diff --git a/CLAUDE.md b/CLAUDE.md index 664c3df7..b6d1c3a3 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -35,7 +35,10 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co 1. **RPCD Script Naming:** Nom fichier = objet ubus (`luci.system-hub`) 2. **Menu Path Matching:** Path menu = fichier vue (`system-hub/overview.js`) 3. **Permissions:** RPCD = 755, CSS/JS = 644 + - **Auto-fix:** `./secubox-tools/fix-permissions.sh --local` (avant commit) + - **Auto-fix remote:** `./secubox-tools/fix-permissions.sh --remote` (après deploy) 4. **Validation:** Toujours exécuter `./secubox-tools/validate-modules.sh` avant commit + - **7 checks automatiques:** RPCD naming, menu paths, view files, RPCD permissions, JSON syntax, ubus naming, **htdocs permissions** 5. **CSS Variables:** Toujours utiliser `var(--sh-*)`, jamais hardcoder les couleurs 6. **Dark Mode:** Toujours supporter dark mode avec `[data-theme="dark"]` 7. **Typography:** Inter (texte), JetBrains Mono (valeurs numériques) @@ -77,8 +80,19 @@ opkg install /tmp/luci-app-*.ipk ### Validation ```bash -# Run comprehensive module validation (RECOMMENDED) +# Fix file permissions FIRST (CRITICAL) +./secubox-tools/fix-permissions.sh --local + +# Run comprehensive module validation (RECOMMENDED - 7 checks) ./secubox-tools/validate-modules.sh +# Checks: +# 1. RPCD script names vs ubus objects +# 2. Menu paths vs view file locations +# 3. View files have menu entries +# 4. RPCD script permissions (755) +# 5. JSON syntax validation +# 6. ubus object naming convention +# 7. htdocs file permissions (644 for CSS/JS) ← NEW # Validate shell scripts (RPCD backends) shellcheck luci-app-*/root/usr/libexec/rpcd/* @@ -89,6 +103,9 @@ find . -name "*.json" -exec jsonlint {} \; # Run automated repair tool ./secubox-tools/secubox-repair.sh +# Fix permissions on deployed router +./secubox-tools/fix-permissions.sh --remote + # Run diagnostics ./secubox-tools/secubox-debug.sh luci-app- ``` 
diff --git a/DEVELOPMENT-GUIDELINES.md b/DEVELOPMENT-GUIDELINES.md index 668b0a16..a0e01bd9 100644 --- a/DEVELOPMENT-GUIDELINES.md +++ b/DEVELOPMENT-GUIDELINES.md @@ -1288,6 +1288,51 @@ find /usr/libexec/rpcd/ -name 'luci.*' -exec chmod 755 {} \; EOF ``` +**⚡ Correction Automatique (Recommandé):** + +Utiliser le script automatique qui vérifie et corrige toutes les permissions: + +```bash +# Corriger permissions locales (source code) +./secubox-tools/fix-permissions.sh --local + +# Corriger permissions sur routeur +./secubox-tools/fix-permissions.sh --remote + +# Corriger les deux (local + remote) +./secubox-tools/fix-permissions.sh +``` + +Le script `fix-permissions.sh` effectue automatiquement: +- ✅ Fixe tous les RPCD scripts à 755 +- ✅ Fixe tous les CSS à 644 +- ✅ Fixe tous les JS à 644 +- ✅ Vérifie qu'aucun fichier 600 ne reste +- ✅ Clear cache et restart services (remote mode) +- ✅ Affiche un rapport complet des changements + +**🔍 Validation Automatique des Permissions:** + +Le script `validate-modules.sh` inclut maintenant un Check 7 qui vérifie automatiquement les permissions: + +```bash +./secubox-tools/validate-modules.sh + +# Check 7 validera: +# ✓ Tous les RPCD sont 755 +# ✓ Tous les CSS sont 644 +# ✓ Tous les JS sont 644 +# ❌ Affichera erreurs si permissions incorrectes +``` + +**Workflow recommandé:** +1. Développer/modifier code +2. `./secubox-tools/fix-permissions.sh --local` (avant commit) +3. `./secubox-tools/validate-modules.sh` (vérifier tout) +4. Commit & push +5. Deploy sur routeur +6. `./secubox-tools/fix-permissions.sh --remote` (après deploy) + #### 3. Post-Deployment Verification **Checklist après déploiement:** diff --git a/QUICK-START.md b/QUICK-START.md index e348a549..402ceff0 100644 --- a/QUICK-START.md +++ b/QUICK-START.md 
