getByAppIdAndType,
-    getTokensByUserId: getTokensByUserId,
-    delTokensByUserId: delTokensByUserId,
-    delByAppIdAndType: delByAppIdAndType,
-    addTokenByUserId: addTokenByUserId,
-    delToken: delToken,
-
-    issueDeveloperToken: issueDeveloperToken,
-
-    addDefaultClients: addDefaultClients,
-
-    removeTokenPrivateFields: removeTokenPrivateFields,
-
-    // client ids. we categorize them so we can have different restrictions based on the client
-    ID_WEBADMIN: 'cid-webadmin',    // dashboard oauth
-    ID_SDK: 'cid-sdk',              // created by user via dashboard
-    ID_CLI: 'cid-cli',              // created via cli tool
-
-    // client type enums
-    TYPE_EXTERNAL: 'external',
-    TYPE_BUILT_IN: 'built-in',
-    TYPE_OAUTH: 'addon-oauth',
-    TYPE_PROXY: 'addon-proxy'
-};
-
-var apps = require('./apps.js'),
-    assert = require('assert'),
-    async = require('async'),
-    BoxError = require('./boxerror.js'),
-    clientdb = require('./clientdb.js'),
-    constants = require('./constants.js'),
-    debug = require('debug')('box:clients'),
-    eventlog = require('./eventlog.js'),
-    hat = require('./hat.js'),
-    accesscontrol = require('./accesscontrol.js'),
-    tokendb = require('./tokendb.js'),
-    users = require('./users.js'),
-    uuid = require('uuid'),
-    _ = require('underscore');
-
-function validateClientName(name) {
-    assert.strictEqual(typeof name, 'string');
-
-    if (name.length < 1) return new BoxError(BoxError.BAD_FIELD, 'name must be atleast 1 character', { field: 'name' });
-    if (name.length > 128) return new BoxError(BoxError.BAD_FIELD, 'name too long', { field: 'name' });
-
-    if (/[^a-zA-Z0-9-]/.test(name)) return new BoxError(BoxError.BAD_FIELD, 'name can only contain alphanumerals and dash', { field: 'name' });
-
-    return null;
-}
-
-function validateTokenName(name) {
-    assert.strictEqual(typeof name, 'string');
-
-    if (name.length > 64) return new BoxError(BoxError.BAD_FIELD, 'name too long', { field: 'name' });
-
-    return null;
-}
-
-function add(appId, type, redirectURI, scope, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof type, 'string');
-    assert.strictEqual(typeof redirectURI, 'string');
-    assert.strictEqual(typeof scope, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var error = accesscontrol.validateScopeString(scope);
-    if (error) return callback(error);
-
-    error = validateClientName(appId);
-    if (error) return callback(error);
-
-    var id = 'cid-' + uuid.v4();
-    var clientSecret = hat(8 * 128);
-
-    clientdb.add(id, appId, type, clientSecret, redirectURI, scope, function (error) {
-        if (error) return callback(error);
-
-        var client = {
-            id: id,
-            appId: appId,
-            type: type,
-            clientSecret: clientSecret,
-            redirectURI: redirectURI,
-            scope: scope
-        };
-
-        callback(null, client);
-    });
-}
-
-function get(id, callback) {
-    assert.strictEqual(typeof id, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    clientdb.get(id, function (error, result) {
-        if (error) return callback(error);
-
-        callback(null, result);
-    });
-}
-
-function del(id, callback) {
-    assert.strictEqual(typeof id, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    clientdb.del(id, function (error, result) {
-        if (error) return callback(error);
-
-        callback(null, result);
-    });
-}
-
-function getAll(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    clientdb.getAll(function (error, results) {
-        if (error && error.reason === BoxError.NOT_FOUND) return callback(null, []);
-        if (error) return callback(error);
-
-        var tmp = [];
-        async.each(results, function (record, callback) {
-            if (record.type === exports.TYPE_EXTERNAL || record.type === exports.TYPE_BUILT_IN) {
-                // the appId in this case holds the name
-                record.name = record.appId;
-
-                tmp.push(record);
-
-                return callback(null);
-            }
-
-            apps.get(record.appId, function (error, result) {
-                if (error) {
-                    console.error('Failed to get app details for oauth client', record.appId, error);
-                    return callback(null);  // ignore error so we continue listing clients
-                }
-
-                if (record.type === exports.TYPE_PROXY) record.name = result.manifest.title + ' Website Proxy';
-                if (record.type === exports.TYPE_OAUTH) record.name = result.manifest.title + ' OAuth';
-
-                record.domain = result.fqdn;
-
-                tmp.push(record);
-
-                callback(null);
-            });
-        }, function (error) {
-            if (error) return callback(error);
-            callback(null, tmp);
-        });
-    });
-}
-
-function getByAppIdAndType(appId, type, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof type, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    clientdb.getByAppIdAndType(appId, type, function (error, result) {
-        if (error) return callback(error);
-
-        callback(null, result);
-    });
-}
-
-function getTokensByUserId(clientId, userId, callback) {
-    assert.strictEqual(typeof clientId, 'string');
-    assert.strictEqual(typeof userId, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    tokendb.getByIdentifierAndClientId(userId, clientId, function (error, result) {
-        if (error && error.reason === BoxError.NOT_FOUND) {
-            // this can mean either that there are no tokens or the clientId is actually unknown
-            get(clientId, function (error/*, result*/) {
-                if (error) return callback(error);
-                callback(null, []);
-            });
-            return;
-        }
-        if (error) return callback(error);
-        callback(null, result || []);
-    });
-}
-
-function delTokensByUserId(clientId, userId, callback) {
-    assert.strictEqual(typeof clientId, 'string');
-    assert.strictEqual(typeof userId, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    tokendb.delByIdentifierAndClientId(userId, clientId, function (error) {
-        if (error && error.reason === BoxError.NOT_FOUND) {
-            // this can mean either that there are no tokens or the clientId is actually unknown
-            get(clientId, function (error/*, result*/) {
-                if (error) return callback(error);
-                callback(null);
-            });
-            return;
-        }
-        if (error) return callback(error);
-        callback(null);
-    });
-}
-
-function delByAppIdAndType(appId, type, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof type, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    getByAppIdAndType(appId, type, function (error, result) {
-        if (error) return callback(error);
-
-        tokendb.delByClientId(result.id, function (error) {
-            if (error && error.reason !== BoxError.NOT_FOUND) return callback(error);
-
-            clientdb.delByAppIdAndType(appId, type, function (error) {
-                if (error) return callback(error);
-
-                callback(null);
-            });
-        });
-    });
-}
-
-function addTokenByUserId(clientId, userId, expiresAt, options, callback) {
-    assert.strictEqual(typeof clientId, 'string');
-    assert.strictEqual(typeof userId, 'string');
-    assert.strictEqual(typeof expiresAt, 'number');
-    assert.strictEqual(typeof options, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    const name = options.name || '';
-    let error = validateTokenName(name);
-    if (error) return callback(error);
-
-    get(clientId, function (error, result) {
-        if (error) return callback(error);
-
-        users.get(userId, function (error, user) {
-            if (error) return callback(error);
-
-            accesscontrol.scopesForUser(user, function (error, userScopes) {
-                if (error) return callback(error);
-
-                const scope = accesscontrol.canonicalScopeString(result.scope);
-                const authorizedScopes = accesscontrol.intersectScopes(userScopes, scope.split(','));
-
-                const token = {
-                    id: 'tid-' + uuid.v4(),
-                    accessToken: hat(8 * 32),
-                    identifier: userId,
-                    clientId: result.id,
-                    expires: expiresAt,
-                    scope: authorizedScopes.join(','),
-                    name: name
-                };
-
-                tokendb.add(token, function (error) {
-                    if (error) return callback(error);
-
-                    callback(null, {
-                        accessToken: token.accessToken,
-                        tokenScopes: authorizedScopes,
-                        identifier: userId,
-                        clientId: result.id,
-                        expires: expiresAt
-                    });
-                });
-            });
-        });
-    });
-}
-
-function issueDeveloperToken(userObject, auditSource, callback) {
-    assert.strictEqual(typeof userObject, 'object');
-    assert.strictEqual(typeof auditSource, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    const expiresAt = Date.now() + (30 * 24 * 60 * 60 * 1000); // cli tokens are valid for a month
-
-    addTokenByUserId(exports.ID_CLI, userObject.id, expiresAt, {}, function (error, result) {
-        if (error) return callback(error);
-
-        eventlog.add(eventlog.ACTION_USER_LOGIN, auditSource, { userId: userObject.id, user: users.removePrivateFields(userObject) });
-
-        callback(null, result);
-    });
-}
-
-function delToken(clientId, tokenId, callback) {
-    assert.strictEqual(typeof clientId, 'string');
-    assert.strictEqual(typeof tokenId, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    get(clientId, function (error) {
-        if (error) return callback(error);
-
-        tokendb.del(tokenId, function (error) {
-            if (error) return callback(error);
-
-            callback(null);
-        });
-    });
-}
-
-function addDefaultClients(origin, callback) {
-    assert.strictEqual(typeof origin, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('Adding default clients');
-
-    // The domain might have changed, therefor we have to update the record
-    // id, appId, type, clientSecret, redirectURI, scope
-    async.series([
-        clientdb.upsert.bind(null, exports.ID_WEBADMIN, 'Settings', 'built-in', 'secret-webadmin', origin, '*'),
-        clientdb.upsert.bind(null, exports.ID_SDK, 'SDK', 'built-in', 'secret-sdk', origin, '*'),
-        clientdb.upsert.bind(null, exports.ID_CLI, 'Cloudron Tool', 'built-in', 'secret-cli', origin, '*')
-    ], callback);
-}
-
-function removeTokenPrivateFields(token) {
-    return _.pick(token, 'id', 'identifier', 'clientId', 'scope', 'expires', 'name');
-}

src/cloudron.js

@@ -21,23 +21,22 @@ exports = module.exports = {
     runSystemChecks: runSystemChecks,
 };
 
-var apps = require('./apps.js'),
+var addons = require('./addons.js'),
+    apps = require('./apps.js'),
+    appstore = require('./appstore.js'),
     assert = require('assert'),
     async = require('async'),
     auditSource = require('./auditsource.js'),
     backups = require('./backups.js'),
     BoxError = require('./boxerror.js'),
-    clients = require('./clients.js'),
     constants = require('./constants.js'),
     cron = require('./cron.js'),
     debug = require('debug')('box:cloudron'),
     domains = require('./domains.js'),
     eventlog = require('./eventlog.js'),
-    custom = require('./custom.js'),
     fs = require('fs'),
     mail = require('./mail.js'),
     notifications = require('./notifications.js'),
-    os = require('os'),
     path = require('path'),
     paths = require('./paths.js'),
     platform = require('./platform.js'),
@@ -107,6 +106,12 @@ function runStartupTasks() {
     // configure nginx to be reachable by IP
     reverseProxy.writeDefaultConfig(NOOP_CALLBACK);
 
+    // this configures collectd to collect backup storage metrics if filesystem is used. This is also triggerd when the settings change with the rest api
+    settings.getBackupConfig(function (error, backupConfig) {
+        if (error) return console.error('Failed to read backup config.', error);
+        backups.configureCollectd(backupConfig, NOOP_CALLBACK);
+    });
+
     // always generate webadmin config since we have no versioning mechanism for the ejs
     if (settings.adminDomain()) reverseProxy.writeAdminConfig(settings.adminDomain(), NOOP_CALLBACK);
 
@@ -134,16 +139,20 @@ function getConfig(callback) {
             mailFqdn: settings.mailFqdn(),
             version: constants.VERSION,
             isDemo: settings.isDemo(),
-            memory: os.totalmem(),
             provider: settings.provider(),
             cloudronName: allSettings[settings.CLOUDRON_NAME_KEY],
-            uiSpec: custom.uiSpec()
+            footer: allSettings[settings.FOOTER_KEY] || constants.FOOTER,
+            features: appstore.getFeatures()
         });
     });
 }
 
 function reboot(callback) {
-    shell.sudo('reboot', [ REBOOT_CMD ], {}, callback);
+    notifications.alert(notifications.ALERT_REBOOT, 'Reboot Required', '', function (error) {
+        if (error) console.error('Failed to clear reboot notification.', error);
+
+        shell.sudo('reboot', [ REBOOT_CMD ], {}, callback);
+    });
 }
 
 function isRebootRequired(callback) {
@@ -154,14 +163,14 @@ function isRebootRequired(callback) {
 }
 
 // called from cron.js
-function runSystemChecks() {
+function runSystemChecks(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
     async.parallel([
         checkBackupConfiguration,
         checkMailStatus,
         checkRebootRequired
-    ], function (error) {
-        debug('runSystemChecks: done', error);
-    });
+    ], callback);
 }
 
 function checkBackupConfiguration(callback) {
@@ -196,7 +205,7 @@ function checkRebootRequired(callback) {
     isRebootRequired(function (error, rebootRequired) {
         if (error) return callback(error);
 
-        notifications.alert(notifications.ALERT_REBOOT, 'Reboot Required', rebootRequired ? 'To finish security updates, a [reboot](/#/system) is necessary.' : '', callback);
+        notifications.alert(notifications.ALERT_REBOOT, 'Reboot Required', rebootRequired ? 'To finish ubuntu security updates, a reboot is necessary.' : '', callback);
     });
 }
 
@@ -253,6 +262,8 @@ function prepareDashboardDomain(domain, auditSource, callback) {
 
     debug(`prepareDashboardDomain: ${domain}`);
 
+    if (settings.isDemo()) return callback(new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode'));
+
     domains.get(domain, function (error, domainObject) {
         if (error) return callback(error);
 
@@ -291,10 +302,7 @@ function setDashboardDomain(domain, auditSource, callback) {
 
             const fqdn = domains.fqdn(constants.ADMIN_LOCATION, domainObject);
 
-            async.series([
-                (done) => settings.setAdmin(domain, fqdn, done),
-                (done) => clients.addDefaultClients(settings.adminOrigin(), done)
-            ], function (error) {
+            settings.setAdmin(domain, fqdn, function (error) {
                 if (error) return callback(error);
 
                 eventlog.add(eventlog.ACTION_DASHBOARD_DOMAIN_UPDATE, auditSource, { domain: domain, fqdn: fqdn });
@@ -313,10 +321,13 @@ function setDashboardAndMailDomain(domain, auditSource, callback) {
 
     debug(`setDashboardAndMailDomain: ${domain}`);
 
+    if (settings.isDemo()) return callback(new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode'));
+
     setDashboardDomain(domain, auditSource, function (error) {
         if (error) return callback(error);
 
         mail.onMailFqdnChanged(NOOP_CALLBACK); // this will update dns and re-configure mail server
+        addons.restartService('turn', NOOP_CALLBACK); // to update the realm variable
 
         callback(null);
     });

src/collectd.js

@@ -0,0 +1,55 @@
+'use strict';
+
+exports = module.exports = {
+    addProfile,
+    removeProfile
+};
+
+const assert = require('assert'),
+    BoxError = require('./boxerror.js'),
+    debug = require('debug')('collectd'),
+    fs = require('fs'),
+    path = require('path'),
+    paths = require('./paths.js'),
+    safe = require('safetydance'),
+    shell = require('./shell.js');
+
+const CONFIGURE_COLLECTD_CMD = path.join(__dirname, 'scripts/configurecollectd.sh');
+
+function addProfile(name, profile, callback) {
+    assert.strictEqual(typeof name, 'string');
+    assert.strictEqual(typeof profile, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    const configFilePath = path.join(paths.COLLECTD_APPCONFIG_DIR, `${name}.conf`);
+
+    // skip restarting collectd if the profile already exists with the same contents
+    const currentProfile = safe.fs.readFileSync(configFilePath, 'utf8') || '';
+    if (currentProfile === profile) return callback(null);
+
+    fs.writeFile(configFilePath, profile, function (error) {
+        if (error) return callback(new BoxError(BoxError.FS_ERROR, `Error writing collectd config: ${error.message}`));
+
+        shell.sudo('addCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'add', name ], {}, function (error) {
+            if (error) return callback(new BoxError(BoxError.COLLECTD_ERROR, 'Could not add collectd config'));
+
+            callback(null);
+        });
+    });
+
+}
+
+function removeProfile(name, callback) {
+    assert.strictEqual(typeof name, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    fs.unlink(path.join(paths.COLLECTD_APPCONFIG_DIR, `${name}.conf`), function (error) {
+        if (error && error.code !== 'ENOENT') debug('Error removing collectd profile', error);
+
+        shell.sudo('removeCollectdProfile', [ CONFIGURE_COLLECTD_CMD, 'remove', name ], {}, function (error) {
+            if (error) return callback(new BoxError(BoxError.COLLECTD_ERROR, 'Could not remove collectd config'));
+
+            callback(null);
+        });
+    });
+}

src/collectd/cloudron-backup.ejs

@@ -0,0 +1,9 @@
+<Plugin python>
+  <Module du>
+    <Path>
+        Instance "cloudron-backup"
+        Dir "<%= backupDir %>"
+    </Path>
+  </Module>
+</Plugin>
+

src/constants.js

@@ -32,21 +32,24 @@ exports = module.exports = {
 
     NGINX_DEFAULT_CONFIG_FILE_NAME: 'default.conf',
 
-    GHOST_USER_FILE: '/tmp/cloudron_ghost.json',
-
-    DEFAULT_TOKEN_EXPIRATION: 7 * 24 * 60 * 60 * 1000, // 1 week
+    DEFAULT_TOKEN_EXPIRATION: 365 * 24 * 60 * 60 * 1000, // 1 year
 
     DEFAULT_MEMORY_LIMIT: (256 * 1024 * 1024), // see also client.js
 
     DEMO_USERNAME: 'cloudron',
+    DEMO_BLACKLISTED_APPS: [ 'com.github.cloudtorrent' ],
 
     AUTOUPDATE_PATTERN_NEVER: 'never',
 
-    SECRET_PLACEHOLDER: String.fromCharCode(0x25CF).repeat(8),
+    SECRET_PLACEHOLDER: String.fromCharCode(0x25CF).repeat(8), // also used in dashboard client.js
 
     CLOUDRON: CLOUDRON,
     TEST: TEST,
 
-    VERSION: process.env.BOX_ENV === 'cloudron' ? fs.readFileSync(path.join(__dirname, '../VERSION'), 'utf8').trim() : '4.2.0-test'
+    SUPPORT_EMAIL: 'support@cloudron.io',
+
+    FOOTER: '&copy; 2020  &nbsp;  [Cloudron](https://cloudron.io) &nbsp; &nbsp; &nbsp;  [Forum <i class="fa fa-comments"></i>](https://forum.cloudron.io)',
+
+    VERSION: process.env.BOX_ENV === 'cloudron' ? fs.readFileSync(path.join(__dirname, '../VERSION'), 'utf8').trim() : '5.1.1-test'
 };
 

src/cron.js

@@ -12,6 +12,7 @@ var appHealthMonitor = require('./apphealthmonitor.js'),
     apps = require('./apps.js'),
     appstore = require('./appstore.js'),
     assert = require('assert'),
+    async = require('async'),
     auditSource = require('./auditsource.js'),
     backups = require('./backups.js'),
     cloudron = require('./cloudron.js'),
@@ -59,150 +60,141 @@ var NOOP_CALLBACK = function (error) { if (error) debug(error); };
 function startJobs(callback) {
     assert.strictEqual(typeof callback, 'function');
 
-    var randomHourMinute = Math.floor(60*Math.random());
+    const randomMinute = Math.floor(60*Math.random());
     gJobs.alive = new CronJob({
-        cronTime: '00 ' + randomHourMinute + ' * * * *', // every hour on a random minute
+        cronTime: '00 ' + randomMinute + ' * * * *', // every hour on a random minute
         onTick: appstore.sendAliveStatus,
         start: true
     });
 
