From c5d3e77c179667b025232c2e16a20734efa52da6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Wed, 14 Dec 2022 15:46:09 +0100
Subject: [PATCH] Fix letsencrypt permission error and optimize the ownership commands in scheduler

---
 .../core/letsencrypt/jobs/certbot-deploy.py | 16 +++++----
 src/scheduler/Dockerfile | 4 +++
 src/scheduler/main.py | 33 +++++--------------
 3 files changed, 21 insertions(+), 32 deletions(-)

diff --git a/src/common/core/letsencrypt/jobs/certbot-deploy.py b/src/common/core/letsencrypt/jobs/certbot-deploy.py
index e119f3c22..2bcf8fcb4 100755
--- a/src/common/core/letsencrypt/jobs/certbot-deploy.py
+++ b/src/common/core/letsencrypt/jobs/certbot-deploy.py
@@ -1,8 +1,9 @@
 #!/usr/bin/python3
 from io import BytesIO
-from os import chmod, chown, getenv, walk
+from os import chmod, getenv, walk
 from os.path import exists, join
+from shutil import chown
 from subprocess import run, DEVNULL, STDOUT
 from sys import exit as sys_exit, path as sys_path
 from tarfile import open as tar_open
@@ -44,6 +45,13 @@ try:
 if bw_integration in ("Docker", "Swarm", "Kubernetes", "Autoconf"):
 # Create tarball of /data/cache/letsencrypt
 tgz = BytesIO()
+
+ # Fix permissions for the certificates
+ for root, dirs, files in walk("/data/cache/letsencrypt", topdown=False):
+ for name in files + dirs:
+ chown(join(root, name), "root", 101)
+ chmod(join(root, name), 0o770)
+
 with tar_open(mode="w:gz", fileobj=tgz) as tf:
 tf.add("/data/cache/letsencrypt", arcname=".")
 tgz.seek(0, 0)
@@ -54,12 +62,6 @@ try:
 host = instance["server_name"]
 api = API(endpoint, host=host)
- # Fix permissions for the certificates
- for root, dirs, files in walk("/lets-encrypt/certificates", topdown=False):
- for name in files + dirs:
- chown(join(root, name), 101, 101)
- chmod(join(root, name), 0o770)
-
 sent, err, status, resp = api.request(
 "POST", "/lets-encrypt/certificates", files=files
 )
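Review bot: In the hunk at @@ -44,6 +45,13 @@, `chmod(join(root, name), 0o770)` is applied to regular files as well as directories, so every file under /data/cache/letsencrypt (presumably including the private keys certbot keeps there) becomes group-writable and executable for gid 101, whereas the 0o750-for-directories / 0o740-for-files split this commit deletes from main.py granted the group read access only; the same flattening to 0o770 recurs in the main.py hunks at @@ -111,12 +104,8 @@ and @@ -354,17 +343,11 @@. The loop already knows which entries are directories, so keeping least privilege costs one line: `chmod(join(root, name), 0o750 if name in dirs else 0o640)` (0o660 if the receiving side must write the files, which is not visible here). Separately, `walk` yields the top-level path only as `root`, never as an entry, so /data/cache/letsencrypt itself keeps its previous owner and mode; if the tarball's `.` entry is meant to carry the fixed ownership, add `chown("/data/cache/letsencrypt", "root", 101)` after the loop. The enclosing `try:` starts before this hunk and ends after it.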
diff --git a/src/scheduler/Dockerfile b/src/scheduler/Dockerfile
index 0e6e9df03..81b62b67d 100644
--- a/src/scheduler/Dockerfile
+++ b/src/scheduler/Dockerfile
@@ -57,6 +57,10 @@ RUN apk add --no-cache bash libgcc libstdc++ openssl && \
 mkdir /etc/nginx && \
 chown -R scheduler:scheduler /etc/nginx && \
 chmod -R 770 /etc/nginx && \
+ mkdir /var/log/letsencrypt /var/lib/letsencrypt && \
+ chown root:scheduler /var/log/letsencrypt /var/lib/letsencrypt && \
+ chmod 770 /var/log/letsencrypt /var/lib/letsencrypt && \
+ ln -s /proc/1/fd/1 /var/log/letsencrypt/letsencrypt.log && \
 chmod 660 /usr/share/bunkerweb/INTEGRATION
 # Fix CVEs
diff --git a/src/scheduler/main.py b/src/scheduler/main.py
index 105143af0..ed968fba5 100644
--- a/src/scheduler/main.py
+++ b/src/scheduler/main.py
@@ -6,7 +6,6 @@ from glob import glob
 from os import (
 _exit,
 chmod,
- chown,
 getenv,
 getpid,
 listdir,
@@ -17,7 +16,7 @@ from os import (
 walk,
 )
 from os.path import dirname, exists, isdir, isfile, islink, join
-from shutil import copy, rmtree
+from shutil import chown, copy, rmtree
 from signal import SIGINT, SIGTERM, signal, SIGHUP
 from subprocess import run as subprocess_run, DEVNULL, STDOUT
 from sys import path as sys_path
@@ -55,12 +54,6 @@ signal(SIGINT, handle_stop)
 signal(SIGTERM, handle_stop)
-def imerge(a, b):
- for i, j in zip(a, b):
- yield i
- yield j
-
-
 # Function to catch SIGHUP and reload the scheduler
 def handle_reload(signum, frame):
 global reloading, run, scheduler
@@ -111,12 +104,8 @@ def generate_custom_configs(
 # Fix permissions for the custom configs folder
 for root, dirs, files in walk("/data/configs", topdown=False):
 for name in files + dirs:
- chown(join(root, name), 101, 101)
-
- if isdir(join(root, name)):
- chmod(join(root, name), 0o750)
- if isfile(join(root, name)):
- chmod(join(root, name), 0o740)
+ chown(join(root, name), "root", 101)
+ chmod(join(root, name), 0o770)
 if integration != "Linux":
 logger.info("Sending custom configs to BunkerWeb")
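Review bot: `ln -s /proc/1/fd/1 /var/log/letsencrypt/letsencrypt.log` only works when the process that later opens the log is allowed to dereference PID 1's descriptor — /proc/<pid>/fd entries are guarded by a ptrace access-mode check, so a certbot run as the non-root `scheduler` user this RUN step provisions for will get EACCES unless it is itself PID 1 or runs as root; which user runs it is not visible in this patch. A second assumption worth confirming is that certbot never rotates this file: a rename-based rotation would move the symlink aside and leave later runs writing a plain file in /var/log/letsencrypt, silently undoing the redirect. Both assumptions deserve a comment on the `ln -s` line, e.g. `# route certbot's log file to the container stdout (writer must be PID 1 or root; assumes no log rotation)`. The RUN instruction this hunk belongs to starts before the hunk.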
@@ -340,7 +329,7 @@ if __name__ == "__main__":
 # Fix permissions for the nginx folder
 for root, dirs, files in walk("/etc/nginx", topdown=False):
 for name in files + dirs:
- chown(join(root, name), 101, 101)
+ chown(join(root, name), "root", 101)
 chmod(join(root, name), 0o770)
 copy("/etc/nginx/variables.env", "/var/tmp/bunkerweb/variables.env")
@@ -354,17 +343,11 @@ if __name__ == "__main__":
 "Sending nginx configs failed, configuration will not work as expected...",
 )
- # Fix permissions for the cache and the custom configs folders
- for root, dirs, files in imerge(
- walk("/data/cache", topdown=False), walk("/data/configs", topdown=False)
- ):
+ # Fix permissions for the cache folders
+ for root, dirs, files in walk("/data/cache", topdown=False):
 for name in files + dirs:
- chown(join(root, name), 101, 101)
-
- if isdir(join(root, name)):
- chmod(join(root, name), 0o750)
- if isfile(join(root, name)):
- chmod(join(root, name), 0o740)
+ chown(join(root, name), "root", 101)
+ chmod(join(root, name), 0o770)
 try:
 if len(api_caller._get_apis()) > 0:
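Review bot: `chown(join(root, name), "root", 101)` in both hunks assigns root ownership to every entry under /etc/nginx and /data/cache, but the Dockerfile in this same patch hands /etc/nginx to `scheduler:scheduler`, and an unprivileged process may only chown a file it already owns to its own uid (changing the owner needs CAP_CHOWN); if the scheduler runs as that non-root user — its USER line is not visible here — the first call raises PermissionError, which nothing in the loop catches, so the remaining entries and everything after the loop in that block are skipped. If root ownership is really required, the fix belongs in the image (grant the container CAP_CHOWN rather than running as root); otherwise pass the uid the scheduler actually runs as, or wrap the two calls in a `try:` and log per entry with `except PermissionError as e: logger.warning("Cannot fix permissions for %s: %s", join(root, name), e)` so one bad entry does not abort the whole block. The `if __name__ == "__main__":` block enclosing both hunks starts before and ends after them.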