@@ -54,7 +54,10 @@ ssh root@192.168.8.191 "find /www/luci-static -name '*.js' -exec chmod 644 {} \; ### 5. Common Errors Quick Fix ```bash -# HTTP 403 Forbidden +# HTTP 403 Forbidden (BEST: use automated script) +./secubox-tools/fix-permissions.sh --remote # Auto-fix all permissions + +# OR manual fix: chmod 644 /www/luci-static/resources/**/*.{js,css} # No space left on device @@ -116,9 +119,12 @@ grid-template-columns: repeat(auto-fit, minmax(300px, 1fr)); ### Validation ```bash -# Valider TOUT avant commit +# Valider TOUT avant commit (7 checks incluant permissions) ./secubox-tools/validate-modules.sh +# Corriger automatiquement les permissions +./secubox-tools/fix-permissions.sh --local + # JSON jsonlint file.json @@ -176,10 +182,11 @@ ssh root@router "logread | grep -i error" ## 📋 Pre-Commit Checklist -- [ ] `./secubox-tools/validate-modules.sh` ✅ +- [ ] `./secubox-tools/fix-permissions.sh --local` ✅ (auto-fix) +- [ ] `./secubox-tools/validate-modules.sh` ✅ (7 checks) - [ ] RPCD name = ubus object name - [ ] Menu path = view file path -- [ ] Permissions: 755 (RPCD), 644 (CSS/JS) +- [ ] Permissions: 755 (RPCD), 644 (CSS/JS) - auto-verified - [ ] JSON valide (jsonlint) - [ ] CSS: variables utilisées (pas hardcode) - [ ] CSS: dark mode supporté diff --git a/secubox-tools/fix-permissions.sh b/secubox-tools/fix-permissions.sh new file mode 100755 index 00000000..5265d54f --- /dev/null +++ b/secubox-tools/fix-permissions.sh 
@@ -0,0 +1,181 @@ +#!/bin/bash +# +# SecuBox Permission Fix Script +# Automatically fixes file permissions for LuCI modules +# +# CRITICAL PERMISSIONS: +# - RPCD scripts (root/usr/libexec/rpcd/*): 755 (rwxr-xr-x) - Must be executable +# - CSS files (htdocs/**/*.css): 644 (rw-r--r--) - Web server readable +# - JS files (htdocs/**/*.js): 644 (rw-r--r--) - Web server readable +# + +set -e + +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +BLUE='\033[0;34m' +NC='\033[0m' # No Color + +LOCAL_MODE=false +REMOTE_MODE=false +ROUTER="" + +# Parse arguments +while [[ $# -gt 0 ]]; do + case $1 in + --local) + LOCAL_MODE=true + shift + ;; + --remote) + REMOTE_MODE=true + ROUTER="${2:-root@192.168.8.191}" + shift 2 + ;; + *) + echo "Usage: $0 [--local] [--remote [router]]" + echo "" + echo " --local Fix permissions in local source tree (development)" + echo " --remote [addr] Fix permissions on router (default: root@192.168.8.191)" + echo "" + echo "If no option specified, fixes both local and remote." + exit 1 + ;; + esac +done + +# If neither specified, do both +if [ "$LOCAL_MODE" = false ] && [ "$REMOTE_MODE" = false ]; then + LOCAL_MODE=true + REMOTE_MODE=true + ROUTER="root@192.168.8.191" +fi + +echo "========================================" +echo "SecuBox Permission Fix" +echo "========================================" +echo "" + +# Fix local permissions +if [ "$LOCAL_MODE" = true ]; then + echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" + echo -e "${BLUE}Fixing Local Source Permissions${NC}" + echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" + echo "" + + RPCD_FIXED=0 + CSS_FIXED=0 + JS_FIXED=0 + + for module_dir in luci-app-*/; do + module_name=$(basename "$module_dir") + + # Fix RPCD scripts (must be executable: 755) + rpcd_dir="$module_dir/root/usr/libexec/rpcd" + if [ -d "$rpcd_dir" ]; then + while IFS= read -r script; do + if [ -n "$script" ] && [ ! 