+    gJobs.systemChecks = new CronJob({
+        cronTime: '00 30 * * * *', // every 30 minutes. if you change this interval, change the notification messages with correct duration
+        onTick: () => cloudron.runSystemChecks(NOOP_CALLBACK),
+        start: true
+    });
+
+    gJobs.diskSpaceChecker = new CronJob({
+        cronTime: '00 30 * * * *', // every 30 minutes. if you change this interval, change the notification messages with correct duration
+        onTick: () => system.checkDiskSpace(NOOP_CALLBACK),
+        start: true
+    });
+
+    gJobs.boxUpdateCheckerJob = new CronJob({
+        cronTime: '00 ' + randomMinute + ' 23 * * *', // once an day
+        onTick: () => updateChecker.checkBoxUpdates({ automatic: true }, NOOP_CALLBACK),
+        start: true
+    });
+
+    gJobs.appUpdateChecker = new CronJob({
+        cronTime: '00 ' + randomMinute + ' 22 * * *', // once an day
+        onTick: () => updateChecker.checkAppUpdates({ automatic: true }, NOOP_CALLBACK),
+        start: true
+    });
+
+    gJobs.cleanupTokens = new CronJob({
+        cronTime: '00 */30 * * * *', // every 30 minutes
+        onTick: janitor.cleanupTokens,
+        start: true
+    });
+
+    gJobs.cleanupBackups = new CronJob({
+        cronTime: '00 45 1,3,5,23 * * *', // every 6 hours. try not to overlap with ensureBackup job
+        onTick: backups.startCleanupTask.bind(null, auditSource.CRON, NOOP_CALLBACK),
+        start: true
+    });
+
+    gJobs.cleanupEventlog = new CronJob({
+        cronTime: '00 */30 * * * *', // every 30 minutes
+        onTick: eventlog.cleanup,
+        start: true
+    });
+
+    gJobs.dockerVolumeCleaner = new CronJob({
+        cronTime: '00 00 */12 * * *', // every 12 hours
+        onTick: janitor.cleanupDockerVolumes,
+        start: true
+    });
+
+    gJobs.schedulerSync = new CronJob({
+        cronTime: constants.TEST ? '*/10 * * * * *' : '00 */1 * * * *', // every minute
+        onTick: scheduler.sync,
+        start: true
+    });
+
+    gJobs.certificateRenew = new CronJob({
+        cronTime: '00 00 */12 * * *', // every 12 hours
+        onTick: cloudron.renewCerts.bind(null, {}, auditSource.CRON, NOOP_CALLBACK),
+        start: true
+    });
+
+    gJobs.appHealthMonitor = new CronJob({
+        cronTime: '*/10 * * * * *', // every 10 seconds
+        onTick: appHealthMonitor.run.bind(null, 10, NOOP_CALLBACK),
+        start: true
+    });
+
     settings.getAll(function (error, allSettings) {
         if (error) return callback(error);
 
-        recreateJobs(allSettings[settings.TIME_ZONE_KEY]);
-        appAutoupdatePatternChanged(allSettings[settings.APP_AUTOUPDATE_PATTERN_KEY]);
-        boxAutoupdatePatternChanged(allSettings[settings.BOX_AUTOUPDATE_PATTERN_KEY]);
+        const tz = allSettings[settings.TIME_ZONE_KEY];
+        backupConfigChanged(allSettings[settings.BACKUP_CONFIG_KEY], tz);
+        appAutoupdatePatternChanged(allSettings[settings.APP_AUTOUPDATE_PATTERN_KEY], tz);
+        boxAutoupdatePatternChanged(allSettings[settings.BOX_AUTOUPDATE_PATTERN_KEY], tz);
         dynamicDnsChanged(allSettings[settings.DYNAMIC_DNS_KEY]);
 
         callback();
     });
 }
 
+// eslint-disable-next-line no-unused-vars
 function handleSettingsChanged(key, value) {
     assert.strictEqual(typeof key, 'string');
-
     // value is a variant
+
     switch (key) {
-    case settings.TIME_ZONE_KEY: recreateJobs(value); break;
-    case settings.APP_AUTOUPDATE_PATTERN_KEY: appAutoupdatePatternChanged(value); break;
-    case settings.BOX_AUTOUPDATE_PATTERN_KEY: boxAutoupdatePatternChanged(value); break;
-    case settings.DYNAMIC_DNS_KEY: dynamicDnsChanged(value); break;
-    default: break;
+    case settings.TIME_ZONE_KEY:
+    case settings.BACKUP_CONFIG_KEY:
+    case settings.APP_AUTOUPDATE_PATTERN_KEY:
+    case settings.BOX_AUTOUPDATE_PATTERN_KEY:
+    case settings.DYNAMIC_DNS_KEY:
+        debug('handleSettingsChanged: recreating all jobs');
+        async.series([
+            stopJobs,
+            startJobs
+        ], NOOP_CALLBACK);
+        break;
+    default:
+        break;
     }
 }
 
-function recreateJobs(tz) {
+function backupConfigChanged(value, tz) {
+    assert.strictEqual(typeof value, 'object');
     assert.strictEqual(typeof tz, 'string');
 
-    debug('Creating jobs with timezone %s', tz);
+    debug(`backupConfigChanged: interval ${value.intervalSecs} (${tz})`);
 
     if (gJobs.backup) gJobs.backup.stop();
+    let pattern;
+    if (value.intervalSecs <= 6 * 60 * 60) {
+        pattern = '00 00 1,7,13,19 * * *'; // no option but to backup in the middle of the day
+    } else {
+        pattern = '00 00 1,3,5,23 * * *'; // avoid middle of the day backups
+    }
+
     gJobs.backup = new CronJob({
-        cronTime: '00 00 */6 * * *', // check every 6 hours
+        cronTime: pattern,
         onTick: backups.ensureBackup.bind(null, auditSource.CRON, NOOP_CALLBACK),
         start: true,
         timeZone: tz
     });
-
-    if (gJobs.systemChecks) gJobs.systemChecks.stop();
-    gJobs.systemChecks = new CronJob({
-        cronTime: '00 30 * * * *', // every 30 minutes. if you change this interval, change the notification messages with correct duration
-        onTick: cloudron.runSystemChecks,
-        start: true,
-        runOnInit: true, // run system check immediately
-        timeZone: tz
-    });
-
-    if (gJobs.diskSpaceChecker) gJobs.diskSpaceChecker.stop();
-    gJobs.diskSpaceChecker = new CronJob({
-        cronTime: '00 30 * * * *', // every 30 minutes. if you change this interval, change the notification messages with correct duration
-        onTick: () => system.checkDiskSpace(NOOP_CALLBACK),
-        start: true,
-        runOnInit: true, // run system check immediately
-        timeZone: tz
-    });
-
-    // randomized pattern per cloudron every hour
-    var randomMinute = Math.floor(60*Math.random());
-
-    if (gJobs.boxUpdateCheckerJob) gJobs.boxUpdateCheckerJob.stop();
-    gJobs.boxUpdateCheckerJob = new CronJob({
-        cronTime: '00 ' + randomMinute + ' * * * *', // once an hour
-        onTick: () => updateChecker.checkBoxUpdates(NOOP_CALLBACK),
-        start: true,
-        timeZone: tz
-    });
-
-    if (gJobs.appUpdateChecker) gJobs.appUpdateChecker.stop();
-    gJobs.appUpdateChecker = new CronJob({
-        cronTime: '00 ' + randomMinute + ' * * * *', // once an hour
-        onTick: () => updateChecker.checkAppUpdates(NOOP_CALLBACK),
-        start: true,
-        timeZone: tz
-    });
-
-    if (gJobs.cleanupTokens) gJobs.cleanupTokens.stop();
-    gJobs.cleanupTokens = new CronJob({
-        cronTime: '00 */30 * * * *', // every 30 minutes
-        onTick: janitor.cleanupTokens,
-        start: true,
-        timeZone: tz
-    });
-
-    if (gJobs.cleanupBackups) gJobs.cleanupBackups.stop();
-    gJobs.cleanupBackups = new CronJob({
-        cronTime: '00 45 */6 * * *', // every 6 hours. try not to overlap with ensureBackup job
-        onTick: backups.startCleanupTask.bind(null, auditSource.CRON, NOOP_CALLBACK),
-        start: true,
-        timeZone: tz
-    });
-
-    if (gJobs.cleanupEventlog) gJobs.cleanupEventlog.stop();
-    gJobs.cleanupEventlog = new CronJob({
-        cronTime: '00 */30 * * * *', // every 30 minutes
-        onTick: eventlog.cleanup,
-        start: true,
-        timeZone: tz
-    });
-
-    if (gJobs.dockerVolumeCleaner) gJobs.dockerVolumeCleaner.stop();
-    gJobs.dockerVolumeCleaner = new CronJob({
-        cronTime: '00 00 */12 * * *', // every 12 hours
-        onTick: janitor.cleanupDockerVolumes,
-        start: true,
-        timeZone: tz
-    });
-
-    if (gJobs.schedulerSync) gJobs.schedulerSync.stop();
-    gJobs.schedulerSync = new CronJob({
-        cronTime: constants.TEST ? '*/10 * * * * *' : '00 */1 * * * *', // every minute
-        onTick: scheduler.sync,
-        start: true,
-        timeZone: tz
-    });
-
-    if (gJobs.certificateRenew) gJobs.certificateRenew.stop();
-    gJobs.certificateRenew = new CronJob({
-        cronTime: '00 00 */12 * * *', // every 12 hours
-        onTick: cloudron.renewCerts.bind(null, {}, auditSource.CRON, NOOP_CALLBACK),
-        start: true,
-        timeZone: tz
-    });
-
-    if (gJobs.appHealthMonitor) gJobs.appHealthMonitor.stop();
-    gJobs.appHealthMonitor = new CronJob({
-        cronTime: '*/10 * * * * *', // every 10 seconds
-        onTick: appHealthMonitor.run.bind(null, 10, NOOP_CALLBACK),
-        start: true,
-        timeZone: tz
-    });
 }
 
-function boxAutoupdatePatternChanged(pattern) {
+function boxAutoupdatePatternChanged(pattern, tz) {
     assert.strictEqual(typeof pattern, 'string');
-    assert(gJobs.boxUpdateCheckerJob);
+    assert.strictEqual(typeof tz, 'string');
 
-    debug('Box auto update pattern changed to %s', pattern);
+    debug(`boxAutoupdatePatternChanged: pattern - ${pattern} (${tz})`);
 
     if (gJobs.boxAutoUpdater) gJobs.boxAutoUpdater.stop();
 
@@ -220,15 +212,15 @@ function boxAutoupdatePatternChanged(pattern) {
             }
         },
         start: true,
-        timeZone: gJobs.boxUpdateCheckerJob.cronTime.zone // hack
+        timeZone: tz
     });
 }
 
-function appAutoupdatePatternChanged(pattern) {
+function appAutoupdatePatternChanged(pattern, tz) {
     assert.strictEqual(typeof pattern, 'string');
-    assert(gJobs.boxUpdateCheckerJob);
+    assert.strictEqual(typeof tz, 'string');
 
-    debug('Apps auto update pattern changed to %s', pattern);
+    debug(`appAutoupdatePatternChanged: pattern ${pattern} (${tz})`);
 
     if (gJobs.appAutoUpdater) gJobs.appAutoUpdater.stop();
 
@@ -246,13 +238,12 @@ function appAutoupdatePatternChanged(pattern) {
             }
         },
         start: true,
-        timeZone: gJobs.boxUpdateCheckerJob.cronTime.zone // hack
+        timeZone: tz
     });
 }
 
 function dynamicDnsChanged(enabled) {
     assert.strictEqual(typeof enabled, 'boolean');
-    assert(gJobs.boxUpdateCheckerJob);
 
     debug('Dynamic DNS setting changed to %s', enabled);
 
@@ -260,8 +251,7 @@ function dynamicDnsChanged(enabled) {
         gJobs.dynamicDns = new CronJob({
             cronTime: '5 * * * * *',    // we only update the records if the ip has changed.
             onTick: dyndns.sync.bind(null, auditSource.CRON, NOOP_CALLBACK),
-            start: true,
-            timeZone: gJobs.boxUpdateCheckerJob.cronTime.zone // hack
+            start: true
         });
     } else {
         if (gJobs.dynamicDns) gJobs.dynamicDns.stop();

src/custom.js

@@ -1,66 +0,0 @@
-'use strict';
-
-let debug = require('debug')('box:custom'),
-    lodash = require('lodash'),
-    paths = require('./paths.js'),
-    safe = require('safetydance'),
-    yaml = require('js-yaml');
-
-exports = module.exports = {
-    uiSpec: uiSpec,
-    spec: spec
-};
-
-const DEFAULT_SPEC = {
-    appstore: {
-        blacklist: [],
-        whitelist: null // null imples, not set. this is an object and not an array
-    },
-    backups: {
-        configurable: true
-    },
-    domains: {
-        dynamicDns: true,
-        changeDashboardDomain: true
-    },
-    subscription: {
-        configurable: true
-    },
-    support: {
-        email: 'support@cloudron.io',
-        remoteSupport: true,
-        ticketFormBody:
-            'Use this form to open support tickets. You can also write directly to [support@cloudron.io](mailto:support@cloudron.io).\n\n'
-            + '* [Knowledge Base & App Docs](https://cloudron.io/documentation/apps/?support_view)\n'
-            + '* [Custom App Packaging & API](https://cloudron.io/developer/packaging/?support_view)\n'
-            + '* [Forum](https://forum.cloudron.io/)\n\n',
-        submitTickets: true
-    },
-    alerts: {
-        email: '',
-        notifyCloudronAdmins: true
-    },
-    footer: {
-        body: '&copy; 2019 [Cloudron](https://cloudron.io) [Forum <i class="fa fa-comments"></i>](https://forum.cloudron.io)'
-    }
-};
-
-const gSpec = (function () {
-    try {
-        if (!safe.fs.existsSync(paths.CUSTOM_FILE)) return DEFAULT_SPEC;
-        const c = yaml.safeLoad(safe.fs.readFileSync(paths.CUSTOM_FILE, 'utf8'));
-        return lodash.merge({}, DEFAULT_SPEC, c);
-    } catch (e) {
-        debug(`Error loading features file from ${paths.CUSTOM_FILE} : ${e.message}`);
-        return DEFAULT_SPEC;
-    }
-})();
-
-// flags sent to the UI. this is separate because we have values that are secret to the backend
-function uiSpec() {
-    return gSpec;
-}
-
-function spec() {
-    return gSpec;
-}

src/database.js

@@ -104,10 +104,7 @@ function clear(callback) {
         gDatabase.hostname, gDatabase.username, gDatabase.password, gDatabase.name,
         gDatabase.hostname, gDatabase.username, gDatabase.password, gDatabase.name);
 
-    async.series([
-        child_process.exec.bind(null, cmd),
-        require('./clients.js').addDefaultClients.bind(null, 'https://admin-localhost')
-    ], callback);
+    child_process.exec(cmd, callback);
 }
 
 function beginTransaction(callback) {
@@ -204,7 +201,11 @@ function exportToFile(file, callback) {
     assert.strictEqual(typeof file, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    var cmd = `/usr/bin/mysqldump -h "${gDatabase.hostname}" -u root -p${gDatabase.password} --single-transaction --routines --triggers ${gDatabase.name} > "${file}"`;
+    // latest mysqldump enables column stats by default which is not present in MySQL 5.7 server
+    // this option must not be set in production cloudrons which still use the old mysqldump
+    const disableColStats = (constants.TEST && process.env.DESKTOP_SESSION !== 'ubuntu') ? '--column-statistics=0' : '';
+
+    var cmd = `/usr/bin/mysqldump -h "${gDatabase.hostname}" -u root -p${gDatabase.password} ${disableColStats} --single-transaction --routines --triggers ${gDatabase.name} > "${file}"`;
 
     child_process.exec(cmd, callback);
 }

src/dns/caas.js

@@ -12,6 +12,7 @@ exports = module.exports = {
 
 var assert = require('assert'),
     BoxError = require('../boxerror.js'),
+    constants = require('../constants.js'),
     debug = require('debug')('box:dns/caas'),
     domains = require('../domains.js'),
     settings = require('../settings.js'),
@@ -31,7 +32,7 @@ function getFqdn(location, domain) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = domains.SECRET_PLACEHOLDER;
+    domainObject.config.token = constants.SECRET_PLACEHOLDER;
 
     // do not return the 'key'. in caas, this is private
     delete domainObject.fallbackCertificate.key;
@@ -40,7 +41,7 @@ function removePrivateFields(domainObject) {
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === domains.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
 }
 
 function upsert(domainObject, location, type, values, callback) {

src/dns/cloudflare.js

@@ -13,6 +13,7 @@ exports = module.exports = {
 var assert = require('assert'),
     async = require('async'),
     BoxError = require('../boxerror.js'),
+    constants = require('../constants.js'),
     debug = require('debug')('box:dns/cloudflare'),
     dns = require('../native-dns.js'),
     domains = require('../domains.js'),
@@ -25,12 +26,12 @@ var assert = require('assert'),
 var CLOUDFLARE_ENDPOINT = 'https://api.cloudflare.com/client/v4';
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = domains.SECRET_PLACEHOLDER;
+    domainObject.config.token = constants.SECRET_PLACEHOLDER;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === domains.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
 }
 
 function translateRequestError(result, callback) {
@@ -39,24 +40,43 @@ function translateRequestError(result, callback) {
 
     if (result.statusCode === 404) return callback(new BoxError(BoxError.NOT_FOUND, util.format('%s %j', result.statusCode, 'API does not exist')));
     if (result.statusCode === 422) return callback(new BoxError(BoxError.BAD_FIELD, result.body.message));
-    if ((result.statusCode === 400 || result.statusCode === 401 || result.statusCode === 403) && result.body.errors.length > 0) {
-        let error = result.body.errors[0];
-        let message = `message: ${error.message} statusCode: ${result.statusCode} code:${error.code}`;
+    if (result.statusCode === 400 || result.statusCode === 401 || result.statusCode === 403) {
+        let message = 'Unknown error';
+        if (typeof result.body.error === 'string') {
+            message = `message: ${result.body.error} statusCode: ${result.statusCode}`;
+        } else if (Array.isArray(result.body.errors) && result.body.errors.length > 0) {
+            let error = result.body.errors[0];
+            message = `message: ${error.message} statusCode: ${result.statusCode} code:${error.code}`;
+        }
         return callback(new BoxError(BoxError.ACCESS_DENIED, message));
     }
 
     callback(new BoxError(BoxError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
 }
 
+function createRequest(method, url, dnsConfig) {
+    assert.strictEqual(typeof method, 'string');
+    assert.strictEqual(typeof url, 'string');
+    assert.strictEqual(typeof dnsConfig, 'object');
+
+    let request = superagent(method, url)
+        .timeout(30 * 1000);
+
+    if (dnsConfig.tokenType === 'GlobalApiKey') {
+        request.set('X-Auth-Key', dnsConfig.token).set('X-Auth-Email', dnsConfig.email);
+    } else {
+        request.set('Authorization', 'Bearer ' + dnsConfig.token);
+    }
+
+    return request;
+}
+
 function getZoneByName(dnsConfig, zoneName, callback) {
     assert.strictEqual(typeof dnsConfig, 'object');
     assert.strictEqual(typeof zoneName, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    superagent.get(CLOUDFLARE_ENDPOINT + '/zones?name=' + zoneName + '&status=active')
-        .set('X-Auth-Key', dnsConfig.token)
-        .set('X-Auth-Email', dnsConfig.email)
-        .timeout(30 * 1000)
+    createRequest('GET', CLOUDFLARE_ENDPOINT + '/zones?name=' + zoneName + '&status=active', dnsConfig)
         .end(function (error, result) {
             if (error && !error.response) return callback(error);
             if (result.statusCode !== 200 || result.body.success !== true) return translateRequestError(result, callback);
@@ -74,11 +94,8 @@ function getDnsRecords(dnsConfig, zoneId, fqdn, type, callback) {
     assert.strictEqual(typeof type, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    superagent.get(CLOUDFLARE_ENDPOINT + '/zones/' + zoneId + '/dns_records')
-        .set('X-Auth-Key',dnsConfig.token)
-        .set('X-Auth-Email',dnsConfig.email)
+    createRequest('GET', CLOUDFLARE_ENDPOINT + '/zones/' + zoneId + '/dns_records', dnsConfig)
         .query({ type: type, name: fqdn })
-        .timeout(30 * 1000)
         .end(function (error, result) {
             if (error && !error.response) return callback(error);
             if (result.statusCode !== 200 || result.body.success !== true) return translateRequestError(result, callback);
@@ -132,11 +149,8 @@ function upsert(domainObject, location, type, values, callback) {
                 if (i >= dnsRecords.length) { // create a new record
                     debug(`upsert: Adding new record fqdn: ${fqdn}, zoneName: ${zoneName} proxied: false`);
 
-                    superagent.post(CLOUDFLARE_ENDPOINT + '/zones/' + zoneId + '/dns_records')
-                        .set('X-Auth-Key', dnsConfig.token)
-                        .set('X-Auth-Email', dnsConfig.email)
+                    createRequest('POST', CLOUDFLARE_ENDPOINT + '/zones/' + zoneId + '/dns_records', dnsConfig)
                         .send(data)
-                        .timeout(30 * 1000)
                         .end(function (error, result) {
                             if (error && !error.response) return iteratorCallback(error);
                             if (result.statusCode !== 200 || result.body.success !== true) return translateRequestError(result, iteratorCallback);
@@ -148,11 +162,8 @@ function upsert(domainObject, location, type, values, callback) {
 
                     debug(`upsert: Updating existing record fqdn: ${fqdn}, zoneName: ${zoneName} proxied: ${data.proxied}`);
 
