From 952e0270cd798b2ca8cd91c50576ba80fc59b734 Mon Sep 17 00:00:00 2001 From: boyska Date: Tue, 11 Sep 2018 00:00:39 +0200 Subject: [PATCH 1/9] [BR] patches to fix facebook guid --- rss-bridge | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rss-bridge b/rss-bridge index c1494ad..3821ca9 160000 --- a/rss-bridge +++ b/rss-bridge @@ -1 +1 @@ -Subproject commit c1494adace180fae50d1476fcdec3648423f8ea2 +Subproject commit 3821ca9737eeafe6ef69ab57d980c233e6b2a00c From c75aede91be92f8182320e93417fb03617940620 Mon Sep 17 00:00:00 2001 From: boyska Date: Tue, 25 Sep 2018 16:35:42 +0200 Subject: [PATCH 2/9] postgresql with multiple users --- docker-compose.yml | 10 +++++----- docker/dbconf.sql | 3 +++ docker/ttrss-config.php | 4 ++-- docker/wait-db | 4 +++- dodo.py | 10 +++++++--- 5 files changed, 20 insertions(+), 11 deletions(-) create mode 100644 docker/dbconf.sql diff --git a/docker-compose.yml b/docker-compose.yml index 416c9bf..b4754e6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -2,14 +2,14 @@ version: "3.6" services: db: - image: postgres:10 + image: postgres:10-alpine container_name: feedati_db volumes: - postgres_data:/var/lib/postgresql/data environment: - - POSTGRES_USER=ttrss - - POSTGRES_PASSWORD=password-dev - - POSTGRES_DB=ttrss + - POSTGRES_USER=superadmin + - POSTGRES_PASSWORD=superpass + - POSTGRES_DB=feeds ports: - 5432:5432 @@ -37,7 +37,7 @@ services: environment: - PHP_DISPLAY_ERRORS=stdout - PHP_DISPLAY_STARTUP_ERROR=1 - entrypoint: 'wait-db php7 /app/public/tt-rss/update.php --daemon' + entrypoint: 'env PGHOST=db PGDATABASE=feeds PGUSER=ttrss PGPASSWORD=ttpass wait-db php7 /app/public/tt-rss/update.php --daemon' ports: [] depends_on: - db diff --git a/docker/dbconf.sql b/docker/dbconf.sql new file mode 100644 index 0000000..ac880ba --- /dev/null +++ b/docker/dbconf.sql @@ -0,0 +1,3 @@ +CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; +CREATE USER ttrss WITH PASSWORD 'ttpass'; +CREATE USER panel WITH PASSWORD 'panelpass'; 
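Review bot: The `environment:` block of the `db` service now sets a PostgreSQL superuser with a literal password (`POSTGRES_USER=superadmin`, `POSTGRES_PASSWORD=superpass`) while the unchanged `ports:` entry still publishes `5432:5432` on every host interface, so anyone who can reach the host gets superuser access with a password that is in the repository. The same kind of literal recurs in the `entrypoint` hunk below, in `docker/dbconf.sql`, in `docker/ttrss-config.php` and in the `psql` commands in `dodo.py`. If the stack is meant for development only, bind the port to loopback with `- 127.0.0.1:5432:5432` (dodo.py waits on `localhost`, so that still works). Taking the values from Compose variable substitution, e.g. `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}`, would make one untracked `.env` file the single source.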
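Review bot: The connection settings are prepended to `entrypoint` as `env PGHOST=db PGDATABASE=feeds PGUSER=ttrss PGPASSWORD=ttpass`, although this service already has an `environment:` list directly above. Adding `- PGHOST=db`, `- PGDATABASE=feeds`, `- PGUSER=ttrss` and `- PGPASSWORD=ttpass` to that list and keeping `entrypoint: 'wait-db php7 /app/public/tt-rss/update.php --daemon'` keeps the command readable. It also puts the credentials where an env file or variable substitution can replace them later. The service definition starts above the hunk, so its name is not visible here.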
diff --git a/docker/ttrss-config.php b/docker/ttrss-config.php index 2cf3e36..ec230b6 100644 --- a/docker/ttrss-config.php +++ b/docker/ttrss-config.php @@ -6,8 +6,8 @@ define('DB_TYPE', 'pgsql'); define('DB_HOST', 'db'); define('DB_USER', 'ttrss'); - define('DB_NAME', 'ttrss'); - define('DB_PASS', 'password-dev'); + define('DB_NAME', 'feeds'); + define('DB_PASS', 'ttpass'); define('DB_PORT', '5432'); define('MYSQL_CHARSET', 'UTF8'); diff --git a/docker/wait-db b/docker/wait-db index 3fa5627..94cd98a 100755 --- a/docker/wait-db +++ b/docker/wait-db @@ -1,7 +1,9 @@ #!/bin/bash +### psql configuration parameters must be received as environ vars +### (PGHOST, PGDATABASE, PGUSER, PGPASSWORD) timeout=60 for _ in $(seq 1 "$timeout"); do - if env PGPASSWORD=password-dev psql -h db -U ttrss -w ttrss -c "" -q 2> /dev/null; then + if psql -w -c "" -q 2> /dev/null; then echo "DB ready" exec "$@" fi diff --git a/dodo.py b/dodo.py index 83d0c21..1a99626 100644 --- a/dodo.py +++ b/dodo.py @@ -69,14 +69,18 @@ def task_dbprepare(): '''applica il dump sql al container del db''' return { 'setup': ['_dbprepare_clean', 'build'], - 'file_dep': ['docker/ttrss.sql'], + 'file_dep': list(scan_dir('docker', '*.sql')), 'actions': [ (COMPOSE + ' up -d db').split(), (wait_net_service, ('localhost', 5432, 300)), - (wait_pgsql_db, ('feedati_db', 'ttrss', 'ttrss')), + (wait_pgsql_db, ('feedati_db', 'feeds', 'superadmin')), 'echo LOADING DB', + # dbconf.sql would be better put in /docker-entrypoint-initdb.d/init-user-db.sh + # (see https://hub.docker.com/r/library/postgres/ ) r'docker exec -i $(docker ps -aqf name=feedati_db) ' - 'psql -h 127.0.0.1 -f - -d ttrss ttrss < docker/ttrss.sql', + 'env PGPASSWORD=superpass psql -h 127.0.0.1 -f - -d feeds superadmin < docker/dbconf.sql', + r'docker exec -i $(docker ps -aqf name=feedati_db) ' + 'env PGPASSWORD=ttpass psql -h 127.0.0.1 -f - -d feeds ttrss < docker/ttrss.sql', 'echo DB RESTORED', ], 'teardown': [(stop, [])], 
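Review bot: `psql -w -c "" -q 2> /dev/null` now depends entirely on PGHOST, PGDATABASE, PGUSER and PGPASSWORD being exported by the caller, and with stderr discarded a missing or misspelled variable looks exactly like a database that never came up. A guard before the loop, `: "${PGHOST:?}" "${PGDATABASE:?}" "${PGUSER:?}" "${PGPASSWORD:?}"`, makes the script exit at once and name the missing variable. The rest of the loop and what happens after the timeout lie outside the hunk.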
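Review bot: Both new `psql ... -f -` actions run without `-v ON_ERROR_STOP=1`, so psql carries on after a failed statement and exits 0; a broken `dbconf.sql` or `ttrss.sql` still ends with `echo DB RESTORED`. Adding the flag, e.g. `env PGPASSWORD=superpass psql -v ON_ERROR_STOP=1 -h 127.0.0.1 -f - -d feeds superadmin`, lets the task fail where the SQL fails. `$(docker ps -aqf name=feedati_db)` matches by substring and includes stopped containers, so it can expand to more than one id; since the compose file sets `container_name: feedati_db`, `docker exec -i feedati_db` would be simpler. task_dbprepare starts above the hunk and its dict continues past it.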
From 3d257e75817e305085cace839c3416383db3a66b Mon Sep 17 00:00:00 2001 From: boyska Date: Sat, 29 Sep 2018 23:57:11 +0200 Subject: [PATCH 3/9] add panel submodule --- .gitmodules | 3 +++ docker/dbconf.sql | 1 + panel | 1 + 3 files changed, 5 insertions(+) create mode 160000 panel diff --git a/.gitmodules b/.gitmodules index ddbae3c..912edf8 100644 --- a/.gitmodules +++ b/.gitmodules @@ -5,3 +5,6 @@ [submodule "rss-bridge"] path = rss-bridge url = https://git.lattuga.net/blallo/rss-bridge.git +[submodule "panel"] + path = panel + url = https://git.lattuga.net/blallo/feedpanel diff --git a/docker/dbconf.sql b/docker/dbconf.sql index ac880ba..cdd474b 100644 --- a/docker/dbconf.sql +++ b/docker/dbconf.sql @@ -1,3 +1,4 @@ CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; CREATE USER ttrss WITH PASSWORD 'ttpass'; CREATE USER panel WITH PASSWORD 'panelpass'; +GRANT CREATE ON DATABASE feeds TO 'panel'; diff --git a/panel b/panel new file mode 160000 index 0000000..4bc6c09 --- /dev/null +++ b/panel @@ -0,0 +1 @@ +Subproject commit 4bc6c099773b60540d7f9ea9f660269b88e2565b From 5cab65d85f25e964329e342ea7e2897bb9659913 Mon Sep 17 00:00:00 2001 From: boyska Date: Sat, 29 Sep 2018 23:57:36 +0200 Subject: [PATCH 4/9] (bad) test for panelcli integration --- docker-compose.yml | 7 +++++++ docker/dbconf-perms.sql | 6 ++++++ docker/dbconf.sql | 4 +++- dodo.py | 3 +++ 4 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 docker/dbconf-perms.sql diff --git a/docker-compose.yml b/docker-compose.yml index b4754e6..2837f65 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -72,5 +72,12 @@ services: image: jumanjiman/rsyslog:latest container_name: feedati_syslog + panel: + image: feedati/feedspanel:latest + build: + context: + ./panel/ + container_name: feedati_panel + volumes: postgres_data: diff --git a/docker/dbconf-perms.sql b/docker/dbconf-perms.sql new file mode 100644 index 0000000..5cee225 --- /dev/null +++ b/docker/dbconf-perms.sql 
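Review bot: `GRANT CREATE ON DATABASE feeds TO 'panel';` quotes the role as a string literal; PostgreSQL expects an identifier after `TO`, so the statement is rejected and the grant is never applied. Write `TO panel` (or `TO "panel"`). PATCH 4/9 corrects this line, but the same form comes back in `dodo.py` as `TO \'apache\'` in PATCH 4/9 and 6/9. Because the loader in `dodo.py` runs psql without `ON_ERROR_STOP`, the failure would not stop `dbprepare`, which is probably why it went unnoticed.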
@@ -0,0 +1,6 @@ +-- these commands must be given AFTER `panelcli setup` has been run +-- and ttrss has created its tables +-- having a 'ALTER DEFAULT PRIVILEGES IN SCHEMA public' might be a little cleaner than this +GRANT USAGE ON SCHEMA users TO apache; +GRANT SELECT ON TABLE users.users TO apache; +GRANT SELECT ON ALL TABLES IN SCHEMA public TO panel; diff --git a/docker/dbconf.sql b/docker/dbconf.sql index cdd474b..4ad2d8f 100644 --- a/docker/dbconf.sql +++ b/docker/dbconf.sql @@ -1,4 +1,6 @@ CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; CREATE USER ttrss WITH PASSWORD 'ttpass'; CREATE USER panel WITH PASSWORD 'panelpass'; -GRANT CREATE ON DATABASE feeds TO 'panel'; +GRANT CREATE ON DATABASE feeds TO panel; +GRANT CREATE ON DATABASE feeds TO ttrss; +CREATE USER apache WITH PASSWORD 'apachepass'; diff --git a/dodo.py b/dodo.py index 1a99626..2136340 100644 --- a/dodo.py +++ b/dodo.py @@ -81,6 +81,9 @@ def task_dbprepare(): 'env PGPASSWORD=superpass psql -h 127.0.0.1 -f - -d feeds superadmin < docker/dbconf.sql', r'docker exec -i $(docker ps -aqf name=feedati_db) ' 'env PGPASSWORD=ttpass psql -h 127.0.0.1 -f - -d feeds ttrss < docker/ttrss.sql', + 'docker run feedati/feedspanel -db-pass panelpass -db-addr db:5432 batch', + r'env PGPASSWORD=ttpass psql -h 127.0.0.1 -f - -d feeds ttrss <<< ' + '"GRANT SELECT ON TABLE users.users TO \'apache\'"', 'echo DB RESTORED', ], 'teardown': [(stop, [])], From b23df82c75c9289d55731683ef089cdb7c5af783 Mon Sep 17 00:00:00 2001 From: boyska Date: Sun, 30 Sep 2018 00:40:06 +0200 Subject: [PATCH 5/9] apache authenticates on DB --- docker-compose.yml | 7 +++++-- docker/Dockerfile-frontend | 5 +++++ docker/frontend-apache.conf | 17 +++++++++-------- docker/frontend-apache/passwords.txt | 1 - 4 files changed, 19 insertions(+), 11 deletions(-) create mode 100644 docker/Dockerfile-frontend delete mode 100644 docker/frontend-apache/passwords.txt diff --git a/docker-compose.yml b/docker-compose.yml index 2837f65..6b940b7 100644 
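Review bot: `GRANT SELECT ON ALL TABLES IN SCHEMA public TO panel;` gives the panel role read access to every table in `public`, which is presumably where `ttrss.sql` creates the tt-rss tables, account and session data included. If the panel needs only a few of them, grant those by name, `GRANT SELECT ON TABLE public.TABLE_NAME TO panel;` (TABLE_NAME is a placeholder; the page does not show which tables the panel reads). The grant also covers only tables that exist when the script runs, which the header comment already hints at with `ALTER DEFAULT PRIVILEGES`.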
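Review bot: `GRANT CREATE ON DATABASE feeds TO ttrss;` lets the tt-rss role create new schemas in `feeds`, which looks like more than loading tables into `public` needs. Unless tt-rss really creates a schema of its own, drop this line and keep the database-level `CREATE` for `panel` only, which appears to need it for its `users` schema. A one-line comment above each `GRANT` saying why the role needs it would make later tightening easier.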
--- a/docker-compose.yml +++ b/docker-compose.yml @@ -56,11 +56,14 @@ services: - APACHE_SERVER_NAME=rss-bridge feedati-fe: - image: httpd:2.4-alpine + image: feedati/frontend + build: + context: . + dockerfile: ./docker/Dockerfile-frontend container_name: feedati_webserver volumes: - ./docker/frontend-apache.conf:/usr/local/apache2/conf/httpd.conf:ro - - ./docker/frontend-apache/:/etc/apache2/:ro + # - ./docker/frontend-apache/:/etc/apache2/:ro - ./docker/frontend-login/:/var/www/login/:ro ports: - 80:80 diff --git a/docker/Dockerfile-frontend b/docker/Dockerfile-frontend new file mode 100644 index 0000000..11963c1 --- /dev/null +++ b/docker/Dockerfile-frontend @@ -0,0 +1,5 @@ +FROM httpd:2.4-alpine + +RUN apk --no-cache add apr-util-dbd_pgsql + +# vim: set ft=dockerfile: diff --git a/docker/frontend-apache.conf b/docker/frontend-apache.conf index 511c8ca..077364d 100644 --- a/docker/frontend-apache.conf +++ b/docker/frontend-apache.conf @@ -16,8 +16,8 @@ LoadModule headers_module modules/mod_headers.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule unixd_module modules/mod_unixd.so -LoadModule status_module modules/mod_status.so -LoadModule autoindex_module modules/mod_autoindex.so +#LoadModule status_module modules/mod_status.so +#LoadModule autoindex_module modules/mod_autoindex.so LoadModule dir_module modules/mod_dir.so LoadModule alias_module modules/mod_alias.so @@ -27,8 +27,8 @@ LoadModule session_cookie_module modules/mod_session_cookie.so LoadModule request_module modules/mod_request.so LoadModule authz_user_module modules/mod_authz_user.so LoadModule auth_form_module modules/mod_auth_form.so -LoadModule authn_file_module modules/mod_authn_file.so -# LoadModule authn_dbm_module modules/mod_authn_dbm.so +LoadModule authn_dbd_module modules/mod_authn_dbd.so +LoadModule dbd_module modules/mod_dbd.so LoadModule macro_module modules/mod_macro.so LoadModule rewrite_module modules/mod_rewrite.so 
@@ -50,13 +50,14 @@ ServerAdmin you@example.com ServerName feedati-fe:80 +DBDriver pgsql +DBDParams "host=db dbname=feeds user=apache password=apachepass" + AuthFormLoginRequiredLocation "/login/" - AuthFormLoginRequiredLocation "/login/" - AuthFormProvider file # authn - AuthFormProvider file - AuthUserFile /etc/apache2/passwords.txt + AuthFormProvider dbd + AuthDBDUserPWQuery "SELECT password FROM users.users WHERE username = %s" # form AuthType form AuthName "authenticationform" diff --git a/docker/frontend-apache/passwords.txt b/docker/frontend-apache/passwords.txt deleted file mode 100644 index 1a1c6ad..0000000 --- a/docker/frontend-apache/passwords.txt +++ /dev/null @@ -1 +0,0 @@ -admin:$2y$05$tPaBuT/mWQCvfk1C12PmV.0Dz8kt0cY1jcD53OGCN26Y8dX2kRPs. From ecfa79d654a80fd53586e80ccbacec1498c7a7e0 Mon Sep 17 00:00:00 2001 From: boyska Date: Sun, 30 Sep 2018 11:39:49 +0200 Subject: [PATCH 6/9] dbprepare: create panel tabels + refactor --- dodo.py | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/dodo.py b/dodo.py index 2136340..99aad1f 100644 --- a/dodo.py +++ b/dodo.py @@ -18,6 +18,7 @@ def task_build(): 'uptodate': [up2date_anyimages], 'file_dep': ['docker-compose.yml', 'rss-bridge/Dockerfile', + 'panel/Dockerfile', ] + list(scan_dir('docker')), 'actions': [COMPOSE + ' build'], 'clean': [run_task_func(task__build_rm), 
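Review bot: `AuthDBDUserPWQuery "SELECT password FROM users.users WHERE username = %s"` hands whatever is in the `password` column to Apache's password check, which accepts only the hash formats htpasswd produces (bcrypt, apr1-MD5, crypt, SHA1). The page does not show what the panel writes into that column, so confirm it stores one of those formats and never plaintext, and say so in a comment above the query, e.g. `# password column must hold an htpasswd-compatible hash`. The `%s` is bound as a prepared-statement parameter by mod_dbd, so the username is not spliced into the SQL. `DBDParams` puts the `apache` role's password into the tracked `httpd.conf`; moving that line into a separate file pulled in with `Include` keeps the secret out of the main config. The auth block these directives belong to continues past the hunk.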
@@ -66,24 +67,24 @@ def stop(): def task_dbprepare(): - '''applica il dump sql al container del db''' + '''applica il dump sql al container del db''' + panelcli = 'docker-compose -p feedati exec -T panel ./panelcli -db-pass panelpass -db-addr db:5432 ' + psql = r'docker exec -i $(docker ps -aqf name=feedati_db) env PGPASSWORD=superpass psql -h 127.0.0.1 -f - -d feeds superadmin ' return { 'setup': ['_dbprepare_clean', 'build'], 'file_dep': list(scan_dir('docker', '*.sql')), 'actions': [ - (COMPOSE + ' up -d db').split(), + (COMPOSE + ' up -d db panel').split(), (wait_net_service, ('localhost', 5432, 300)), (wait_pgsql_db, ('feedati_db', 'feeds', 'superadmin')), 'echo LOADING DB', # dbconf.sql would be better put in /docker-entrypoint-initdb.d/init-user-db.sh # (see https://hub.docker.com/r/library/postgres/ ) - r'docker exec -i $(docker ps -aqf name=feedati_db) ' - 'env PGPASSWORD=superpass psql -h 127.0.0.1 -f - -d feeds superadmin < docker/dbconf.sql', - r'docker exec -i $(docker ps -aqf name=feedati_db) ' - 'env PGPASSWORD=ttpass psql -h 127.0.0.1 -f - -d feeds ttrss < docker/ttrss.sql', - 'docker run feedati/feedspanel -db-pass panelpass -db-addr db:5432 batch', - r'env PGPASSWORD=ttpass psql -h 127.0.0.1 -f - -d feeds ttrss <<< ' - '"GRANT SELECT ON TABLE users.users TO \'apache\'"', + psql + ' < docker/dbconf.sql', + psql + ' < docker/ttrss.sql', + panelcli + 'setup', + panelcli + 'adduser -password password admin ad@m.in', + psql + ' <<< "GRANT SELECT ON TABLE users.users TO \'apache\'"', 'echo DB RESTORED', ], 'teardown': [(stop, [])], From d8d15795b178c489044b90c73457b1a75999d245 Mon Sep 17 00:00:00 2001 From: boyska Date: Sun, 30 Sep 2018 11:43:39 +0200 Subject: [PATCH 7/9] panel HTTP server --- panel | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/panel b/panel index 4bc6c09..d7fcf9f 160000 --- a/panel +++ b/panel 
@@ -1 +1 @@ -Subproject commit 4bc6c099773b60540d7f9ea9f660269b88e2565b +Subproject commit d7fcf9f249f9f4ecdb078e6b1fadb880fcfc66ab From 15444cab1a07b5451d997fc9a2e113fb86ca1653 Mon Sep 17 00:00:00 2001 From: boyska Date: Sun, 30 Sep 2018 11:46:55 +0200 Subject: [PATCH 8/9] fix DB permissions to apache user --- dodo.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dodo.py b/dodo.py index 99aad1f..790c652 100644 --- a/dodo.py +++ b/dodo.py @@ -84,7 +84,7 @@ def task_dbprepare(): psql + ' < docker/ttrss.sql', panelcli + 'setup', panelcli + 'adduser -password password admin ad@m.in', - psql + ' <<< "GRANT SELECT ON TABLE users.users TO \'apache\'"', + psql + ' < docker/dbconf-perms.sql', 'echo DB RESTORED', ], 'teardown': [(stop, [])], From f724dddb02eae72e64389c716c4fdaa3fe040c48 Mon Sep 17 00:00:00 2001 From: boyska Date: Sun, 30 Sep 2018 23:18:55 +0200 Subject: [PATCH 9/9] frontend goes to /panel/, which "understand" users --- docker/frontend-apache.conf | 12 +++++++++++- panel | 2 +- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/docker/frontend-apache.conf b/docker/frontend-apache.conf index 077364d..60e7c2b 100644 --- a/docker/frontend-apache.conf +++ b/docker/frontend-apache.conf @@ -70,7 +70,7 @@ DBDParams "host=db dbname=feeds user=apache password=apachepass" SetHandler form-login-handler Use Auth -AuthFormLoginSuccessLocation "/tt-rss/" +AuthFormLoginSuccessLocation "/panel/" @@ -210,4 +210,14 @@ ProxyPassReverse http://rss-bridge/ Require all granted + +ProxyPass http://panel:8000/panel/ +ProxyPassReverse http://panel:8000/panel/ +Use Auth +Require valid-user +RewriteEngine on +RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER},NS] +RequestHeader set X-Forwarded-User %{RU}e + + # vim: set ft=apache bkc=yes: diff --git a/panel b/panel index d7fcf9f..5abac50 160000 --- a/panel +++ b/panel @@ -1 +1 @@ -Subproject commit d7fcf9f249f9f4ecdb078e6b1fadb880fcfc66ab +Subproject commit 5abac50fca9b5ce0bfc7dddbed88d48f184900cc
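Review bot: `RequestHeader set X-Forwarded-User %{RU}e` makes that header the panel's only proof of identity, so the block is safe only as long as nothing reaches `panel:8000` except through this proxy; a request that arrives at the backend directly could carry any user name. `set` does overwrite a value sent by the browser, which is right. What is missing is a comment stating the assumption, e.g. `# panel trusts X-Forwarded-User: never publish panel:8000, keep it on the internal network only`. On httpd 2.4.10 or later the rewrite lookahead can likely be dropped in favour of `RequestHeader set X-Forwarded-User expr=%{REMOTE_USER}`. The enclosing section tags are not visible in the hunk.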