-                    superagent.put(CLOUDFLARE_ENDPOINT + '/zones/' + zoneId + '/dns_records/' + dnsRecords[i].id)
-                        .set('X-Auth-Key', dnsConfig.token)
-                        .set('X-Auth-Email', dnsConfig.email)
+                    createRequest('PUT', CLOUDFLARE_ENDPOINT + '/zones/' + zoneId + '/dns_records/' + dnsRecords[i].id, dnsConfig)
                         .send(data)
-                        .timeout(30 * 1000)
                         .end(function (error, result) {
                             ++i; // increment, as we have consumed the record
 
@@ -217,10 +228,7 @@ function del(domainObject, location, type, values, callback) {
             if (tmp.length === 0) return callback(null);
 
             async.eachSeries(tmp, function (record, callback) {
-                superagent.del(CLOUDFLARE_ENDPOINT + '/zones/'+ zoneId + '/dns_records/' + record.id)
-                    .set('X-Auth-Key', dnsConfig.token)
-                    .set('X-Auth-Email', dnsConfig.email)
-                    .timeout(30 * 1000)
+                createRequest('DELETE', CLOUDFLARE_ENDPOINT + '/zones/'+ zoneId + '/dns_records/' + record.id, dnsConfig)
                     .end(function (error, result) {
                         if (error && !error.response) return callback(error);
                         if (result.statusCode !== 200 || result.body.success !== true) return translateRequestError(result, callback);
@@ -277,14 +285,20 @@ function verifyDnsConfig(domainObject, callback) {
     const dnsConfig = domainObject.config,
         zoneName = domainObject.zoneName;
 
+    // token can be api token or global api key
     if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new BoxError(BoxError.BAD_FIELD, 'token must be a non-empty string', { field: 'token' }));
-    if (!dnsConfig.email || typeof dnsConfig.email !== 'string') return callback(new BoxError(BoxError.BAD_FIELD, 'email must be a non-empty string', { field: 'email' }));
+    if (dnsConfig.tokenType !== 'GlobalApiKey' && dnsConfig.tokenType !== 'ApiToken')  return callback(new BoxError(BoxError.BAD_FIELD, 'tokenType is required', { field: 'tokenType' }));
+
+    if (dnsConfig.tokenType === 'GlobalApiKey') {
+        if (typeof dnsConfig.email !== 'string') return callback(new BoxError(BoxError.BAD_FIELD, 'email must be a non-empty string', { field: 'email' }));
+    }
 
     const ip = '127.0.0.1';
 
     var credentials = {
         token: dnsConfig.token,
-        email: dnsConfig.email
+        tokenType: dnsConfig.tokenType,
+        email: dnsConfig.email || null
     };
 
     if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here

src/dns/digitalocean.js

@@ -13,6 +13,7 @@ exports = module.exports = {
 var assert = require('assert'),
     async = require('async'),
     BoxError = require('../boxerror.js'),
+    constants = require('../constants.js'),
     debug = require('debug')('box:dns/digitalocean'),
     dns = require('../native-dns.js'),
     domains = require('../domains.js'),
@@ -28,12 +29,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = domains.SECRET_PLACEHOLDER;
+    domainObject.config.token = constants.SECRET_PLACEHOLDER;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === domains.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
 }
 
 function getInternal(dnsConfig, zoneName, name, type, callback) {

src/dns/gandi.js

@@ -12,6 +12,7 @@ exports = module.exports = {
 
 var assert = require('assert'),
     BoxError = require('../boxerror.js'),
+    constants = require('../constants.js'),
     debug = require('debug')('box:dns/gandi'),
     dns = require('../native-dns.js'),
     domains = require('../domains.js'),
@@ -26,12 +27,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = domains.SECRET_PLACEHOLDER;
+    domainObject.config.token = constants.SECRET_PLACEHOLDER;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === domains.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
 }
 
 function upsert(domainObject, location, type, values, callback) {

src/dns/gcdns.js

@@ -12,6 +12,7 @@ exports = module.exports = {
 
 var assert = require('assert'),
     BoxError = require('../boxerror.js'),
+    constants = require('../constants.js'),
     debug = require('debug')('box:dns/gcdns'),
     dns = require('../native-dns.js'),
     domains = require('../domains.js'),
@@ -21,12 +22,12 @@ var assert = require('assert'),
     _ = require('underscore');
 
 function removePrivateFields(domainObject) {
-    domainObject.config.credentials.private_key = domains.SECRET_PLACEHOLDER;
+    domainObject.config.credentials.private_key = constants.SECRET_PLACEHOLDER;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.credentials.private_key === domains.SECRET_PLACEHOLDER && currentConfig.credentials) newConfig.credentials.private_key = currentConfig.credentials.private_key;
+    if (newConfig.credentials.private_key === constants.SECRET_PLACEHOLDER && currentConfig.credentials) newConfig.credentials.private_key = currentConfig.credentials.private_key;
 }
 
 function getDnsCredentials(dnsConfig) {

src/dns/godaddy.js

@@ -12,6 +12,7 @@ exports = module.exports = {
 
 var assert = require('assert'),
     BoxError = require('../boxerror.js'),
+    constants = require('../constants.js'),
     debug = require('debug')('box:dns/godaddy'),
     dns = require('../native-dns.js'),
     domains = require('../domains.js'),
@@ -32,12 +33,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.apiSecret = domains.SECRET_PLACEHOLDER;
+    domainObject.config.apiSecret = constants.SECRET_PLACEHOLDER;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.apiSecret === domains.SECRET_PLACEHOLDER) newConfig.apiSecret = currentConfig.apiSecret;
+    if (newConfig.apiSecret === constants.SECRET_PLACEHOLDER) newConfig.apiSecret = currentConfig.apiSecret;
 }
 
 function upsert(domainObject, location, type, values, callback) {

src/dns/interface.js

@@ -21,13 +21,13 @@ var assert = require('assert'),
     util = require('util');
 
 function removePrivateFields(domainObject) {
-    // in-place removal of tokens and api keys with domains.SECRET_PLACEHOLDER
+    // in-place removal of tokens and api keys with constants.SECRET_PLACEHOLDER
     return domainObject;
 }
 
 // eslint-disable-next-line no-unused-vars
 function injectPrivateFields(newConfig, currentConfig) {
-    // in-place injection of tokens and api keys which came in with domains.SECRET_PLACEHOLDER
+    // in-place injection of tokens and api keys which came in with constants.SECRET_PLACEHOLDER
 }
 
 function upsert(domainObject, location, type, values, callback) {

src/dns/linode.js

@@ -0,0 +1,310 @@
+'use strict';
+
+exports = module.exports = {
+    removePrivateFields: removePrivateFields,
+    injectPrivateFields: injectPrivateFields,
+    upsert: upsert,
+    get: get,
+    del: del,
+    wait: wait,
+    verifyDnsConfig: verifyDnsConfig
+};
+
+let async = require('async'),
+    assert = require('assert'),
+    constants = require('../constants.js'),
+    BoxError = require('../boxerror.js'),
+    debug = require('debug')('box:dns/linode'),
+    dns = require('../native-dns.js'),
+    domains = require('../domains.js'),
+    superagent = require('superagent'),
+    util = require('util'),
+    waitForDns = require('./waitfordns.js');
+
+const LINODE_ENDPOINT = 'https://api.linode.com/v4';
+
+function formatError(response) {
+    return util.format('Linode DNS error [%s] %j', response.statusCode, response.body);
+}
+
+function removePrivateFields(domainObject) {
+    domainObject.config.token = constants.SECRET_PLACEHOLDER;
+    return domainObject;
+}
+
+function injectPrivateFields(newConfig, currentConfig) {
+    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+}
+
+function getZoneId(dnsConfig, zoneName, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    // returns 100 at a time
+    superagent.get(`${LINODE_ENDPOINT}/domains`)
+        .set('Authorization', 'Bearer ' + dnsConfig.token)
+        .timeout(30 * 1000)
+        .retry(5)
+        .end(function (error, result) {
+            if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error.message));
+            if (result.statusCode === 403 || result.statusCode === 401) return callback(new BoxError(BoxError.ACCESS_DENIED, formatError(result)));
+            if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, formatError(result)));
+
+            if (!Array.isArray(result.body.data)) return callback(new BoxError(BoxError.EXTERNAL_ERROR, 'Invalid response'));
+
+            const zone = result.body.data.find(d => d.domain === zoneName);
+
+            if (!zone || !zone.id) return callback(new BoxError(BoxError.NOT_FOUND, 'Zone not found'));
+
+            debug(`getZoneId: zone id of ${zoneName} is ${zone.id}`);
+
+            callback(null, zone.id);
+        });
+}
+
+function getZoneRecords(dnsConfig, zoneName, name, type, callback) {
+    assert.strictEqual(typeof dnsConfig, 'object');
+    assert.strictEqual(typeof zoneName, 'string');
+    assert.strictEqual(typeof name, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug(`getInternal: getting dns records of ${zoneName} with ${name} and type ${type}`);
+
+    getZoneId(dnsConfig, zoneName, function (error, zoneId) {
+        if (error) return callback(error);
+
+        let page = 0, more = false;
+        let records = [];
+
+        async.doWhilst(function (iteratorDone) {
+            const url = `${LINODE_ENDPOINT}/domains/${zoneId}/records?page=${++page}`;
+
+            superagent.get(url)
+                .set('Authorization', 'Bearer ' + dnsConfig.token)
+                .timeout(30 * 1000)
+                .retry(5)
+                .end(function (error, result) {
+                    if (error && !error.response) return iteratorDone(new BoxError(BoxError.NETWORK_ERROR, error.message));
+                    if (result.statusCode === 404) return iteratorDone(new BoxError(BoxError.NOT_FOUND, formatError(result)));
+                    if (result.statusCode === 403 || result.statusCode === 401) return iteratorDone(new BoxError(BoxError.ACCESS_DENIED, formatError(result)));
+                    if (result.statusCode !== 200) return iteratorDone(new BoxError(BoxError.EXTERNAL_ERROR, formatError(result)));
+
+                    records = records.concat(result.body.data.filter(function (record) {
+                        return (record.type === type && record.name === name);
+                    }));
+
+                    more = result.body.page !== result.body.pages;
+
+                    iteratorDone();
+                });
+        }, function () { return more; }, function (error) {
+            debug('getZoneRecords:', error, JSON.stringify(records));
+
+            if (error) return callback(error);
+
+            callback(null, { zoneId, records });
+        });
+    });
+}
+
+function get(domainObject, location, type, callback) {
+    assert.strictEqual(typeof domainObject, 'object');
+    assert.strictEqual(typeof location, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    const dnsConfig = domainObject.config,
+        zoneName = domainObject.zoneName,
+        name = domains.getName(domainObject, location, type) || '';
+
+    getZoneRecords(dnsConfig, zoneName, name, type, function (error, { records }) {
+        if (error) return callback(error);
+
+        var tmp = records.map(function (record) { return record.target; });
+
+        debug('get: %j', tmp);
+
+        return callback(null, tmp);
+    });
+}
+
+function upsert(domainObject, location, type, values, callback) {
+    assert.strictEqual(typeof domainObject, 'object');
+    assert.strictEqual(typeof location, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    const dnsConfig = domainObject.config,
+        zoneName = domainObject.zoneName,
+        name = domains.getName(domainObject, location, type) || '';
+
+    debug('upsert: %s for zone %s of type %s with values %j', name, zoneName, type, values);
+
+    getZoneRecords(dnsConfig, zoneName, name, type, function (error, { zoneId, records }) {
+        if (error) return callback(error);
+
+        let i = 0, recordIds = []; // used to track available records to update instead of create
+
+        async.eachSeries(values, function (value, iteratorCallback) {
+            let data = {
+                type: type,
+                ttl_sec: 300 // lowest
+            };
+
+            if (type === 'MX') {
+                data.priority = parseInt(value.split(' ')[0], 10);
+                data.target = value.split(' ')[1];
+            } else if (type === 'TXT') {
+                data.target = value.replace(/^"(.*)"$/, '$1'); // strip any double quotes
+            } else {
+                data.target = value;
+            }
+
+            if (i >= records.length) {
+                data.name = name; // only set for new records
+
+                superagent.post(`${LINODE_ENDPOINT}/domains/${zoneId}/records`)
+                    .set('Authorization', 'Bearer ' + dnsConfig.token)
+                    .send(data)
+                    .timeout(30 * 1000)
+                    .retry(5)
+                    .end(function (error, result) {
+                        if (error && !error.response) return iteratorCallback(new BoxError(BoxError.NETWORK_ERROR, error.message));
+                        if (result.statusCode === 400) return iteratorCallback(new BoxError(BoxError.BAD_FIELD, formatError(result)));
+                        if (result.statusCode === 403 || result.statusCode === 401) return iteratorCallback(new BoxError(BoxError.ACCESS_DENIED, formatError(result)));
+                        if (result.statusCode !== 200) return iteratorCallback(new BoxError(BoxError.EXTERNAL_ERROR, formatError(result)));
+
+                        recordIds.push(result.body.id);
+
+                        return iteratorCallback(null);
+                    });
+            } else {
+                superagent.put(`${LINODE_ENDPOINT}/domains/${zoneId}/records/${records[i].id}`)
+                    .set('Authorization', 'Bearer ' + dnsConfig.token)
+                    .send(data)
+                    .timeout(30 * 1000)
+                    .retry(5)
+                    .end(function (error, result) {
+                        // increment, as we have consumed the record
+                        ++i;
+
+                        if (error && !error.response) return iteratorCallback(new BoxError(BoxError.NETWORK_ERROR, error.message));
+                        if (result.statusCode === 400) return iteratorCallback(new BoxError(BoxError.BAD_FIELD, formatError(result)));
+                        if (result.statusCode === 403 || result.statusCode === 401) return iteratorCallback(new BoxError(BoxError.ACCESS_DENIED, formatError(result)));
+                        if (result.statusCode !== 200) return iteratorCallback(new BoxError(BoxError.EXTERNAL_ERROR, formatError(result)));
+
+                        recordIds.push(result.body.id);
+
+                        return iteratorCallback(null);
+                    });
+            }
+        }, function (error) {
+            if (error) return callback(error);
+
+            debug('upsert: completed with recordIds:%j', recordIds);
+
+            callback();
+        });
+    });
+}
+
+function del(domainObject, location, type, values, callback) {
+    assert.strictEqual(typeof domainObject, 'object');
+    assert.strictEqual(typeof location, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert(util.isArray(values));
+    assert.strictEqual(typeof callback, 'function');
+
+    const dnsConfig = domainObject.config,
+        zoneName = domainObject.zoneName,
+        name = domains.getName(domainObject, location, type) || '';
+
+    getZoneRecords(dnsConfig, zoneName, name, type, function (error, { zoneId, records }) {
+        if (error) return callback(error);
+
+        if (records.length === 0) return callback(null);
+
+        var tmp = records.filter(function (record) { return values.some(function (value) { return value === record.target; }); });
+
+        debug('del: %j', tmp);
+
+        if (tmp.length === 0) return callback(null);
+
+        // FIXME we only handle the first one currently
+
+        superagent.del(`${LINODE_ENDPOINT}/domains/${zoneId}/records/${tmp[0].id}`)
+            .set('Authorization', 'Bearer ' + dnsConfig.token)
+            .timeout(30 * 1000)
+            .retry(5)
+            .end(function (error, result) {
+                if (error && !error.response) return callback(new BoxError(BoxError.NETWORK_ERROR, error.message));
+                if (result.statusCode === 404) return callback(null);
+                if (result.statusCode === 403 || result.statusCode === 401) return callback(new BoxError(BoxError.ACCESS_DENIED, formatError(result)));
+                if (result.statusCode !== 200) return callback(new BoxError(BoxError.EXTERNAL_ERROR, formatError(result)));
+
+                debug('del: done');
+
+                return callback(null);
+            });
+    });
+}
+
+function wait(domainObject, location, type, value, options, callback) {
+    assert.strictEqual(typeof domainObject, 'object');
+    assert.strictEqual(typeof location, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof value, 'string');
+    assert(options && typeof options === 'object'); // { interval: 5000, times: 50000 }
+    assert.strictEqual(typeof callback, 'function');
+
+    const fqdn = domains.fqdn(location, domainObject);
+
+    waitForDns(fqdn, domainObject.zoneName, type, value, options, callback);
+}
+
+function verifyDnsConfig(domainObject, callback) {
+    assert.strictEqual(typeof domainObject, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    const dnsConfig = domainObject.config,
+        zoneName = domainObject.zoneName;
+
+    if (!dnsConfig.token || typeof dnsConfig.token !== 'string') return callback(new BoxError(BoxError.BAD_FIELD, 'token must be a non-empty string', { field: 'token' }));
+
+    const ip = '127.0.0.1';
+
+    var credentials = {
+        token: dnsConfig.token
+    };
+
+    if (process.env.BOX_ENV === 'test') return callback(null, credentials); // this shouldn't be here
+
+    dns.resolve(zoneName, 'NS', { timeout: 5000 }, function (error, nameservers) {
+        if (error && error.code === 'ENOTFOUND') return callback(new BoxError(BoxError.BAD_FIELD, 'Unable to resolve nameservers for this domain', { field: 'nameservers' }));
+        if (error || !nameservers) return callback(new BoxError(BoxError.BAD_FIELD, error ? error.message : 'Unable to get nameservers', { field: 'nameservers' }));
+
+        if (nameservers.map(function (n) { return n.toLowerCase(); }).indexOf('ns1.linode.com') === -1) {
+            debug('verifyDnsConfig: %j does not contains DO NS', nameservers);
+            return callback(new BoxError(BoxError.BAD_FIELD, 'Domain nameservers are not set to Linode', { field: 'nameservers' }));
+        }
+
+        const location = 'cloudrontestdns';
+
+        upsert(domainObject, location, 'A', [ ip ], function (error) {
+            if (error) return callback(error);
+
+            debug('verifyDnsConfig: Test A record added');
+
+            del(domainObject, location, 'A', [ ip ], function (error) {
+                if (error) return callback(error);
+
+                debug('verifyDnsConfig: Test A record removed again');
+
+                callback(null, credentials);
+            });
+        });
+    });
+}

src/dns/namecheap.js

@@ -12,6 +12,7 @@ exports = module.exports = {
 
 var assert = require('assert'),
     BoxError = require('../boxerror.js'),
+    constants = require('../constants.js'),
     debug = require('debug')('box:dns/namecheap'),
     dns = require('../native-dns.js'),
     domains = require('../domains.js'),
@@ -25,12 +26,12 @@ var assert = require('assert'),
 const ENDPOINT = 'https://api.namecheap.com/xml.response';
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = domains.SECRET_PLACEHOLDER;
+    domainObject.config.token = constants.SECRET_PLACEHOLDER;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === domains.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
 }
 
 function getQuery(dnsConfig, callback) {

src/dns/namecom.js

@@ -12,6 +12,7 @@ exports = module.exports = {
 
 var assert = require('assert'),
     BoxError = require('../boxerror.js'),
+    constants = require('../constants.js'),
     debug = require('debug')('box:dns/namecom'),
     dns = require('../native-dns.js'),
     domains = require('../domains.js'),
@@ -27,12 +28,12 @@ function formatError(response) {
 }
 
 function removePrivateFields(domainObject) {
-    domainObject.config.token = domains.SECRET_PLACEHOLDER;
+    domainObject.config.token = constants.SECRET_PLACEHOLDER;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.token === domains.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
+    if (newConfig.token === constants.SECRET_PLACEHOLDER) newConfig.token = currentConfig.token;
 }
 
 function addRecord(dnsConfig, zoneName, name, type, values, callback) {
@@ -54,6 +55,10 @@ function addRecord(dnsConfig, zoneName, name, type, values, callback) {
     if (type === 'MX') {
         data.priority = parseInt(values[0].split(' ')[0], 10);
         data.answer = values[0].split(' ')[1];
+    } else if (type === 'TXT') {
+        // we have to strip the quoting for some odd reason for name.com! If you change that also change updateRecord
+        let tmp = values[0];
+        data.answer = tmp.indexOf('"') === 0 && tmp.lastIndexOf('"') === tmp.length-1 ? tmp.slice(1, tmp.length-1) : tmp;
     } else {
         data.answer = values[0];
     }
@@ -91,6 +96,10 @@ function updateRecord(dnsConfig, zoneName, recordId, name, type, values, callbac
     if (type === 'MX') {
         data.priority = parseInt(values[0].split(' ')[0], 10);
         data.answer = values[0].split(' ')[1];
+    } else if (type === 'TXT') {
+        // we have to strip the quoting for some odd reason for name.com! If you change that also change addRecord
+        let tmp = values[0];
+        data.answer = tmp.indexOf('"') === 0 && tmp.lastIndexOf('"') === tmp.length-1 ? tmp.slice(1, tmp.length-1) : tmp;
     } else {
         data.answer = values[0];
     }

src/dns/route53.js

@@ -13,6 +13,7 @@ exports = module.exports = {
 var assert = require('assert'),
     AWS = require('aws-sdk'),
     BoxError = require('../boxerror.js'),
+    constants = require('../constants.js'),
     debug = require('debug')('box:dns/route53'),
     dns = require('../native-dns.js'),
     domains = require('../domains.js'),
@@ -21,12 +22,12 @@ var assert = require('assert'),
     _ = require('underscore');
 
 function removePrivateFields(domainObject) {
-    domainObject.config.secretAccessKey = domains.SECRET_PLACEHOLDER;
+    domainObject.config.secretAccessKey = constants.SECRET_PLACEHOLDER;
     return domainObject;
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.secretAccessKey === domains.SECRET_PLACEHOLDER) newConfig.secretAccessKey = currentConfig.secretAccessKey;
+    if (newConfig.secretAccessKey === constants.SECRET_PLACEHOLDER) newConfig.secretAccessKey = currentConfig.secretAccessKey;
 }
 
 function getDnsCredentials(dnsConfig) {

src/docker.js

@@ -6,14 +6,13 @@ exports = module.exports = {
     injectPrivateFields: injectPrivateFields,
     removePrivateFields: removePrivateFields,
 
-    SECRET_PLACEHOLDER: String.fromCharCode(0x25CF).repeat(8),
-
     ping: ping,
 
     info: info,
     downloadImage: downloadImage,
     createContainer: createContainer,
     startContainer: startContainer,
+    restartContainer: restartContainer,
     stopContainer: stopContainer,
     stopContainerByName: stopContainer,
     stopContainers: stopContainers,
@@ -72,13 +71,13 @@ function testRegistryConfig(auth, callback) {
 }
 
 function injectPrivateFields(newConfig, currentConfig) {
-    if (newConfig.password === exports.SECRET_PLACEHOLDER) newConfig.password = currentConfig.password;
+    if (newConfig.password === constants.SECRET_PLACEHOLDER) newConfig.password = currentConfig.password;
 }
 
 function removePrivateFields(registryConfig) {
     assert.strictEqual(typeof registryConfig, 'object');
 
-    if (registryConfig.password) registryConfig.password = exports.SECRET_PLACEHOLDER;
+    if (registryConfig.password) registryConfig.password = constants.SECRET_PLACEHOLDER;
 
     return registryConfig;
 }
@@ -107,9 +106,10 @@ function ping(callback) {
 
     connection.ping(function (error, result) {
         if (error) return callback(new BoxError(BoxError.DOCKER_ERROR, error));
-        if (result !== 'OK') return callback(new BoxError(BoxError.DOCKER_ERROR, 'Unable to ping the docker daemon'));
+        if (Buffer.isBuffer(result) && result.toString('utf8') === 'OK') return callback(null); // sometimes it returns buffer
+        if (result === 'OK') return callback(null);
 
-        callback(null);
+        callback(new BoxError(BoxError.DOCKER_ERROR, 'Unable to ping the docker daemon'));
     });
 }
 
@@ -141,7 +141,8 @@ function pullImage(manifest, callback) {
         debug(`pullImage: will pull ${manifest.dockerImage}. auth: ${authConfig ? 'yes' : 'no'}`);
 
         gConnection.pull(manifest.dockerImage, { authconfig: authConfig }, function (error, stream) {
-            if (error) return callback(new BoxError(BoxError.DOCKER_ERROR, 'Unable to pull image. Please check the network or if the image needs authentication. statusCode: ' + error.statusCode));
+            if (error && error.statusCode === 404) return callback(new BoxError(BoxError.NOT_FOUND, `Unable to pull image ${manifest.dockerImage}. message: ${error.message} statusCode: ${error.statusCode}`));
+            if (error) return callback(new BoxError(BoxError.DOCKER_ERROR, `Unable to pull image ${manifest.dockerImage}. Please check the network or if the image needs authentication. statusCode: ${error.statusCode}`));
 
             // https://github.com/dotcloud/docker/issues/1074 says each status message
             // is emitted as a chunk
@@ -178,17 +179,26 @@ function downloadImage(manifest, callback) {
 
     var attempt = 1;
 
-    async.retry({ times: 10, interval: 15000 }, function (retryCallback) {
+    async.retry({ times: 10, interval: 5000, errorFilter: e => e.reason !== BoxError.NOT_FOUND }, function (retryCallback) {
         debug('Downloading image %s. attempt: %s', manifest.dockerImage, attempt++);
 
-        pullImage(manifest, function (error) {
-            if (error) console.error(error);
-
-            retryCallback(error);
-        });
+        pullImage(manifest, retryCallback);
     }, callback);
 }
 
+function getBindsSync(app) {
+    assert.strictEqual(typeof app, 'object');
+
+    let binds = [];
+
+    for (let name of Object.keys(app.binds)) {
+        const bind = app.binds[name];
+        binds.push(`${bind.hostPath}:/media/${name}:${bind.readOnly ? 'ro' : 'rw'}`);
+    }
+
+    return binds;
+}
+
 function createSubcontainer(app, name, cmd, options, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof name, 'string');
@@ -278,6 +288,7 @@ function createSubcontainer(app, name, cmd, options, callback) {
             },
             HostConfig: {
                 Mounts: addons.getMountsSync(app, app.manifest.addons),
+                Binds: getBindsSync(app), // ideally, we have to use 'Mounts' but we have to create volumes then
                 LogConfig: {
                     Type: 'syslog',
                     Config: {
@@ -295,12 +306,13 @@ function createSubcontainer(app, name, cmd, options, callback) {
                     'Name': isAppContainer ? 'unless-stopped' : 'no',
                     'MaximumRetryCount': 0
                 },
-                CpuShares: 512, // relative to 1024 for system processes
+                CpuShares: app.cpuShares,
                 VolumesFrom: isAppContainer ? null : [ app.containerId + ':rw' ],
                 NetworkMode: 'cloudron', // user defined bridge network
                 Dns: ['172.18.0.1'], // use internal dns
                 DnsSearch: ['.'], // use internal dns
-                SecurityOpt: [ 'apparmor=docker-cloudron-app' ]
+                SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
+                CapDrop: [ 'NET_RAW' ] // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
             },
             NetworkingConfig: {
                 EndpointsConfig: {
@@ -314,7 +326,7 @@ function createSubcontainer(app, name, cmd, options, callback) {
         var capabilities = manifest.capabilities || [];
         if (capabilities.includes('net_admin')) {
             containerOptions.HostConfig.CapAdd = [
-                'NET_ADMIN'
+                'NET_ADMIN', 'NET_RAW'
             ];
         }
 
@@ -344,7 +356,23 @@ function startContainer(containerId, callback) {
     container.start(function (error) {
         if (error && error.statusCode === 404) return callback(new BoxError(BoxError.NOT_FOUND));
         if (error && error.statusCode === 400) return callback(new BoxError(BoxError.BAD_FIELD, error)); // e.g start.sh is not executable
-        if (error && error.statusCode !== 304) return callback(new BoxError(BoxError.DOCKER_ERROR, error));
+        if (error && error.statusCode !== 304) return callback(new BoxError(BoxError.DOCKER_ERROR, error)); // 304 means already started
+
+        return callback(null);
+    });
+}
+
+function restartContainer(containerId, callback) {
+    assert.strictEqual(typeof containerId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var container = gConnection.getContainer(containerId);
+    debug('Restarting container %s', containerId);
+
+    container.restart(function (error) {
+        if (error && error.statusCode === 404) return callback(new BoxError(BoxError.NOT_FOUND));
+        if (error && error.statusCode === 400) return callback(new BoxError(BoxError.BAD_FIELD, error)); // e.g start.sh is not executable
+        if (error && error.statusCode !== 204) return callback(new BoxError(BoxError.DOCKER_ERROR, error));
 
         return callback(null);
     });
@@ -431,7 +459,7 @@ function stopContainers(appId, callback) {
     assert.strictEqual(typeof appId, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    debug('stopping containers of %s', appId);
+    debug('Stopping containers of %s', appId);
 
     gConnection.listContainers({ all: 1, filters: JSON.stringify({ label: [ 'appId=' + appId ] }) }, function (error, containers) {
         if (error) return callback(new BoxError(BoxError.DOCKER_ERROR, error));
@@ -558,10 +586,10 @@ function memoryUsage(containerId, callback) {
     });
 }
 
-function createVolume(app, name, volumeDataDir, callback) {
-    assert.strictEqual(typeof app, 'object');
+function createVolume(name, volumeDataDir, labels, callback) {
     assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof volumeDataDir, 'string');
+    assert.strictEqual(typeof labels, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     const volumeOptions = {
@@ -572,10 +600,7 @@ function createVolume(app, name, volumeDataDir, callback) {
             device: volumeDataDir,
             o: 'bind'
         },
-        Labels: {
-            'fqdn': app.fqdn,
-            'appId': app.id
-        },
+        Labels: labels
     };
 
     // requires sudo because the path can be outside appsdata
@@ -590,8 +615,7 @@ function createVolume(app, name, volumeDataDir, callback) {
     });
 }
 
-function clearVolume(app, name, options, callback) {
-    assert.strictEqual(typeof app, 'object');
+function clearVolume(name, options, callback) {
     assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof options, 'object');
     assert.strictEqual(typeof callback, 'function');
@@ -611,14 +635,13 @@ function clearVolume(app, name, options, callback) {
 }
 
 // this only removes the volume and not the data
-function removeVolume(app, name, callback) {
-    assert.strictEqual(typeof app, 'object');
+function removeVolume(name, callback) {
     assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof callback, 'function');
 
     let volume = gConnection.getVolume(name);
     volume.remove(function (error) {
-        if (error && error.statusCode !== 404) return callback(new BoxError(BoxError.DOCKER_ERROR, `removeVolume: Error removing volume of ${app.id} ${error.message}`));
+        if (error && error.statusCode !== 404) return callback(new BoxError(BoxError.DOCKER_ERROR, `removeVolume: Error removing volume: ${error.message}`));
 
         callback();
     });

src/dockerproxy.js

@@ -23,11 +23,6 @@ var apps = require('./apps.js'),
 var gHttpServer = null;
 
 function authorizeApp(req, res, next) {
-    // TODO add here some authorization
-    // - block apps not using the docker addon
-    // - block calls regarding platform containers
-    // - only allow managing and inspection of containers belonging to the app
-
     // make the tests pass for now
     if (constants.TEST) {
         req.app = { id: 'testappid' };
@@ -64,6 +59,8 @@ function attachDockerRequest(req, res, next) {
         dockerResponse.pipe(res, { end: true });
     });
 
+    req.dockerRequest.on('error', () => {}); // abort() throws
+
     next();
 }
 
@@ -74,22 +71,21 @@ function containersCreate(req, res, next) {
     safe.set(req.body, 'Labels',  _.extend({ }, safe.query(req.body, 'Labels'), { appId: req.app.id, isCloudronManaged: String(false) }));    // overwrite the app id to track containers of an app
     safe.set(req.body, 'HostConfig.LogConfig', { Type: 'syslog', Config: { 'tag': req.app.id, 'syslog-address': 'udp://127.0.0.1:2514', 'syslog-format': 'rfc5424' }});
 
-    const appDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'data'),
-        dockerDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'docker');
+    const appDataDir = path.join(paths.APPS_DATA_DIR, req.app.id, 'data');
 
-    debug('Original volume binds:', req.body.HostConfig.Binds);
+    debug('Original bind mounts:', req.body.HostConfig.Binds);
 
     let binds = [];
     for (let bind of (req.body.HostConfig.Binds || [])) {
-        if (bind.startsWith(appDataDir)) binds.push(bind); // eclipse will inspect docker to find out the host folders and pass that to child containers
-        else if (bind.startsWith('/app/data')) binds.push(bind.replace(new RegExp('^/app/data'), appDataDir));
-        else binds.push(`${dockerDataDir}/${bind}`);
+        if (!bind.startsWith('/app/data/')) {
+            req.dockerRequest.abort();
+            return next(new HttpError(400, 'Binds must be under /app/data/'));
+        }
+
+        binds.push(bind.replace(new RegExp('^/app/data/'), appDataDir + '/'));
     }
 
-    // cleanup the paths from potential double slashes
-    binds = binds.map(function (bind) { return bind.replace(/\/+/g, '/'); });
-
-    debug('Rewritten volume binds:', binds);
+    debug('Rewritten bind mounts:', binds);
     safe.set(req.body, 'HostConfig.Binds', binds);
 
     let plainBody = JSON.stringify(req.body);
@@ -117,6 +113,9 @@ function start(callback) {
     assert(gHttpServer === null, 'Already started');
 
     let json = middleware.json({ strict: true });
+
+    // we protect container create as the app/admin can otherwise mount random paths (like the ghost file)
+    // protected other paths is done by preventing install/exec access of apps using docker addon
     let router = new express.Router();
     router.post('/:version/containers/create', containersCreate);
 
@@ -137,7 +136,7 @@ function start(callback) {
         .use(middleware.lastMile());
 
     gHttpServer = http.createServer(proxyServer);
-    gHttpServer.listen(constants.DOCKER_PROXY_PORT, '0.0.0.0', callback);
+    gHttpServer.listen(constants.DOCKER_PROXY_PORT, '172.18.0.1', callback);
 
     // Overwrite the default 2min request timeout. This is required for large builds for example
     gHttpServer.setTimeout(60 * 60 * 1000);

src/domaindb.js

@@ -16,7 +16,7 @@ var assert = require('assert'),
     database = require('./database.js'),
     safe = require('safetydance');
 
-var DOMAINS_FIELDS = [ 'domain', 'zoneName', 'provider', 'configJson', 'tlsConfigJson', 'locked' ].join(',');
+var DOMAINS_FIELDS = [ 'domain', 'zoneName', 'provider', 'configJson', 'tlsConfigJson' ].join(',');
 
 function postProcess(data) {
     data.config = safe.JSON.parse(data.configJson);
@@ -24,8 +24,6 @@ function postProcess(data) {
     delete data.configJson;
     delete data.tlsConfigJson;
 
-    data.locked = !!data.locked; // make it bool
-
     return data;
 }
 
@@ -53,16 +51,21 @@ function getAll(callback) {
     });
 }
 
-function add(name, domain, callback) {
+function add(name, data, callback) {
     assert.strictEqual(typeof name, 'string');
-    assert.strictEqual(typeof domain, 'object');
-    assert.strictEqual(typeof domain.zoneName, 'string');
-    assert.strictEqual(typeof domain.provider, 'string');
-    assert.strictEqual(typeof domain.config, 'object');
-    assert.strictEqual(typeof domain.tlsConfig, 'object');
+    assert.strictEqual(typeof data, 'object');
+    assert.strictEqual(typeof data.zoneName, 'string');
+    assert.strictEqual(typeof data.provider, 'string');
+    assert.strictEqual(typeof data.config, 'object');
+    assert.strictEqual(typeof data.tlsConfig, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    database.query('INSERT INTO domains (domain, zoneName, provider, configJson, tlsConfigJson) VALUES (?, ?, ?, ?, ?)', [ name, domain.zoneName, domain.provider, JSON.stringify(domain.config), JSON.stringify(domain.tlsConfig) ], function (error) {
+    let queries = [
+        { query: 'INSERT INTO domains (domain, zoneName, provider, configJson, tlsConfigJson) VALUES (?, ?, ?, ?, ?)', args: [ name, data.zoneName, data.provider, JSON.stringify(data.config), JSON.stringify(data.tlsConfig) ] },
+        { query: 'INSERT INTO mail (domain, dkimSelector) VALUES (?, ?)', args: [ name, data.dkimSelector || 'cloudron' ] },
+    ];
+
+    database.transaction(queries, function (error) {
         if (error && error.code === 'ER_DUP_ENTRY') return callback(new BoxError(BoxError.ALREADY_EXISTS, error));
         if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
 
@@ -102,10 +105,22 @@ function del(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    database.query('DELETE FROM domains WHERE domain=?', [ domain ], function (error, result) {
-        if (error && error.code === 'ER_ROW_IS_REFERENCED_2') return callback(new BoxError(BoxError.CONFLICT));
+    let queries = [
+        { query: 'DELETE FROM mail WHERE domain = ?', args: [ domain ] },
+        { query: 'DELETE FROM domains WHERE domain = ?', args: [ domain ] },
+    ];
+
+    database.transaction(queries, function (error, results) {
+        if (error && error.code === 'ER_ROW_IS_REFERENCED_2') {
+            if (error.message.indexOf('apps_mailDomain_constraint') !== -1) return callback(new BoxError(BoxError.CONFLICT, 'Domain is in use by an app or the mailbox of an app. Check the domains of apps and the Email section of each app.'));
+            if (error.message.indexOf('subdomains') !== -1) return callback(new BoxError(BoxError.CONFLICT, 'Domain is in use by one or more app(s).'));
+            if (error.message.indexOf('mail') !== -1) return callback(new BoxError(BoxError.CONFLICT, 'Domain is in use by one or more mailboxes. Delete them first in the Email view.'));
+
+            return callback(new BoxError(BoxError.CONFLICT, error.message));
+        }
+
         if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.affectedRows === 0) return callback(new BoxError(BoxError.NOT_FOUND, 'Domain not found'));
+        if (results[1].affectedRows !== 1) return callback(new BoxError(BoxError.NOT_FOUND, 'Domain not found'));
 
         callback(null);
     });

src/domains.js

@@ -28,9 +28,7 @@ module.exports = exports = {
 
     checkDnsRecords: checkDnsRecords,
 
-    prepareDashboardDomain: prepareDashboardDomain,
-
-    SECRET_PLACEHOLDER: String.fromCharCode(0x25CF).repeat(8)
+    prepareDashboardDomain: prepareDashboardDomain
 };
 
 var assert = require('assert'),
@@ -40,6 +38,7 @@ var assert = require('assert'),
     debug = require('debug')('box:domains'),
     domaindb = require('./domaindb.js'),
     eventlog = require('./eventlog.js'),
+    mail = require('./mail.js'),
     reverseProxy = require('./reverseproxy.js'),
     safe = require('safetydance'),
     settings = require('./settings.js'),
@@ -48,6 +47,8 @@ var assert = require('assert'),
     util = require('util'),
     _ = require('underscore');
 
+const NOOP_CALLBACK = function (error) { if (error) debug(error); };
+
 // choose which subdomain backend we use for test purpose we use route53
 function api(provider) {
     assert.strictEqual(typeof provider, 'string');
@@ -60,6 +61,7 @@ function api(provider) {
     case 'digitalocean': return require('./dns/digitalocean.js');
     case 'gandi': return require('./dns/gandi.js');
     case 'godaddy': return require('./dns/godaddy.js');
+    case 'linode': return require('./dns/linode.js');
     case 'namecom': return require('./dns/namecom.js');
     case 'namecheap': return require('./dns/namecheap.js');
     case 'noop': return require('./dns/noop.js');
@@ -86,9 +88,9 @@ function verifyDnsConfig(dnsConfig, domain, zoneName, provider, callback) {
 
     const domainObject = { config: dnsConfig, domain: domain, zoneName: zoneName };
     api(provider).verifyDnsConfig(domainObject, function (error, result) {
-        if (error && error.reason === BoxError.ACCESS_DENIED) return callback(new BoxError(BoxError.BAD_FIELD, 'Incorrect configuration. Access denied'));
-        if (error && error.reason === BoxError.NOT_FOUND) return callback(new BoxError(BoxError.BAD_FIELD, 'Zone not found'));
-        if (error && error.reason === BoxError.EXTERNAL_ERROR) return callback(new BoxError(BoxError.BAD_FIELD, 'Configuration error: ' + error.message));
+        if (error && error.reason === BoxError.ACCESS_DENIED) return callback(new BoxError(BoxError.BAD_FIELD, `Access denied: ${error.message}`));
+        if (error && error.reason === BoxError.NOT_FOUND) return callback(new BoxError(BoxError.BAD_FIELD, `Zone not found: ${error.message}`));
+        if (error && error.reason === BoxError.EXTERNAL_ERROR) return callback(new BoxError(BoxError.BAD_FIELD, `Configuration error: ${error.message}`));
         if (error) return callback(error);
 
         result.hyphenatedSubdomains = !!dnsConfig.hyphenatedSubdomains;
@@ -170,7 +172,7 @@ function add(domain, data, auditSource, callback) {
     assert.strictEqual(typeof data.tlsConfig, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    let { zoneName, provider, config, fallbackCertificate, tlsConfig } = data;
+    let { zoneName, provider, config, fallbackCertificate, tlsConfig, dkimSelector } = data;
 
     if (!tld.isValid(domain)) return callback(new BoxError(BoxError.BAD_FIELD, 'Invalid domain', { field: 'domain' }));
     if (domain.endsWith('.')) return callback(new BoxError(BoxError.BAD_FIELD, 'Invalid domain', { field: 'domain' }));
@@ -193,10 +195,12 @@ function add(domain, data, auditSource, callback) {
     let error = validateTlsConfig(tlsConfig, provider);
     if (error) return callback(error);
 
+    if (!dkimSelector) dkimSelector = 'cloudron-' + settings.adminDomain().replace(/\./g, '');
+
     verifyDnsConfig(config, domain, zoneName, provider, function (error, sanitizedConfig) {
         if (error) return callback(error);
 
-        domaindb.add(domain, { zoneName: zoneName, provider: provider, config: sanitizedConfig, tlsConfig: tlsConfig }, function (error) {
+        domaindb.add(domain, { zoneName, provider, config: sanitizedConfig, tlsConfig, dkimSelector }, function (error) {
             if (error) return callback(error);
 
             reverseProxy.setFallbackCertificate(domain, fallbackCertificate, function (error) {
@@ -204,6 +208,8 @@ function add(domain, data, auditSource, callback) {
 
                 eventlog.add(eventlog.ACTION_DOMAIN_ADD, auditSource, { domain, zoneName, provider });
 
+                mail.onDomainAdded(domain, NOOP_CALLBACK);
+
                 callback();
             });
         });
@@ -253,6 +259,8 @@ function update(domain, data, auditSource, callback) {
 
     let { zoneName, provider, config, fallbackCertificate, tlsConfig } = data;
 
+    if (settings.isDemo() && (domain === settings.adminDomain())) return callback(new BoxError(BoxError.CONFLICT, 'Not allowed in demo mode'));
+
     domaindb.get(domain, function (error, domainObject) {
         if (error) return callback(error);
 
@@ -311,6 +319,8 @@ function del(domain, auditSource, callback) {
 
         eventlog.add(eventlog.ACTION_DOMAIN_REMOVE, auditSource, { domain });
 
+        mail.onDomainRemoved(domain, NOOP_CALLBACK);
+
         return callback(null);
     });
 }
@@ -434,19 +444,22 @@ function waitForDnsRecord(location, domain, type, value, options, callback) {
     get(domain, function (error, domainObject) {
         if (error) return callback(error);
 
+        // linode DNS takes ~15mins
+        if (!options.interval) options.interval = domainObject.provider === 'linode' ? 20000 : 5000;
+
         api(domainObject.provider).wait(domainObject, location, type, value, options, callback);
     });
 }
 
 // removes all fields that are strictly private and should never be returned by API calls
 function removePrivateFields(domain) {
-    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'config', 'tlsConfig', 'fallbackCertificate', 'locked');
+    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'config', 'tlsConfig', 'fallbackCertificate');
     return api(result.provider).removePrivateFields(result);
 }
 
 // removes all fields that are not accessible by a normal user
 function removeRestrictedFields(domain) {
-    var result = _.pick(domain, 'domain', 'zoneName', 'provider', 'locked');
+    var result = _.pick(domain, 'domain', 'zoneName', 'provider');
 
     // always ensure config object
     result.config = { hyphenatedSubdomains: !!domain.config.hyphenatedSubdomains };

src/eventlog.js

@@ -7,7 +7,7 @@ exports = module.exports = {
     getByCreationTime: getByCreationTime,
     cleanup: cleanup,
 
-    // keep in sync with webadmin index.js filter and CLI tool
+    // keep in sync with webadmin index.js filter
     ACTION_ACTIVATE: 'cloudron.activate',
     ACTION_APP_CLONE: 'app.clone',
     ACTION_APP_CONFIGURE: 'app.configure',
@@ -21,6 +21,9 @@ exports = module.exports = {
     ACTION_APP_OOM: 'app.oom',
     ACTION_APP_UP: 'app.up',
     ACTION_APP_DOWN: 'app.down',
+    ACTION_APP_START: 'app.start',
+    ACTION_APP_STOP: 'app.stop',
+    ACTION_APP_RESTART: 'app.restart',
 
     ACTION_BACKUP_FINISH: 'backup.finish',
     ACTION_BACKUP_START: 'backup.start',
@@ -40,8 +43,10 @@ exports = module.exports = {
     ACTION_MAIL_DISABLED: 'mail.disabled',
     ACTION_MAIL_MAILBOX_ADD: 'mail.box.add',
     ACTION_MAIL_MAILBOX_REMOVE: 'mail.box.remove',
+    ACTION_MAIL_MAILBOX_UPDATE: 'mail.box.update',
     ACTION_MAIL_LIST_ADD: 'mail.list.add',
     ACTION_MAIL_LIST_REMOVE: 'mail.list.remove',
+    ACTION_MAIL_LIST_UPDATE: 'mail.list.update',
 
     ACTION_PROVISION: 'cloudron.provision',
     ACTION_RESTORE: 'cloudron.restore', // unused
@@ -57,6 +62,9 @@ exports = module.exports = {
 
     ACTION_DYNDNS_UPDATE: 'dyndns.update',
 
+    ACTION_SUPPORT_TICKET: 'support.ticket',
+    ACTION_SUPPORT_SSH: 'support.ssh',
+
     ACTION_PROCESS_CRASH: 'system.crash'
 };
 
@@ -82,11 +90,9 @@ function add(action, source, data, callback) {
     api(uuid.v4(), action, source, data, function (error, id) {
         if (error) return callback(error);
 
-        notifications.onEvent(id, action, source, data, function (error) {
-            if (error) return callback(error);
+        callback(null, { id: id });
 
-            callback(null, { id: id });
-        });
+        notifications.onEvent(id, action, source, data, NOOP_CALLBACK);
     });
 }
 

src/externalldap.js

@@ -301,7 +301,7 @@ function sync(progressCallback, callback) {
                     } else if (result.email !== user.email || result.displayName !== user.displayName) {
                         debug(`[updating user] username=${user.username} email=${user.email} displayName=${user.displayName}`);
 
-                        users.update(result.id, { email: user.email, fallbackEmail: user.email, displayName: user.displayName }, auditSource.EXTERNAL_LDAP_TASK, function (error) {
+                        users.update(result, { email: user.email, fallbackEmail: user.email, displayName: user.displayName }, auditSource.EXTERNAL_LDAP_TASK, function (error) {
                             if (error) debug('Failed to update user', user, error);
 
                             iteratorCallback();

src/infra_version.js

@@ -9,18 +9,19 @@ exports = module.exports = {
     'version': '48.17.0',
 
     'baseImages': [
-        { repo: 'cloudron/base', tag: 'cloudron/base:1.0.0@sha256:147a648a068a2e746644746bbfb42eb7a50d682437cead3c67c933c546357617' }
+        { repo: 'cloudron/base', tag: 'cloudron/base:2.0.0@sha256:f9fea80513aa7c92fe2e7bf3978b54c8ac5222f47a9a32a7f8833edf0eb5a4f4' }
     ],
 
     // a major version bump in the db containers will trigger the restore logic that uses the db dumps
     // docker inspect --format='{{index .RepoDigests 0}}' $IMAGE to get the sha256
     'images': {
-        'mysql': { repo: 'cloudron/mysql', tag: 'cloudron/mysql:2.0.2@sha256:a28320f313785816be60e3f865e09065504170a3d20ed37de675c719b32b01eb' },
-        'postgresql': { repo: 'cloudron/postgresql', tag: 'cloudron/postgresql:2.0.2@sha256:6dcee0731dfb9b013ed94d56205eee219040ee806c7e251db3b3886eaa4947ff' },
-        'mongodb': { repo: 'cloudron/mongodb', tag: 'cloudron/mongodb:2.1.0@sha256:6d1bf221cfe6124957e2c58b57c0a47214353496009296acb16adf56df1da9d5' },
-        'redis': { repo: 'cloudron/redis', tag: 'cloudron/redis:2.1.0@sha256:f2cda21bd15c21bbf44432df412525369ef831a2d53860b5c5b1675e6f384de2' },
-        'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:2.5.0@sha256:086ae1c9433d90a820326aa43914a2afe94ad707074ef2bc05a7ef4798e83655' },
-        'graphite': { repo: 'cloudron/graphite', tag: 'cloudron/graphite:2.2.0@sha256:fc9ca69d16e6ebdbd98ed53143d4a0d2212eef60cb638dc71219234e6f427a2c' },
-        'sftp': { repo: 'cloudron/sftp', tag: 'cloudron/sftp:0.1.0@sha256:e177c5bf5f38c84ce1dea35649c22a1b05f96eec67a54a812c5a35e585670f0f' }
+        'turn': { repo: 'cloudron/turn', tag: 'cloudron/turn:1.1.0@sha256:e1dd22aa6eef5beb7339834b200a8bb787ffc2264ce11139857a054108fefb4f' },
+        'mysql': { repo: 'cloudron/mysql', tag: 'cloudron/mysql:2.3.0@sha256:0cc39004b80eb5ee570b9fd4f38859410a49692e93e0f0d8b104b0b524d7030a' },
+        'postgresql': { repo: 'cloudron/postgresql', tag: 'cloudron/postgresql:2.1.1@sha256:6ea1bcf9b655d628230acda01d46cf21883b112111d89583c94138646895c14c' },
+        'mongodb': { repo: 'cloudron/mongodb', tag: 'cloudron/mongodb:2.2.0@sha256:205486ff0f6bf6854610572df401cf3651bc62baf28fd26e9c5632497f10c2cb' },
+        'redis': { repo: 'cloudron/redis', tag: 'cloudron/redis:2.2.0@sha256:cfdcc1a54cf29818cac99eacedc2ecf04e44995be3d06beea11dcaa09d90ed8d' },
+        'mail': { repo: 'cloudron/mail', tag: 'cloudron/mail:2.9.2@sha256:d71d7fa5be9a578aef5f24aceaa0d6fe59ef1e8d2858263669ddf58703d1a963' },
+        'graphite': { repo: 'cloudron/graphite', tag: 'cloudron/graphite:2.3.0@sha256:b7bc1ca4f4d0603a01369a689129aa273a938ce195fe43d00d42f4f2d5212f50' },
+        'sftp': { repo: 'cloudron/sftp', tag: 'cloudron/sftp:1.1.0@sha256:0c1fe4dd6121900624dcb383251ecb0084c3810e095064933de671409d8d6d7b' }
     }
 };

src/janitor.js

@@ -2,7 +2,6 @@
 
 var assert = require('assert'),
     async = require('async'),
-    authcodedb = require('./authcodedb.js'),
     BoxError = require('./boxerror.js'),
     debug = require('debug')('box:janitor'),
     Docker = require('dockerode'),
@@ -39,26 +38,13 @@ function cleanupExpiredTokens(callback) {
     });
 }
 
-function cleanupExpiredAuthCodes(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    authcodedb.delExpired(function (error, result) {
-        if (error) return callback(error);
-
-        debug('Cleaned up %s expired authcodes.', result);
-
-        callback(null);
-    });
-}
-
 function cleanupTokens(callback) {
     assert(!callback || typeof callback === 'function'); // callback is null when called from cronjob
 
     debug('Cleaning up expired tokens');
 
     async.series([
-        ignoreError(cleanupExpiredTokens),
-        ignoreError(cleanupExpiredAuthCodes)
+        ignoreError(cleanupExpiredTokens)
     ], callback);
 }
 

src/ldap.js

@@ -126,16 +126,16 @@ function userSearch(req, res, next) {
         var results = [];
 
         // send user objects
-        result.forEach(function (entry) {
+        result.forEach(function (user) {
             // skip entries with empty username. Some apps like owncloud can't deal with this
-            if (!entry.username) return;
+            if (!user.username) return;
 
-            var dn = ldap.parseDN('cn=' + entry.id + ',ou=users,dc=cloudron');
+            var dn = ldap.parseDN('cn=' + user.id + ',ou=users,dc=cloudron');
 
             var groups = [ GROUP_USERS_DN ];
-            if (entry.admin) groups.push(GROUP_ADMINS_DN);
+            if (users.compareRoles(user.role, users.ROLE_ADMIN) >= 0) groups.push(GROUP_ADMINS_DN);
 
-            var displayName = entry.displayName || entry.username || ''; // displayName can be empty and username can be null
+            var displayName = user.displayName || user.username || ''; // displayName can be empty and username can be null
             var nameParts = displayName.split(' ');
             var firstName = nameParts[0];
             var lastName = nameParts.length > 1  ? nameParts[nameParts.length - 1] : ''; // choose last part, if it exists
@@ -143,17 +143,17 @@ function userSearch(req, res, next) {
             var obj = {
                 dn: dn.toString(),
                 attributes: {
-                    objectclass: ['user'],
+                    objectclass: ['user', 'inetorgperson', 'person' ],
                     objectcategory: 'person',
-                    cn: entry.id,
-                    uid: entry.id,
-                    mail: entry.email,
-                    mailAlternateAddress: entry.fallbackEmail,
+                    cn: user.id,
+                    uid: user.id,
+                    entryuuid: user.id, // to support OpenLDAP clients
+                    mail: user.email,
+                    mailAlternateAddress: user.fallbackEmail,
                     displayname: displayName,
                     givenName: firstName,
-                    username: entry.username,
-                    samaccountname: entry.username,      // to support ActiveDirectory clients
-                    isadmin: entry.admin,
+                    username: user.username,
+                    samaccountname: user.username,      // to support ActiveDirectory clients
                     memberof: groups
                 }
             };
@@ -193,7 +193,7 @@ function groupSearch(req, res, next) {
 
         groups.forEach(function (group) {
             var dn = ldap.parseDN('cn=' + group.name + ',ou=groups,dc=cloudron');
-            var members = group.admin ? result.filter(function (entry) { return entry.admin; }) : result;
+            var members = group.admin ? result.filter(function (user) { return users.compareRoles(user.role, users.ROLE_ADMIN) >= 0; }) : result;
 
             var obj = {
                 dn: dn.toString(),
@@ -241,8 +241,8 @@ function groupAdminsCompare(req, res, next) {
 
         // we only support memberuid here, if we add new group attributes later add them here
         if (req.attribute === 'memberuid') {
-            var found = result.find(function (u) { return u.id === req.value; });
-            if (found && found.admin) return res.end(true);
+            var user = result.find(function (u) { return u.id === req.value; });
+            if (user && users.compareRoles(user.role, users.ROLE_ADMIN) >= 0) return res.end(true);
         }
 
         res.end(false);
@@ -283,10 +283,11 @@ function mailboxSearch(req, res, next) {
                 res.end();
             }
         });
-    } else if (req.dn.rdns[0].attrs.domain) {
+    } else if (req.dn.rdns[0].attrs.domain) { // legacy ldap mailbox search for old sogo
         var domain = req.dn.rdns[0].attrs.domain.value.toLowerCase();
 
         mailboxdb.listMailboxes(domain, 1, 1000, function (error, result) {
+
             if (error) return next(new ldap.OperationsError(error.toString()));
 
             var results = [];
@@ -309,7 +310,6 @@ function mailboxSearch(req, res, next) {
                 // ensure all filter values are also lowercase
                 var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
                 if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
-
                 if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && lowerCaseFilter.matches(obj.attributes)) {
                     results.push(obj);
                 }
@@ -317,8 +317,55 @@ function mailboxSearch(req, res, next) {
 
             finalSend(results, req, res, next);
         });
-    } else {
-        return next(new ldap.NoSuchObjectError(req.dn.toString()));
+    } else { // new sogo
+        mailboxdb.listAllMailboxes(1, 1000, function (error, mailboxes) {
+            if (error) return next(new ldap.OperationsError(error.toString()));
+
+            var results = [];
+
+            // send mailbox objects
+            async.eachSeries(mailboxes, function (mailbox, callback) {
+                var dn = ldap.parseDN(`cn=${mailbox.name}@${mailbox.domain},ou=mailboxes,dc=cloudron`);
+
+                users.get(mailbox.ownerId, function (error, userObject) {
+                    if (error) return callback(); // skip mailboxes with unknown owner
+
+                    var obj = {
+                        dn: dn.toString(),
+                        attributes: {
+                            objectclass: ['mailbox'],
+                            objectcategory: 'mailbox',
+                            displayname: userObject.displayName,
+                            cn: `${mailbox.name}@${mailbox.domain}`,
+                            uid: `${mailbox.name}@${mailbox.domain}`,
+                            mail: `${mailbox.name}@${mailbox.domain}`
+                        }
+                    };
+
+                    mailboxdb.getAliasesForName(mailbox.name, mailbox.domain, function (error, aliases) {
+                        if (error) return callback(error);
+
+                        aliases.forEach(function (a, idx) {
+                            obj.attributes['mail' + idx] = `${a}@${mailbox.domain}`;
+                        });
+
+                        // ensure all filter values are also lowercase
+                        var lowerCaseFilter = safe(function () { return ldap.parseFilter(req.filter.toString().toLowerCase()); }, null);
+                        if (!lowerCaseFilter) return next(new ldap.OperationsError(safe.error.toString()));
+
+                        if ((req.dn.equals(dn) || req.dn.parentOf(dn)) && lowerCaseFilter.matches(obj.attributes)) {
+                            results.push(obj);
+                        }
+
+                        callback();
+                    });
+                });
+            }, function (error) {
+                if (error) return next(new ldap.OperationsError(error.toString()));
+
+                finalSend(results, req, res, next);
+            });
+        });
     }
 }
 
@@ -344,7 +391,7 @@ function mailAliasSearch(req, res, next) {
                 objectclass: ['nisMailAlias'],
                 objectcategory: 'nisMailAlias',
                 cn: `${alias.name}@${alias.domain}`,
-                rfc822MailMember: `${alias.aliasTarget}@${alias.domain}`
+                rfc822MailMember: `${alias.aliasName}@${alias.aliasDomain}`
             }
         };
 
@@ -370,7 +417,7 @@ function mailingListSearch(req, res, next) {
     if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
     const name = parts[0], domain = parts[1];
 
-    mail.resolveList(parts[0], parts[1], function (error, resolvedMembers) {
+    mail.resolveList(parts[0], parts[1], function (error, resolvedMembers, list) {
         if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
         if (error) return next(new ldap.OperationsError(error.toString()));
 
@@ -383,6 +430,7 @@ function mailingListSearch(req, res, next) {
                 objectcategory: 'mailGroup',
                 cn: `${name}@${domain}`, // fully qualified
                 mail: `${name}@${domain}`,
+                membersOnly: list.membersOnly, // ldapjs only supports strings and string array. so this is not a bool!
                 mgrpRFC822MailMember: resolvedMembers // fully qualified
             }
         };
@@ -419,7 +467,7 @@ function authenticateUser(req, res, next) {
         api = users.verifyWithUsername;
     }
 
-    api(commonName, req.credentials || '', function (error, user) {
+    api(commonName, req.credentials || '', req.app.id, function (error, user) {
         if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
         if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
         if (error) return next(new ldap.OperationsError(error.message));
@@ -465,7 +513,7 @@ function authenticateUserMailbox(req, res, next) {
             if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
             if (error) return next(new ldap.OperationsError(error.message));
 
-            users.verify(mailbox.ownerId, req.credentials || '', function (error, result) {
+            users.verify(mailbox.ownerId, req.credentials || '', users.AP_MAIL, function (error, result) {
                 if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
                 if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
                 if (error) return next(new ldap.OperationsError(error.message));
@@ -486,13 +534,16 @@ function authenticateSftp(req, res, next) {
     var parts = email.split('@');
     if (parts.length !== 2) return next(new ldap.NoSuchObjectError(req.dn.toString()));
 
-    // actual user bind
-    users.verifyWithUsername(parts[0], req.credentials, function (error) {
+    apps.getByFqdn(parts[1], function (error, app) {
         if (error) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
 
-        debug('sftp auth: success');
+        users.verifyWithUsername(parts[0], req.credentials, app.id, function (error) {
+            if (error) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
 
-        res.end();
+            debug('sftp auth: success');
+
+            res.end();
+        });
     });
 }
 
@@ -567,16 +618,13 @@ function authenticateMailAddon(req, res, next) {
         // note: with sendmail addon, apps can send mail without a mailbox (unlike users)
         appdb.getAppIdByAddonConfigValue(addonId, namePattern, req.credentials || '', function (error, appId) {
             if (error && error.reason !== BoxError.NOT_FOUND) return next(new ldap.OperationsError(error.message));
-            if (appId) { // matched app password
-                eventlog.add(eventlog.ACTION_APP_LOGIN, { authType: 'ldap', mailboxId: email }, { appId: appId, addonId: addonId });
-                return res.end();
-            }
+            if (appId) return res.end();
 
             mailboxdb.getMailbox(parts[0], parts[1], function (error, mailbox) {
                 if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
                 if (error) return next(new ldap.OperationsError(error.message));
 
-                users.verify(mailbox.ownerId, req.credentials || '', function (error, result) {
+                users.verify(mailbox.ownerId, req.credentials || '', users.AP_MAIL, function (error, result) {
                     if (error && error.reason === BoxError.NOT_FOUND) return next(new ldap.NoSuchObjectError(req.dn.toString()));
                     if (error && error.reason === BoxError.INVALID_CREDENTIALS) return next(new ldap.InvalidCredentialsError(req.dn.toString()));
                     if (error) return next(new ldap.OperationsError(error.message));

src/logrotate.ejs

@@ -8,6 +8,7 @@
     maxsize 1M
     missingok
     delaycompress
+    # this truncates the original log file and not the rotated one
     copytruncate
 }
 
@@ -18,6 +19,7 @@
     missingok
     # we never compress so we can simply tail the files
     nocompress
+    # this truncates the original log file and not the rotated one
     copytruncate
 }
 

src/mail.js

@@ -7,10 +7,11 @@ exports = module.exports = {
     getDomains: getDomains,
 
     getDomain: getDomain,
-    addDomain: addDomain,
-    removeDomain: removeDomain,
     clearDomains: clearDomains,
 
+    onDomainAdded: onDomainAdded,
+    onDomainRemoved: onDomainRemoved,
+
     removePrivateFields: removePrivateFields,
 
     setDnsRecords: setDnsRecords,
@@ -37,7 +38,6 @@ exports = module.exports = {
     updateMailboxOwner: updateMailboxOwner,
     removeMailbox: removeMailbox,
 
-    listAliases: listAliases,
     getAliases: getAliases,
     setAliases: setAliases,
 
@@ -101,7 +101,6 @@ function checkOutboundPort25(callback) {
         'smtp.gmail.com',
         'smtp.live.com',
         'smtp.mail.yahoo.com',
-        'smtp.comcast.net',
         'smtp.1und1.de',
     ]);
 
@@ -199,7 +198,7 @@ function checkDkim(mailDomain, callback) {
     };
 
     var dkimKey = readDkimPublicKeySync(domain);
-    if (!dkimKey) return callback(new BoxError(BoxError.FS_ERROR, `Failed to read dkim public key of ${domain}`));
+    if (!dkimKey) return callback(new BoxError(BoxError.FS_ERROR, `Failed to read dkim public key of ${domain}`), dkim);
 
     dkim.expected = 'v=DKIM1; t=s; p=' + dkimKey;
 
@@ -208,7 +207,8 @@ function checkDkim(mailDomain, callback) {
 
         if (txtRecords.length !== 0) {
             dkim.value = txtRecords[0].join('');
-            dkim.status = (dkim.value === dkim.expected);
+            const actual = txtToDict(dkim.value);
+            dkim.status = actual.p === dkimKey;
         }
 
         callback(null, dkim);
@@ -269,7 +269,7 @@ function checkMx(domain, mailFqdn, callback) {
         if (error) return callback(error, mx);
         if (mxRecords.length === 0) return callback(null, mx);
 
-        mx.status = mxRecords.length == 1 && mxRecords[0].exchange === mailFqdn;
+        mx.status = mxRecords.some(mx => mx.exchange === mailFqdn); // this lets use change priority and/or setup backup MX
         mx.value = mxRecords.map(function (r) { return r.priority + ' ' + r.exchange + '.'; }).join(' ');
 
         if (mx.status) return callback(null, mx); // MX record is "my."
@@ -313,9 +313,8 @@ function checkDmarc(domain, callback) {
 
         if (txtRecords.length !== 0) {
             dmarc.value = txtRecords[0].join('');
-            // allow extra fields in dmarc like rua
-            const actual = txtToDict(dmarc.value), expected = txtToDict(dmarc.expected);
-            dmarc.status = Object.keys(expected).every(k => expected[k] === actual[k]);
+            const actual = txtToDict(dmarc.value);
+            dmarc.status = actual.v === 'DMARC1'; // see box#666
         }
 
         callback(null, dmarc);
@@ -456,7 +455,7 @@ function getStatus(domain, callback) {
 
     // ensure we always have a valid toplevel properties for the api
     var results = {
-        dns: {}, // { mx/dmar/dkim/spf/ptr: { expected, value, name, domain, type } }
+        dns: {}, // { mx/dmarc/dkim/spf/ptr: { expected, value, name, domain, type, status } }
         rbl: {}, // { status, ip, servers: [{name,site,dns}]} optional. only for cloudron-smtp
         relay: {} // { status, value } always checked
     };
@@ -466,7 +465,7 @@ function getStatus(domain, callback) {
             func(function (error, result) {
                 if (error) debug('Ignored error - ' + what + ':', error);
 
-                safe.set(results, what, result);
+                safe.set(results, what, result || {});
 
                 callback();
             });
@@ -654,7 +653,6 @@ function configureMail(mailFqdn, mailDomain, callback) {
                             -v "${paths.MAIL_DATA_DIR}:/app/data" \
                             -v "${paths.PLATFORM_DATA_DIR}/addons/mail:/etc/mail" \
                             ${ports} \
-                            -p 127.0.0.1:2020:2020 \
                             --label isCloudronManaged=true \
                             --read-only -v /run -v /tmp ${tag}`;
 
@@ -800,6 +798,7 @@ function ensureDkimKeySync(mailDomain) {
         return new BoxError(BoxError.FS_ERROR, safe.error);
     }
 
+    // https://www.unlocktheinbox.com/dkim-key-length-statistics/ and https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-authentication-dkim-easy.html for key size
     if (!safe.child_process.execSync('openssl genrsa -out ' + dkimPrivateKeyFile + ' 1024')) return new BoxError(BoxError.OPENSSL_ERROR, safe.error);
     if (!safe.child_process.execSync('openssl rsa -in ' + dkimPrivateKeyFile + ' -out ' + dkimPublicKeyFile + ' -pubout -outform PEM')) return new BoxError(BoxError.OPENSSL_ERROR, safe.error);
 
@@ -907,37 +906,21 @@ function onMailFqdnChanged(callback) {
     });
 }
 
-function addDomain(domain, callback) {
+function onDomainAdded(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    const dkimSelector = domain === settings.adminDomain() ? 'cloudron' : ('cloudron-' + settings.adminDomain().replace(/\./g, ''));
-
-    maildb.add(domain, { dkimSelector }, function (error) {
-        if (error) return callback(error);
-
-        async.series([
-            upsertDnsRecords.bind(null, domain, settings.mailFqdn()), // do this first to ensure DKIM keys
-            restartMailIfActivated
-        ], NOOP_CALLBACK); // do these asynchronously
-
-        callback();
-    });
+    async.series([
+        upsertDnsRecords.bind(null, domain, settings.mailFqdn()), // do this first to ensure DKIM keys
+        restartMailIfActivated
+    ], callback);
 }
 
-function removeDomain(domain, callback) {
+function onDomainRemoved(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if (domain === settings.adminDomain()) return callback(new BoxError(BoxError.CONFLICT));
-
-    maildb.del(domain, function (error) {
-        if (error) return callback(error);
-
-        restartMail(NOOP_CALLBACK);
-
-        callback();
-    });
+    restartMail(callback);
 }
 
 function clearDomains(callback) {
@@ -1106,18 +1089,25 @@ function addMailbox(name, domain, userId, auditSource, callback) {
     });
 }
 
-function updateMailboxOwner(name, domain, userId, callback) {
+function updateMailboxOwner(name, domain, userId, auditSource, callback) {
     assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof userId, 'string');
+    assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     name = name.toLowerCase();
 
-    mailboxdb.updateMailboxOwner(name, domain, userId, function (error) {
+    getMailbox(name, domain, function (error, result) {
         if (error) return callback(error);
 
-        callback(null);
+        mailboxdb.updateMailboxOwner(name, domain, userId, function (error) {
+            if (error) return callback(error);
+
+            eventlog.add(eventlog.ACTION_MAIL_MAILBOX_UPDATE, auditSource, { name, domain, oldUserId: result.userId, userId });
+
+            callback(null);
+        });
     });
 }
 
@@ -1136,19 +1126,6 @@ function removeMailbox(name, domain, auditSource, callback) {
     });
 }
 
-function listAliases(domain, page, perPage, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof page, 'number');
-    assert.strictEqual(typeof perPage, 'number');
-    assert.strictEqual(typeof callback, 'function');
-
-    mailboxdb.listAliases(domain, page, perPage, function (error, result) {
-        if (error) return callback(error);
-
-        callback(null, result);
-    });
-}
-
 function getAliases(name, domain, callback) {
     assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof domain, 'string');
@@ -1172,12 +1149,15 @@ function setAliases(name, domain, aliases, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     for (var i = 0; i < aliases.length; i++) {
-        aliases[i] = aliases[i].toLowerCase();
+        let name = aliases[i].name.toLowerCase();
+        let domain = aliases[i].domain.toLowerCase();
 
-        var error = validateName(aliases[i]);
+        let error = validateName(name);
         if (error) return callback(error);
-    }
 
+        if (!validator.isEmail(`${name}@${domain}`)) return callback(new BoxError(BoxError.BAD_FIELD, `Invalid email: ${name}@${domain}`));
+        aliases[i] = { name, domain };
+    }
     mailboxdb.setAliasesForName(name, domain, aliases, function (error) {
         if (error) return callback(error);
 
@@ -1196,22 +1176,23 @@ function getLists(domain, callback) {
     });
 }
 
-function getList(domain, listName, callback) {
+function getList(name, domain, callback) {
+    assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof listName, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    mailboxdb.getList(listName, domain, function (error, result) {
+    mailboxdb.getList(name, domain, function (error, result) {
         if (error) return callback(error);
 
         callback(null, result);
     });
 }
 
-function addList(name, domain, members, auditSource, callback) {
+function addList(name, domain, members, membersOnly, auditSource, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof name, 'string');
     assert(Array.isArray(members));
+    assert.strictEqual(typeof membersOnly, 'boolean');
     assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
@@ -1224,19 +1205,21 @@ function addList(name, domain, members, auditSource, callback) {
         if (!validator.isEmail(members[i])) return callback(new BoxError(BoxError.BAD_FIELD, 'Invalid mail member: ' + members[i]));
     }
 
-    mailboxdb.addList(name, domain, members, function (error) {
+    mailboxdb.addList(name, domain, members, membersOnly, function (error) {
         if (error) return callback(error);
 
-        eventlog.add(eventlog.ACTION_MAIL_LIST_ADD, auditSource, { name, domain });
+        eventlog.add(eventlog.ACTION_MAIL_LIST_ADD, auditSource, { name, domain, members, membersOnly });
 
         callback();
     });
 }
 
-function updateList(name, domain, members, callback) {
+function updateList(name, domain, members, membersOnly, auditSource, callback) {
     assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert(Array.isArray(members));
+    assert.strictEqual(typeof membersOnly, 'boolean');
+    assert.strictEqual(typeof auditSource, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     name = name.toLowerCase();
@@ -1248,10 +1231,16 @@ function updateList(name, domain, members, callback) {
         if (!validator.isEmail(members[i])) return callback(new BoxError(BoxError.BAD_FIELD, 'Invalid email: ' + members[i]));
     }
 
-    mailboxdb.updateList(name, domain, members, function (error) {
+    getList(name, domain, function (error, result) {
         if (error) return callback(error);
 
-        callback(null);
+        mailboxdb.updateList(name, domain, members, membersOnly, function (error) {
+            if (error) return callback(error);
+
+            eventlog.add(eventlog.ACTION_MAIL_MAILBOX_UPDATE, auditSource, { name, domain, oldMembers: result.members, members, membersOnly });
+
+            callback(null);
+        });
     });
 }
 
@@ -1264,12 +1253,13 @@ function removeList(name, domain, auditSource, callback) {
     mailboxdb.del(name, domain, function (error) {
         if (error) return callback(error);
 
-        eventlog.add(eventlog.ACTION_MAIL_LIST_ADD, auditSource, { name, domain });
+        eventlog.add(eventlog.ACTION_MAIL_LIST_REMOVE, auditSource, { name, domain });
 
         callback();
     });
 }
 
+// resolves the members of a list. i.e the lists and aliases
 function resolveList(listName, listDomain, callback) {
     assert.strictEqual(typeof listName, 'string');
     assert.strictEqual(typeof listDomain, 'string');
@@ -1300,18 +1290,21 @@ function resolveList(listName, listDomain, callback) {
                 visited.push(member);
 
                 mailboxdb.get(memberName, memberDomain, function (error, entry) {
-                    if (error && error.reason == BoxError.NOT_FOUND) { result.push(member); return iteratorCallback(); }
+                    if (error && error.reason == BoxError.NOT_FOUND) { result.push(member); return iteratorCallback(); } // let it bounce
                     if (error) return iteratorCallback(error);
 
-                    if (entry.type === mailboxdb.TYPE_MAILBOX) { result.push(member); return iteratorCallback(); }
-                    // no need to resolve alias because we only allow one level and within same domain
-                    if (entry.type === mailboxdb.TYPE_ALIAS) { result.push(`${entry.aliasTarget}@${entry.domain}`); return iteratorCallback(); }
+                    if (entry.type === mailboxdb.TYPE_MAILBOX) { // concrete mailbox
+                        result.push(member);
+                    } else if (entry.type === mailboxdb.TYPE_ALIAS) { // resolve aliases
+                        toResolve = toResolve.concat(`${entry.aliasName}@${entry.aliasTarget}`);
+                    } else { // resolve list members
+                        toResolve = toResolve.concat(entry.members);
+                    }
 
-                    toResolve = toResolve.concat(entry.members);
                     iteratorCallback();
                 });
             }, function (error) {
-                callback(error, result);
+                callback(error, result, list);
             });
         });
     });

src/mail_templates/welcome_user.ejs

@@ -5,7 +5,7 @@ Dear <%= user.displayName || user.username || user.email %>,
 Welcome to <%= cloudronName %>!
 
 Follow the link to get started.
-<%- setupLink %>
+<%- inviteLink %>
 
 <% if (invitor && invitor.email) { %>
 You are receiving this email because you were invited by <%= invitor.email %>.
@@ -25,7 +25,7 @@ Powered by https://cloudron.io
 <h2>Welcome to <%= cloudronName %>!</h2>
 
 <p>
-    <a href="<%= setupLink %>">Get started</a>.
+    <a href="<%= inviteLink %>">Get started</a>.
 </p>
 
 <br/>

src/mailboxdb.js

@@ -8,10 +8,11 @@ exports = module.exports = {
     updateList: updateList,
     del: del,
 
-    listAliases: listAliases,
     listMailboxes: listMailboxes,
     getLists: getLists,
 
+    listAllMailboxes: listAllMailboxes,
+
     get: get,
     getMailbox: getMailbox,
     getList: getList,
@@ -39,12 +40,14 @@ var assert = require('assert'),
     safe = require('safetydance'),
     util = require('util');
 
-var MAILBOX_FIELDS = [ 'name', 'type', 'ownerId', 'aliasTarget', 'creationTime', 'membersJson', 'domain' ].join(',');
+var MAILBOX_FIELDS = [ 'name', 'type', 'ownerId', 'aliasName', 'aliasDomain', 'creationTime', 'membersJson', 'membersOnly', 'domain' ].join(',');
 
 function postProcess(data) {
     data.members = safe.JSON.parse(data.membersJson) || [ ];
     delete data.membersJson;
 
+    data.membersOnly = !!data.membersOnly;
+
     return data;
 }
 
@@ -76,14 +79,15 @@ function updateMailboxOwner(name, domain, ownerId, callback) {
     });
 }
 
-function addList(name, domain, members, callback) {
+function addList(name, domain, members, membersOnly, callback) {
     assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert(Array.isArray(members));
+    assert.strictEqual(typeof membersOnly, 'boolean');
     assert.strictEqual(typeof callback, 'function');
 
-    database.query('INSERT INTO mailboxes (name, type, domain, ownerId, membersJson) VALUES (?, ?, ?, ?, ?)',
-        [ name, exports.TYPE_LIST, domain, 'admin', JSON.stringify(members) ], function (error) {
+    database.query('INSERT INTO mailboxes (name, type, domain, ownerId, membersJson, membersOnly) VALUES (?, ?, ?, ?, ?, ?)',
+        [ name, exports.TYPE_LIST, domain, 'admin', JSON.stringify(members), membersOnly ], function (error) {
             if (error && error.code === 'ER_DUP_ENTRY') return callback(new BoxError(BoxError.ALREADY_EXISTS, 'mailbox already exists'));
             if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
 
@@ -91,14 +95,15 @@ function addList(name, domain, members, callback) {
         });
 }
 
-function updateList(name, domain, members, callback) {
+function updateList(name, domain, members, membersOnly, callback) {
     assert.strictEqual(typeof name, 'string');
     assert.strictEqual(typeof domain, 'string');
     assert(Array.isArray(members));
+    assert.strictEqual(typeof membersOnly, 'boolean');
     assert.strictEqual(typeof callback, 'function');
 
-    database.query('UPDATE mailboxes SET membersJson = ? WHERE name = ? AND domain = ?',
-        [ JSON.stringify(members), name, domain ], function (error, result) {
+    database.query('UPDATE mailboxes SET membersJson = ?, membersOnly = ? WHERE name = ? AND domain = ?',
+        [ JSON.stringify(members), membersOnly, name, domain ], function (error, result) {
             if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
             if (result.affectedRows === 0) return callback(new BoxError(BoxError.NOT_FOUND, 'Mailbox not found'));
 
@@ -121,7 +126,7 @@ function del(name, domain, callback) {
     assert.strictEqual(typeof callback, 'function');
 
     // deletes aliases as well
-    database.query('DELETE FROM mailboxes WHERE (name=? OR aliasTarget = ?) AND domain = ?', [ name, name, domain ], function (error, result) {
+    database.query('DELETE FROM mailboxes WHERE ((name=? AND domain=?) OR (aliasName = ? AND aliasDomain=?))', [ name, domain, name, domain ], function (error, result) {
         if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
         if (result.affectedRows === 0) return callback(new BoxError(BoxError.NOT_FOUND, 'Mailbox not found'));
 
@@ -214,6 +219,21 @@ function listMailboxes(domain, page, perPage, callback) {
         });
 }
 
+function listAllMailboxes(page, perPage, callback) {
+    assert.strictEqual(typeof page, 'number');
+    assert.strictEqual(typeof perPage, 'number');
+    assert.strictEqual(typeof callback, 'function');
+
+    database.query(`SELECT ${MAILBOX_FIELDS} FROM mailboxes WHERE type = ? ORDER BY name LIMIT ${(page-1)*perPage},${perPage}`,
+        [ exports.TYPE_MAILBOX ], function (error, results) {
+            if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
+
+            results.forEach(function (result) { postProcess(result); });
+
+            callback(null, results);
+        });
+}
+
 function getLists(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
@@ -268,10 +288,10 @@ function setAliasesForName(name, domain, aliases, callback) {
 
         var queries = [];
         // clear existing aliases
-        queries.push({ query: 'DELETE FROM mailboxes WHERE aliasTarget = ? AND domain = ? AND type = ?', args: [ name, domain, exports.TYPE_ALIAS ] });
+        queries.push({ query: 'DELETE FROM mailboxes WHERE aliasName = ? AND aliasDomain = ? AND type = ?', args: [ name, domain, exports.TYPE_ALIAS ] });
         aliases.forEach(function (alias) {
-            queries.push({ query: 'INSERT INTO mailboxes (name, type, domain, aliasTarget, ownerId) VALUES (?, ?, ?, ?, ?)',
-                args: [ alias, exports.TYPE_ALIAS, domain, name, results[0].ownerId ] });
+            queries.push({ query: 'INSERT INTO mailboxes (name, domain, type, aliasName, aliasDomain, ownerId) VALUES (?, ?, ?, ?, ?, ?)',
+                args: [ alias.name, alias.domain, exports.TYPE_ALIAS, name, domain, results[0].ownerId ] });
         });
 
         database.transaction(queries, function (error) {
@@ -294,27 +314,10 @@ function getAliasesForName(name, domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    database.query('SELECT name FROM mailboxes WHERE type = ? AND aliasTarget = ? AND domain = ? ORDER BY name',
+    database.query('SELECT name, domain FROM mailboxes WHERE type = ? AND aliasName = ? AND aliasDomain = ? ORDER BY name',
         [ exports.TYPE_ALIAS, name, domain ], function (error, results) {
             if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
 
-            results = results.map(function (r) { return r.name; });
-            callback(null, results);
-        });
-}
-
-function listAliases(domain, page, perPage, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof page, 'number');
-    assert.strictEqual(typeof perPage, 'number');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query(`SELECT ${MAILBOX_FIELDS} FROM mailboxes WHERE domain = ? AND type = ? ORDER BY name LIMIT ${(page-1)*perPage},${perPage}`,
-        [ domain, exports.TYPE_ALIAS ], function (error, results) {
-            if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-            results.forEach(function (result) { postProcess(result); });
-
             callback(null, results);
         });
 }

src/maildb.js

@@ -1,8 +1,6 @@
 'use strict';
 
 exports = module.exports = {
-    add: add,
-    del: del,
     get: get,
     list: list,
     update: update,
@@ -34,20 +32,6 @@ function postProcess(data) {
     return data;
 }
 
-function add(domain, data, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof data, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    database.query('INSERT INTO mail (domain, dkimSelector) VALUES (?, ?)', [ domain, data.dkimSelector || 'cloudron' ], function (error) {
-        if (error && error.code === 'ER_DUP_ENTRY') return callback(new BoxError(BoxError.ALREADY_EXISTS, 'mail domain already exists'));
-        if (error && error.code === 'ER_NO_REFERENCED_ROW_2') return callback(new BoxError(BoxError.NOT_FOUND), 'no such domain');
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-
-        callback(null);
-    });
-}
-
 function clear(callback) {
     assert.strictEqual(typeof callback, 'function');
 
@@ -58,20 +42,6 @@ function clear(callback) {
     });
 }
 
-function del(domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    // deletes aliases as well
-    database.query('DELETE FROM mail WHERE domain=?', [ domain ], function (error, result) {
-        if (error && error.code === 'ER_ROW_IS_REFERENCED_2') return callback(new BoxError(BoxError.CONFLICT));
-        if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
-        if (result.affectedRows === 0) return callback(new BoxError(BoxError.NOT_FOUND, 'Mail domain not found'));
-
-        callback(null);
-    });
-}
-
 function get(domain, callback) {
     assert.strictEqual(typeof domain, 'string');
     assert.strictEqual(typeof callback, 'function');

src/mailer.js

@@ -3,7 +3,7 @@
 exports = module.exports = {
     userAdded: userAdded,
     userRemoved: userRemoved,
-    adminChanged: adminChanged,
+    roleChanged: roleChanged,
     passwordReset: passwordReset,
     appUpdatesAvailable: appUpdatesAvailable,
 
@@ -26,7 +26,6 @@ exports = module.exports = {
 
 var assert = require('assert'),
     BoxError = require('./boxerror.js'),
-    custom = require('./custom.js'),
     debug = require('debug')('box:mailer'),
     ejs = require('ejs'),
     mail = require('./mail.js'),
@@ -47,15 +46,16 @@ function getMailConfig(callback) {
     assert.strictEqual(typeof callback, 'function');
 
     settings.getCloudronName(function (error, cloudronName) {
-        // this is not fatal
-        if (error) {
-            debug(error);
-            cloudronName = 'Cloudron';
-        }
+        if (error) debug('Error getting cloudron name: ', error);
 
-        callback(null, {
-            cloudronName: cloudronName,
-            notificationFrom: `"${cloudronName}" <no-reply@${settings.adminDomain()}>`
+        settings.getSupportConfig(function (error, supportConfig) {
+            if (error) debug('Error getting support config: ', error);
+
+            callback(null, {
+                cloudronName: cloudronName || '',
+                notificationFrom: `"${cloudronName}" <no-reply@${settings.adminDomain()}>`,
+                supportEmail: supportConfig.email
+            });
         });
     });
 }
@@ -125,9 +125,10 @@ function mailUserEvent(mailTo, user, event) {
     });
 }
 
-function sendInvite(user, invitor) {
+function sendInvite(user, invitor, inviteLink) {
     assert.strictEqual(typeof user, 'object');
-    assert(typeof invitor === 'object');
+    assert.strictEqual(typeof invitor, 'object');
+    assert.strictEqual(typeof inviteLink, 'string');
 
     debug('Sending invite mail');
 
@@ -137,7 +138,7 @@ function sendInvite(user, invitor) {
         var templateData = {
             user: user,
             webadminUrl: settings.adminOrigin(),
-            setupLink: `${settings.adminOrigin()}/api/v1/session/account/setup.html?reset_token=${user.resetToken}&email=${encodeURIComponent(user.email)}`,
+            inviteLink: inviteLink,
             invitor: invitor,
             cloudronName: mailConfig.cloudronName,
             cloudronAvatarUrl: settings.adminOrigin() + '/api/v1/cloudron/avatar'
@@ -203,14 +204,13 @@ function userRemoved(mailTo, user) {
     mailUserEvent(mailTo, user, 'was removed');
 }
 
-function adminChanged(mailTo, user, isAdmin) {
+function roleChanged(mailTo, user) {
     assert.strictEqual(typeof mailTo, 'string');
     assert.strictEqual(typeof user, 'object');
-    assert.strictEqual(typeof isAdmin, 'boolean');
 
-    debug('Sending mail for adminChanged');
+    debug('Sending mail for roleChanged');
 
-    mailUserEvent(mailTo, user, isAdmin ? 'is now an admin' : 'is no more an admin');
+    mailUserEvent(mailTo, user, `now has the role '${user.role}'`);
 }
 
 function passwordReset(user) {
@@ -223,7 +223,7 @@ function passwordReset(user) {
 
         var templateData = {
             user: user,
-            resetLink: `${settings.adminOrigin()}/api/v1/session/password/reset.html?reset_token=${user.resetToken}&email=${encodeURIComponent(user.email)}`,
+            resetLink: `${settings.adminOrigin()}/login.html?resetToken=${user.resetToken}`,
             cloudronName: mailConfig.cloudronName,
             cloudronAvatarUrl: settings.adminOrigin() + '/api/v1/cloudron/avatar'
         };
@@ -279,7 +279,7 @@ function appDied(mailTo, app) {
             from: mailConfig.notificationFrom,
             to: mailTo,
             subject: util.format('[%s] App %s is down', mailConfig.cloudronName, app.fqdn),
-            text: render('app_down.ejs', { title: app.manifest.title, appFqdn: app.fqdn, supportEmail: custom.spec().support.email, format: 'text' })
+            text: render('app_down.ejs', { title: app.manifest.title, appFqdn: app.fqdn, supportEmail: mailConfig.supportEmail, format: 'text' })
         };
 
         sendMail(mailOptions);

src/middleware/index.js

@@ -1,15 +1,12 @@
 'use strict';
 
 exports = module.exports = {
-    cookieParser: require('cookie-parser'),
     cors: require('./cors'),
-    csrf: require('csurf'),
     json: require('body-parser').json,
     morgan: require('morgan'),
     proxy: require('proxy-middleware'),
     lastMile: require('connect-lastmile'),
     multipart: require('./multipart.js'),
-    session: require('express-session'),
     timeout: require('connect-timeout'),
     urlencoded: require('body-parser').urlencoded
 };

src/nginxconfig.ejs

@@ -58,17 +58,16 @@ server {
     ssl_certificate      <%= certFilePath %>;
     ssl_certificate_key  <%= keyFilePath %>;
     ssl_session_timeout  5m;
-    ssl_session_cache shared:SSL:50m;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
 
-    # https://bettercrypto.org/static/applied-crypto-hardening.pdf
-    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
-    # https://cipherli.st/
     # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-    ssl_prefer_server_ciphers on;
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
+    # https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#25-use-forward-secrecy
+    # ciphers according to https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1.1&guideline=5.4
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;
+    ssl_prefer_server_ciphers off;
 
-    # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
-    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
     ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
     add_header Strict-Transport-Security "max-age=15768000";
 
@@ -108,7 +107,9 @@ server {
 <% } -%>
 
     proxy_http_version 1.1;
+    # intercept errors (>= 400) and use the error_page handler
     proxy_intercept_errors on;
+    # nginx will return 504 on connect/timeout errors
     proxy_read_timeout       3500;
     proxy_connect_timeout    3250;
 
@@ -125,11 +126,32 @@ server {
 
     # only serve up the status page if we get proxy gateway errors
     root <%= sourceDir %>/dashboard/dist;
-    error_page 502 503 504 /appstatus.html;
-    location /appstatus.html {
+    # some apps use 503 to indicate updating or maintenance
+    error_page 502 504 /app_error_page;
+    location /app_error_page {
+        root /home/yellowtent/boxdata;
+        # the first argument looks for file under the root
+        try_files /custom_pages/$request_uri /custom_pages/app_not_responding.html /appstatus.html;
+        # internal means this is for internal routing and cannot be accessed as URL from browser
         internal;
     }
 
+    location @wellknown-upstream {
+<% if ( endpoint === 'admin' ) { %>
+        proxy_pass http://127.0.0.1:3000;
+<% } else if ( endpoint === 'app' ) { %>
+        proxy_pass http://127.0.0.1:<%= port %>;
+<% } else if ( endpoint === 'redirect' ) { %>
+        return 302 https://<%= redirectTo %>$request_uri;
+<% } %>
+    }
+
+    # user defined .well-known resources
+    location ~ ^/.well-known/(.*)$ {
+        root /home/yellowtent/boxdata/well-known/$host;
+        try_files /$1 @wellknown-upstream;
+    }
+
     location / {
         # increase the proxy buffer sizes to not run into buffer issues (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers)
         proxy_buffer_size       128k;

src/notifications.js

@@ -25,7 +25,6 @@ let assert = require('assert'),
     auditSource = require('./auditsource.js'),
     BoxError = require('./boxerror.js'),
     changelog = require('./changelog.js'),
-    custom = require('./custom.js'),
     debug = require('debug')('box:notifications'),
     eventlog = require('./eventlog.js'),
     mailer = require('./mailer.js'),
@@ -100,7 +99,8 @@ function actionForAllAdmins(skippingUserIds, iterator, callback) {
     assert.strictEqual(typeof iterator, 'function');
     assert.strictEqual(typeof callback, 'function');
 
-    users.getAllAdmins(function (error, result) {
+    users.getAdmins(function (error, result) {
+        if (error && error.reason === BoxError.NOT_FOUND) return callback();
         if (error) return callback(error);
 
         // filter out users we want to skip (like the user who did the action or the user the action was performed on)
@@ -134,14 +134,14 @@ function userRemoved(performedBy, eventId, user, callback) {
     }, callback);
 }
 
-function adminChanged(performedBy, eventId, user, callback) {
+function roleChanged(performedBy, eventId, user, callback) {
     assert.strictEqual(typeof performedBy, 'string');
     assert.strictEqual(typeof user, 'object');
     assert.strictEqual(typeof callback, 'function');
 
     actionForAllAdmins([ performedBy, user.id ], function (admin, done) {
-        mailer.adminChanged(admin.email, user, user.admin);
-        add(admin.id, eventId, `User '${user.displayName} ' ${user.admin ? 'is now an admin' : 'is no more an admin'}`, `User '${user.username || user.email || user.fallbackEmail}' ${user.admin ? 'is now an admin' : 'is no more an admin'}.`, done);
+        mailer.roleChanged(admin.email, user);
+        add(admin.id, eventId, `User '${user.displayName}'s role changed`, `User '${user.username || user.email || user.fallbackEmail}' now has the role ${user.role}.`, done);
     }, callback);
 }
 
@@ -167,9 +167,6 @@ function oomEvent(eventId, app, addon, containerId, event, callback) {
         message = 'The container has been restarted automatically. Consider increasing the [memory limit](https://docs.docker.com/v17.09/edge/engine/reference/commandline/update/#update-a-containers-kernel-memory-constraints)';
     }
 
-    if (custom.spec().alerts.email) mailer.oomEvent(custom.spec().alerts.email, program, event);
-    if (!custom.spec().alerts.notifyCloudronAdmins) return callback();
-
     actionForAllAdmins([], function (admin, done) {
         mailer.oomEvent(admin.email, program, event);
 
@@ -182,9 +179,6 @@ function appUp(eventId, app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    if (custom.spec().alerts.email) mailer.appUp(custom.spec().alerts.email, app);
-    if (!custom.spec().alerts.notifyCloudronAdmins) return callback();
-
     actionForAllAdmins([], function (admin, done) {
         mailer.appUp(admin.email, app);
         add(admin.id, eventId, `App ${app.fqdn} is back online`, `The application ${app.manifest.title} installed at ${app.fqdn} is back online.`, done);
@@ -196,9 +190,6 @@ function appDied(eventId, app, callback) {
     assert.strictEqual(typeof app, 'object');
     assert.strictEqual(typeof callback, 'function');
 
-    if (custom.spec().alerts.email) mailer.appDied(custom.spec().alerts.email, app);
-    if (!custom.spec().alerts.notifyCloudronAdmins) return callback();
-
     actionForAllAdmins([], function (admin, callback) {
         mailer.appDied(admin.email, app);
         add(admin.id, eventId, `App ${app.fqdn} is down`, `The application ${app.manifest.title} installed at ${app.fqdn} is not responding.`, callback);
@@ -246,9 +237,6 @@ function boxUpdateError(eventId, errorMessage, callback) {
     assert.strictEqual(typeof errorMessage, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if (custom.spec().alerts.email) mailer.boxUpdateError(custom.spec().alerts.email, errorMessage);
-    if (!custom.spec().alerts.notifyCloudronAdmins) return callback();
-
     actionForAllAdmins([], function (admin, done) {
         mailer.boxUpdateError(admin.email, errorMessage);
         add(admin.id, eventId, 'Cloudron update failed', `Failed to update Cloudron: ${errorMessage}. Update will be retried in 4 hours`, done);
@@ -261,9 +249,6 @@ function certificateRenewalError(eventId, vhost, errorMessage, callback) {
     assert.strictEqual(typeof errorMessage, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if (custom.spec().alerts.email) mailer.certificateRenewalError(custom.spec().alerts.email, vhost, errorMessage);
-    if (!custom.spec().alerts.notifyCloudronAdmins) return callback();
-
     actionForAllAdmins([], function (admin, callback) {
         mailer.certificateRenewalError(admin.email, vhost, errorMessage);
         add(admin.id, eventId, `Certificate renewal of ${vhost} failed`, `Failed to new certs of ${vhost}: ${errorMessage}. Renewal will be retried in 12 hours`, callback);
@@ -276,9 +261,6 @@ function backupFailed(eventId, taskId, errorMessage, callback) {
     assert.strictEqual(typeof errorMessage, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    if (custom.spec().alerts.email) mailer.backupFailed(custom.spec().alerts.email, errorMessage, `${settings.adminOrigin()}/logs.html?taskId=${taskId}`);
-    if (!custom.spec().alerts.notifyCloudronAdmins) return callback();
-
     actionForAllAdmins([], function (admin, callback) {
         mailer.backupFailed(admin.email, errorMessage, `${settings.adminOrigin()}/logs.html?taskId=${taskId}`);
         add(admin.id, eventId, 'Backup failed', `Backup failed: ${errorMessage}. Logs are available [here](/logs.html?taskId=${taskId}). Will be retried in 4 hours`, callback);
@@ -343,8 +325,8 @@ function onEvent(id, action, source, data, callback) {
         return userRemoved(source.userId, id, data.user, callback);
 
     case eventlog.ACTION_USER_UPDATE:
-        if (!data.adminStatusChanged) return callback();
-        return adminChanged(source.userId, id, data.user, callback);
+        if (!data.roleChanged) return callback();
+        return roleChanged(source.userId, id, data.user, callback);
 
     case eventlog.ACTION_APP_OOM:
         return oomEvent(id, data.app, data.addon, data.containerId, data.event, callback);

src/oauth2views/account_setup.ejs

@@ -1,82 +0,0 @@
-<% include header %>
-
-<!-- tester -->
-
-<script>
-
-'use strict';
-
-// very basic angular app
-var app = angular.module('Application', []);
-app.controller('Controller', ['$scope', function ($scope) {
-    $scope.username = '<%= (user && user.username) ? user.username : '' %>';
-    $scope.displayName = '<%= (user && user.displayName) ? user.displayName : '' %>';
-}]);
-
-</script>
-
-<div class="layout-content">
-
-  <center>
-    <br/>
-    <h4>Hello <%= (user && user.email) ? user.email : '' %>, welcome to <%= cloudronName %>!</h4>
-    <h2>Setup your account and password</h2>
-  </center>
-
-  <div class="container" ng-app="Application" ng-controller="Controller">
-    <div class="row">
-      <div class="col-md-6 col-md-offset-3">
-        <form action="/api/v1/session/account/setup" method="post" name="setupForm" autocomplete="off" role="form" novalidate>
-          <input type="password" style="display: none;">
-          <input type="hidden" name="_csrf" value="<%= csrf %>"/>
-          <input type="hidden" name="email" value="<%= email %>"/>
-          <input type="hidden" name="resetToken" value="<%= resetToken %>"/>
-
-          <center><p class="has-error"><%= error %></p></center>
-
-<% if (user && user.username) { %>
-          <div class="form-group"">
-            <label class="control-label">Username</label>
-            <input type="text" class="form-control" ng-model="username" name="username" readonly required>
-          </div>
-<% } else { %>
-          <div class="form-group" ng-class="{ 'has-error': (setupForm.username.$dirty && setupForm.username.$invalid) }">
-            <label class="control-label">Username</label>
-            <div class="control-label" ng-show="setupForm.username.$dirty && setupForm.username.$invalid">
-              <small ng-show="setupForm.username.$error.minlength">The username is too short</small>
-              <small ng-show="setupForm.username.$error.maxlength">The username is too long</small>
-              <small ng-show="setupForm.username.$dirty && setupForm.username.$invalid">Not a valid username</small>
-            </div>
-            <input type="text" class="form-control" ng-model="username" name="username" required autofocus>
-          </div>
-<% } %>
-
-          <div class="form-group">
-            <label class="control-label">Full Name</label>
-            <input type="displayName" class="form-control" ng-model="displayName" name="displayName" required>
-          </div>
-
-          <div class="form-group" ng-class="{ 'has-error': (setupForm.password.$dirty && setupForm.password.$invalid) }">
-            <label class="control-label">New Password</label>
-            <div class="control-label" ng-show="setupForm.password.$dirty && setupForm.password.$invalid">
-              <small ng-show="setupForm.password.$dirty && setupForm.password.$invalid">Password must be atleast 8 characters</small>
-            </div>
-            <input type="password" class="form-control" ng-model="password" name="password" ng-pattern="/^.{8,}$/" required>
-          </div>
-
-          <div class="form-group" ng-class="{ 'has-error': (setupForm.passwordRepeat.$dirty && (password !== passwordRepeat)) }">
-            <label class="control-label">Repeat Password</label>
-            <div class="control-label" ng-show="setupForm.passwordRepeat.$dirty && (password !== passwordRepeat)">
-              <small ng-show="setupForm.passwordRepeat.$dirty && (password !== passwordRepeat)">Passwords don't match</small>
-            </div>
-            <input type="password" class="form-control" ng-model="passwordRepeat" name="passwordRepeat" required>
-          </div>
-
-          <center><input class="btn btn-primary btn-outline" type="submit" value="Setup" ng-disabled="setupForm.$invalid || password !== passwordRepeat"/></center>
-        </form>
-      </div>
-    </div>
-  </div>
-</div>
-
-<% include footer %>

src/oauth2views/callback.ejs

@@ -1,45 +0,0 @@
-<!-- callback tester -->
-
-<script>
-
-'use strict';
-
-var code = null;
-var redirectURI = null;
-var accessToken = null;
-var tokenType = null;
-var state = null;
-
-var args = window.location.search.slice(1).split('&');
-args.forEach(function (arg) {
-    var tmp = arg.split('=');
-    if (tmp[0] === 'redirectURI') {
-        redirectURI = window.decodeURIComponent(tmp[1]);
-    } else if (tmp[0] === 'code') {
-        code = window.decodeURIComponent(tmp[1]);
-    } else if (tmp[0] === 'state') {
-        state = window.decodeURIComponent(tmp[1]);
-    }
-});
-
-args = window.location.hash.slice(1).split('&');
-args.forEach(function (arg) {
-    var tmp = arg.split('=');
-    if (tmp[0] === 'access_token') {
-        accessToken = window.decodeURIComponent(tmp[1]);
-    } else if (tmp[0] === 'token_type') {
-        tokenType = window.decodeURIComponent(tmp[1]);
-    } else if (tmp[0] === 'state') {
-        state = window.decodeURIComponent(tmp[1]);
-    }
-});
-
-if (code && redirectURI) {
-    window.location.href = redirectURI + (redirectURI.indexOf('?') !== -1 ? '&' : '?') + 'code=' + code + (state ? '&state=' + state : '');
-} else if (redirectURI && accessToken) {
-    window.location.href = redirectURI + (redirectURI.indexOf('?') !== -1 ? '&' : '?') + 'token=' + accessToken + (state ? '&state=' + state : '');
-} else {
-    window.location.href = '/api/v1/session/login';
-}
-
-</script>

src/oauth2views/error.ejs

@@ -1,27 +0,0 @@
-<% include header %>
-
-<!-- error tester -->
-
-<div class="layout-content">
-
-  <div class="container" style="margin-top: 50px;">
-    <div class="row">
-      <div class="col-md-2"></div>
-      <div class="col-md-8">
-        <div class="alert alert-danger">
-          <%- message %>
-        </div>
-      </div>
-      <div class="col-md-2"></div>
-    </div>
-    <div class="row">
-      <div class="col-md-2"></div>
-      <div class="col-md-8 text-center">
-        <a href="<%- adminOrigin %>">Back</a>
-      </div>
-      <div class="col-md-2"></div>
-    </div>
-  </div>
-</div>
-
-<% include footer %>

src/oauth2views/footer.ejs

@@ -1,9 +0,0 @@
-
-    <footer class="text-center">
-      <span class="text-muted">&copy; 2016-19 <a href="https://cloudron.io" target="_blank">Cloudron</a></span>
-    </footer>
-
-	</div>
-
-</body>
-</html>

src/oauth2views/header.ejs

@@ -1,41 +0,0 @@
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width, height=device-height" />
-    <meta http-equiv="Content-Security-Policy" content="default-src 'unsafe-inline' 'unsafe-eval' 'self'; img-src 'self'" />
-
-    <title> <%= title %> </title>
-
-    <link href="/api/v1/cloudron/avatar?<%= Math.random() %>" rel="icon" type="image/png">
-
-    <!-- Theme CSS -->
-    <link href="<%= adminOrigin %>/theme.css" rel="stylesheet">
-
-    <!-- Custom Fonts -->
-    <link href="<%= adminOrigin %>/3rdparty/fontawesome/css/all.min.css" rel="stylesheet" rel="stylesheet" type="text/css">
-
-    <!-- jQuery-->
-    <script src="<%= adminOrigin %>/3rdparty/js/jquery.min.js"></script>
-
-    <!-- Bootstrap Core JavaScript -->
-    <script src="<%= adminOrigin %>/3rdparty/js/bootstrap.min.js"></script>
-
-    <!-- Angularjs scripts -->
-    <script src="<%= adminOrigin %>/3rdparty/js/angular.min.js"></script>
-    <script src="<%= adminOrigin %>/3rdparty/js/angular-loader.min.js"></script>
-
-</head>
-
-<body>
-
-  <div class="layout-root">
-
-    <nav class="navbar navbar-default navbar-static-top shadow" role="navigation" style="margin-bottom: 0">
-      <div class="container-fluid">
-        <div class="navbar-header">
-          <a href="/" class="navbar-brand navbar-brand-icon"><img src="/api/v1/cloudron/avatar?<%= Math.random() %>" width="40" height="40"/></a>
-          <a href="/" class="navbar-brand"><%= cloudronName %></a>
-        </div>
-      </div>
-    </nav>

src/oauth2views/login.ejs

@@ -1,58 +0,0 @@
-<% include header %>
-
-<!-- login tester -->
-
-<div class="layout-content">
-  <div class="card" style="padding: 20px; margin-top: 50px; max-width: 620px;">
-    <div class="row">
-      <div class="col-md-12" style="text-align: center;">
-        <img width="128" height="128" src="<%= applicationLogo %>?<%= Math.random() %>"/>
-        <h1><small>Login to</small> <%= applicationName %></h1>
-        <br/>
-      </div>
-    </div>
-    <br/>
-<% if (error) { -%>
-    <div class="row">
-      <div class="col-md-12">
-        <h4 class="has-error"><%= error %></h4>
-      </div>
-    </div>
-<% } -%>
-    <div class="row">
-      <div class="col-md-12">
-        <form id="loginForm" action="" method="post">
-          <input type="hidden" name="_csrf" value="<%= csrf %>"/>
-          <div class="form-group">
-            <label class="control-label" for="inputUsername">Username</label>
-            <input type="text" class="form-control" id="inputUsername" name="username" value="<%= username %>" autofocus required>
-          </div>
-          <div class="form-group">
-            <label class="control-label" for="inputPassword">Password</label>
-            <input type="password" class="form-control" name="password" id="inputPassword" value="<%= password %>" required>
-          </div>
-          <div class="form-group">
-            <label class="control-label" for="inputPassword">2FA Token (if enabled)</label>
-            <input type="text" class="form-control" name="totpToken" id="inputTotpToken" value="">
-          </div>
-          <input class="btn btn-primary btn-outline pull-right" type="submit" value="Sign in"/>
-        </form>
-        <a href="/api/v1/session/password/resetRequest.html">Reset password</a>
-      </div>
-    </div>
-  </div>
-</div>
-
-<script>
-
-(function () {
-    'use strict';
-
-    var search = window.location.search.slice(1).split('&').map(function (item) { return item.split('='); }).reduce(function (o, k) { o[k[0]] = k[1]; return o; }, {});
-
-    document.getElementById('loginForm').action = '/api/v1/session/login?returnTo=' + search.returnTo;
-})();
-
-</script>
-
-<% include footer %>

src/oauth2views/password_reset.ejs

@@ -1,53 +0,0 @@
-<% include header %>
-
-<!-- tester -->
-
-<script>
-
-'use strict';
-
-// very basic angular app
-var app = angular.module('Application', []);
-app.controller('Controller', [function () {}]);
-
-</script>
-
-<div class="layout-content">
-
-  <center>
-    <h2>Hello <%= user.username %>, set a new password</h2>
-  </center>
-
-  <br/>
-
-  <div class="container" ng-app="Application" ng-controller="Controller">
-    <div class="row">
-      <div class="col-md-6 col-md-offset-3">
-        <form action="/api/v1/session/password/reset" method="post" name="resetForm" autocomplete="off" role="form" novalidate>
-          <input type="password" style="display: none;">
-          <input type="hidden" name="_csrf" value="<%= csrf %>"/>
-          <input type="hidden" name="email" value="<%= email %>"/>
-          <input type="hidden" name="resetToken" value="<%= resetToken %>"/>
-
-          <div class="form-group" ng-class="{ 'has-error': resetForm.password.$dirty && resetForm.password.$invalid }">
-            <label class="control-label" for="inputPassword">New Password</label>
-            <div class="control-label" ng-show="resetForm.password.$dirty && resetForm.password.$invalid">
-              <small ng-show="resetForm.password.$dirty && resetForm.password.$invalid">Password must be atleast 8 characters</small>
-            </div>
-            <input type="password" class="form-control" id="inputPassword" ng-model="password" name="password" ng-pattern="/^.{8,30}$/" autofocus required>
-          </div>
-          <div class="form-group" ng-class="{ 'has-error': resetForm.passwordRepeat.$dirty && (password !== passwordRepeat) }">
-            <label class="control-label" for="inputPasswordRepeat">Repeat Password</label>
-            <div class="control-label" ng-show="resetForm.passwordRepeat.$dirty && (password !== passwordRepeat)">
-              <small ng-show="resetForm.passwordRepeat.$dirty && (password !== passwordRepeat)">Passwords don't match</small>
-            </div>
-            <input type="password" class="form-control" id="inputPasswordRepeat" ng-model="passwordRepeat" name="passwordRepeat" required>
-          </div>
-          <input class="btn btn-primary btn-outline pull-right" type="submit" value="Set New Password" ng-disabled="resetForm.$invalid || password !== passwordRepeat"/>
-        </form>
-      </div>
-    </div>
-  </div>
-</div>
-
-<% include footer %>

src/oauth2views/password_reset_request.ejs

@@ -1,30 +0,0 @@
-<% include header %>
-
-<!-- tester -->
-
-<div class="layout-content">
-
-  <center>
-    <h2>Reset password</h2>
-  </center>
-
-  <br/>
-
-  <div class="container">
-    <div class="row">
-      <div class="col-md-6 col-md-offset-3">
-        <form action="/api/v1/session/password/resetRequest" method="post" autocomplete="off">
-          <input type="hidden" name="_csrf" value="<%= csrf %>"/>
-          <div class="form-group">
-            <label class="control-label" for="inputIdentifier">Username</label>
-            <input type="text" class="form-control" id="inputIdentifier" name="identifier" autofocus required>
-          </div>
-          <input class="btn btn-primary btn-outline pull-right" type="submit" value="Reset"/>
-        </form>
-        <a href="/api/v1/session/login">Login</a>
-      </div>
-    </div>
-  </div>
-</div>
-
-<% include footer %>

src/oauth2views/password_reset_sent.ejs

@@ -1,25 +0,0 @@
-<% include header %>
-
-<!-- tester -->
-
-<div class="layout-content">
-
-  <center>
-    <h2>Password reset successful</h2>
-  </center>
-
-  <br/>
-
-  <div class="container">
-    <div class="row">
-        <div class="col-md-6 col-md-offset-3 text-center">
-          <p>An email was sent to you with a link to set a new password.</p>
-          <br/>
-          <br/>
-          If you have not received any email, simply <a href="/api/v1/session/password/resetRequest.html">try again</a>.
-        </div>
-    </div>
-  </div>
-</div>
-
-<% include footer %>

src/paths.js

@@ -22,9 +22,7 @@ exports = module.exports = {
 
     PLATFORM_DATA_DIR: path.join(baseDir(), 'platformdata'),
     APPS_DATA_DIR: path.join(baseDir(), 'appsdata'),
-    BOX_DATA_DIR: path.join(baseDir(), 'boxdata'),
-
-    CUSTOM_FILE: path.join(baseDir(), 'boxdata/custom.yml'),
+    BOX_DATA_DIR: path.join(baseDir(), 'boxdata'),  // box data dir is part of box backup
 
     ACME_CHALLENGES_DIR: path.join(baseDir(), 'platformdata/acme'),
     ADDON_CONFIG_DIR: path.join(baseDir(), 'platformdata/addons'),
@@ -37,11 +35,9 @@ exports = module.exports = {
     UPDATE_DIR: path.join(baseDir(), 'platformdata/update'),
     SNAPSHOT_INFO_FILE: path.join(baseDir(), 'platformdata/backup/snapshot-info.json'),
     DYNDNS_INFO_FILE: path.join(baseDir(), 'platformdata/dyndns-info.json'),
+    FEATURES_INFO_FILE: path.join(baseDir(), 'platformdata/features-info.json'),
     VERSION_FILE: path.join(baseDir(), 'platformdata/VERSION'),
 
-    SESSION_SECRET_FILE: path.join(baseDir(), 'boxdata/session.secret'),
-    SESSION_DIR: path.join(baseDir(), 'platformdata/sessions'),
-
     // this is not part of appdata because an icon may be set before install
     APP_ICONS_DIR: path.join(baseDir(), 'boxdata/appicons'),
     PROFILE_ICONS_DIR: path.join(baseDir(), 'boxdata/profileicons'),
@@ -50,11 +46,14 @@ exports = module.exports = {
     APP_CERTS_DIR: path.join(baseDir(), 'boxdata/certs'),
     CLOUDRON_AVATAR_FILE: path.join(baseDir(), 'boxdata/avatar.png'),
     UPDATE_CHECKER_FILE: path.join(baseDir(), 'boxdata/updatechecker.json'),
+    ADDON_TURN_SECRET_FILE: path.join(baseDir(), 'boxdata/addon-turn-secret'),
 
     LOG_DIR: path.join(baseDir(), 'platformdata/logs'),
     TASKS_LOG_DIR: path.join(baseDir(), 'platformdata/logs/tasks'),
     CRASH_LOG_DIR: path.join(baseDir(), 'platformdata/logs/crash'),
 
+    GHOST_USER_FILE: path.join(baseDir(), 'platformdata/cloudron_ghost.json'),
+
     // this pattern is for the cloudron logs API route to work
     BACKUP_LOG_FILE: path.join(baseDir(), 'platformdata/logs/backup/app.log'),
     UPDATER_LOG_FILE: path.join(baseDir(), 'platformdata/logs/updater/app.log')

src/platform.js

@@ -133,11 +133,10 @@ function pruneInfraImages(callback) {
 function stopContainers(existingInfra, callback) {
     // always stop addons to restart them on any infra change, regardless of minor or major update
     if (existingInfra.version !== infra.version) {
-        // TODO: only nuke containers with isCloudronManaged=true
         debug('stopping all containers for infra upgrade');
         async.series([
-            shell.exec.bind(null, 'stopContainers', 'docker ps -qa --filter \'network=cloudron\' | xargs --no-run-if-empty docker stop'),
-            shell.exec.bind(null, 'stopContainers', 'docker ps -qa --filter \'network=cloudron\' | xargs --no-run-if-empty docker rm -f')
+            shell.exec.bind(null, 'stopContainers', 'docker ps -qa --filter \'label=isCloudronManaged\' | xargs --no-run-if-empty docker stop'),
+            shell.exec.bind(null, 'stopContainers', 'docker ps -qa --filter \'label=isCloudronManaged\' | xargs --no-run-if-empty docker rm -f')
         ], callback);
     } else {
         assert(typeof infra.images, 'object');
@@ -150,8 +149,8 @@ function stopContainers(existingInfra, callback) {
         let filterArg = changedAddons.map(function (c) { return `--filter 'name=${c}'`; }).join(' '); // name=c matches *c*. required for redis-{appid}
         // ignore error if container not found (and fail later) so that this code works across restarts
         async.series([
-            shell.exec.bind(null, 'stopContainers', `docker ps -qa ${filterArg} --filter 'network=cloudron' | xargs --no-run-if-empty docker stop || true`),
-            shell.exec.bind(null, 'stopContainers', `docker ps -qa ${filterArg} --filter 'network=cloudron' | xargs --no-run-if-empty docker rm -f || true`)
+            shell.exec.bind(null, 'stopContainers', `docker ps -qa ${filterArg} --filter 'label=isCloudronManaged' | xargs --no-run-if-empty docker stop || true`),
+            shell.exec.bind(null, 'stopContainers', `docker ps -qa ${filterArg} --filter 'label=isCloudronManaged' | xargs --no-run-if-empty docker rm -f || true`)
         ], callback);
     }
 }
@@ -165,7 +164,19 @@ function startApps(existingInfra, callback) {
         reverseProxy.removeAppConfigs(); // should we change the cert location, nginx will not start
         apps.configureInstalledApps(callback);
     } else {
-        debug('startApps: apps are already uptodate');
-        callback();
+        let changedAddons = [];
+        if (infra.images.mysql.tag !== existingInfra.images.mysql.tag) changedAddons.push('mysql');
+        if (infra.images.postgresql.tag !== existingInfra.images.postgresql.tag) changedAddons.push('postgresql');
+        if (infra.images.mongodb.tag !== existingInfra.images.mongodb.tag) changedAddons.push('mongodb');
+        if (infra.images.redis.tag !== existingInfra.images.redis.tag) changedAddons.push('redis');
+
+        if (changedAddons.length) {
+            // restart apps if docker image changes since the IP changes and any "persistent" connections fail
+            debug(`startApps: changedAddons: ${JSON.stringify(changedAddons)}`);
+            apps.restartAppsUsingAddons(changedAddons, callback);
+        } else {
+            debug('startApps: apps are already uptodate');
+            callback();
+        }
     }
 }

src/provision.js

@@ -15,7 +15,6 @@ var appstore = require('./appstore.js'),
     backups = require('./backups.js'),
     BoxError = require('./boxerror.js'),
     constants = require('./constants.js'),
-    clients = require('./clients.js'),
     cloudron = require('./cloudron.js'),
     debug = require('debug')('box:provision'),
     domains = require('./domains.js'),
@@ -27,9 +26,9 @@ var appstore = require('./appstore.js'),
     semver = require('semver'),
     settings = require('./settings.js'),
     sysinfo = require('./sysinfo.js'),
-    superagent = require('superagent'),
     users = require('./users.js'),
     tld = require('tldjs'),
+    tokens = require('./tokens.js'),
     _ = require('underscore');
 
 const NOOP_CALLBACK = function (error) { if (error) debug(error); };
@@ -122,7 +121,8 @@ function setup(dnsConfig, sysinfoConfig, auditSource, callback) {
                 provider: dnsConfig.provider,
                 config: dnsConfig.config,
                 fallbackCertificate: dnsConfig.fallbackCertificate || null,
-                tlsConfig: dnsConfig.tlsConfig || { provider: 'letsencrypt-prod' }
+                tlsConfig: dnsConfig.tlsConfig || { provider: 'letsencrypt-prod' },
+                dkimSelector: 'cloudron'
             };
 
             domains.add(domain, data, auditSource, function (error) {
@@ -138,7 +138,6 @@ function setup(dnsConfig, sysinfoConfig, auditSource, callback) {
                         settings.setSysinfoConfig.bind(null, sysinfoConfig),
                         domains.prepareDashboardDomain.bind(null, domain, auditSource, (progress) => setProgress('setup', progress.message, NOOP_CALLBACK)),
                         cloudron.setDashboardDomain.bind(null, domain, auditSource),
-                        mail.addDomain.bind(null, domain), // this relies on settings.mailFqdn() and settings.adminDomain()
                         setProgress.bind(null, 'setup', 'Done'),
                         eventlog.add.bind(null, eventlog.ACTION_PROVISION, auditSource, { })
                     ], function (error) {
@@ -151,31 +150,6 @@ function setup(dnsConfig, sysinfoConfig, auditSource, callback) {
     });
 }
 
-function setTimeZone(ip, callback) {
-    assert.strictEqual(typeof ip, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('setTimeZone ip:%s', ip);
-
-    superagent.get('https://geolocation.cloudron.io/json').query({ ip: ip }).timeout(10 * 1000).end(function (error, result) {
-        if ((error && !error.response) || result.statusCode !== 200) {
-            debug('Failed to get geo location: %s', error.message);
-            return callback(null);
-        }
-
-        var timezone = safe.query(result.body, 'location.time_zone');
-
-        if (!timezone || typeof timezone !== 'string') {
-            debug('No timezone in geoip response : %j', result.body);
-            return callback(null);
-        }
-
-        debug('Setting timezone to ', timezone);
-
-        settings.setTimeZone(timezone, callback);
-    });
-}
-
 function activate(username, password, email, displayName, ip, auditSource, callback) {
     assert.strictEqual(typeof username, 'string');
     assert.strictEqual(typeof password, 'string');
@@ -187,13 +161,11 @@ function activate(username, password, email, displayName, ip, auditSource, callb
 
     debug('activating user:%s email:%s', username, email);
 
-    setTimeZone(ip, function () { }); // TODO: get this from user. note that timezone is detected based on the browser location and not the cloudron region
-
     users.createOwner(username, password, email, displayName, auditSource, function (error, userObject) {
         if (error && error.reason === BoxError.ALREADY_EXISTS) return callback(new BoxError(BoxError.CONFLICT, 'Already activated'));
         if (error) return callback(error);
 
-        clients.addTokenByUserId('cid-webadmin', userObject.id, Date.now() + constants.DEFAULT_TOKEN_EXPIRATION, {}, function (error, result) {
+        tokens.add(tokens.ID_WEBADMIN, userObject.id, Date.now() + constants.DEFAULT_TOKEN_EXPIRATION, {}, function (error, result) {
             if (error) return callback(error);
 
             eventlog.add(eventlog.ACTION_ACTIVATE, auditSource, { });
@@ -234,9 +206,16 @@ function restore(backupConfig, backupId, version, sysinfoConfig, auditSource, ca
         if (error) return done(error);
         if (activated) return done(new BoxError(BoxError.CONFLICT, 'Already activated. Restore with a fresh Cloudron installation.'));
 
-        backups.testConfig(backupConfig, function (error) {
+        backups.testProviderConfig(backupConfig, function (error) {
             if (error) return done(error);
 
+            if ('password' in backupConfig) {
+                backupConfig.encryption = backups.generateEncryptionKeysSync(backupConfig.password);
+                delete backupConfig.password;
+            } else {
+                backupConfig.encryption = null;
+            }
+
             sysinfo.testConfig(sysinfoConfig, function (error) {
                 if (error) return done(error);
 
@@ -249,7 +228,7 @@ function restore(backupConfig, backupId, version, sysinfoConfig, auditSource, ca
                     backups.restore.bind(null, backupConfig, backupId, (progress) => setProgress('restore', progress.message, NOOP_CALLBACK)),
                     settings.setSysinfoConfig.bind(null, sysinfoConfig),
                     cloudron.setupDashboard.bind(null, auditSource, (progress) => setProgress('restore', progress.message, NOOP_CALLBACK)),
-                    settings.setBackupConfig.bind(null, backupConfig), // update with the latest backupConfig
+                    settings.setBackupCredentials.bind(null, backupConfig), // update just the credentials and not the policy and flags
                     eventlog.add.bind(null, eventlog.ACTION_RESTORE, auditSource, { backupId }),
                 ], function (error) {
                     gProvisionStatus.restore.active = false;
@@ -268,14 +247,16 @@ function getStatus(callback) {
     users.isActivated(function (error, activated) {
         if (error) return callback(error);
 
-        settings.getCloudronName(function (error, cloudronName) {
+        settings.getAll(function (error, allSettings) {
             if (error) return callback(error);
 
             callback(null, _.extend({
                 version: constants.VERSION,
                 apiServerOrigin: settings.apiServerOrigin(), // used by CaaS tool
+                webServerOrigin: settings.webServerOrigin(), // used by CaaS tool
                 provider: settings.provider(),
-                cloudronName: cloudronName,
+                cloudronName: allSettings[settings.CLOUDRON_NAME_KEY],
+                footer: allSettings[settings.FOOTER_KEY] || constants.FOOTER,
                 adminFqdn: settings.adminDomain() ? settings.adminFqdn() : null,
                 activated: activated,
             }, gProvisionStatus));