-x "$script" ]; then + chmod 755 "$script" + echo " ✓ $module_name: RPCD $(basename $script) → 755" + ((RPCD_FIXED++)) + fi + done < <(find "$rpcd_dir" -type f ! -name "*.md" 2>/dev/null) + fi + + # Fix CSS files (must be readable: 644) + htdocs_dir="$module_dir/htdocs" + if [ -d "$htdocs_dir" ]; then + while IFS= read -r css_file; do + if [ -n "$css_file" ]; then + current_perms=$(stat -c "%a" "$css_file" 2>/dev/null) + if [ "$current_perms" != "644" ]; then + chmod 644 "$css_file" + echo " ✓ $module_name: $(basename $css_file) $current_perms → 644" + ((CSS_FIXED++)) + fi + fi + done < <(find "$htdocs_dir" -name "*.css" -type f 2>/dev/null) + + # Fix JS files (must be readable: 644) + while IFS= read -r js_file; do + if [ -n "$js_file" ]; then + current_perms=$(stat -c "%a" "$js_file" 2>/dev/null) + if [ "$current_perms" != "644" ]; then + chmod 644 "$js_file" + echo " ✓ $module_name: $(basename $js_file) $current_perms → 644" + ((JS_FIXED++)) + fi + fi + done < <(find "$htdocs_dir" -name "*.js" -type f 2>/dev/null) + fi + done + + echo "" + echo -e "${GREEN}Local Permissions Fixed:${NC}" + echo " RPCD scripts: $RPCD_FIXED" + echo " CSS files: $CSS_FIXED" + echo " JS files: $JS_FIXED" + echo "" +fi + +# Fix remote permissions +if [ "$REMOTE_MODE" = true ]; then + echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" + echo -e "${BLUE}Fixing Remote Permissions ($ROUTER)${NC}" + echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}" + echo "" + + # Test connection + if ! ssh "$ROUTER" "echo 'Connection OK'" >/dev/null 2>&1; then + echo -e "${YELLOW}⚠️ Cannot connect to $ROUTER${NC}" + echo " → Check router IP and SSH access" + exit 1 + fi + + echo " → Fixing RPCD script permissions (755)..." + ssh "$ROUTER" "find /usr/libexec/rpcd -name 'luci.*' -type f -exec chmod 755 {} \;" 2>/dev/null || true + + echo " → Fixing CSS file permissions (644)..." 
+ ssh "$ROUTER" "find /www/luci-static/resources -name '*.css' -type f -exec chmod 644 {} \;" 2>/dev/null || true + + echo " → Fixing JS file permissions (644)..." + ssh "$ROUTER" "find /www/luci-static/resources -name '*.js' -type f -exec chmod 644 {} \;" 2>/dev/null || true + + # Verify no files left with 600 + REMAINING_600=$(ssh "$ROUTER" "find /www/luci-static/resources -type f \( -name '*.js' -o -name '*.css' \) -perm 600 | wc -l" 2>/dev/null || echo "0") + + echo "" + if [ "$REMAINING_600" -eq 0 ]; then + echo -e "${GREEN}✓ All remote permissions fixed!${NC}" + else + echo -e "${YELLOW}⚠️ Warning: $REMAINING_600 files still have 600 permissions${NC}" + fi + + echo "" + echo " → Clearing LuCI cache..." + ssh "$ROUTER" "rm -f /tmp/luci-indexcache /tmp/luci-modulecache/* 2>/dev/null" || true + + echo " → Restarting services..." + ssh "$ROUTER" "/etc/init.d/rpcd restart && /etc/init.d/uhttpd restart" >/dev/null 2>&1 || true + + echo "" + echo -e "${GREEN}✓ Remote permissions fixed and services restarted${NC}" + echo "" +fi + +echo "========================================" +echo -e "${GREEN}✓ Permission Fix Complete!${NC}" +echo "========================================" +echo "" + +if [ "$LOCAL_MODE" = true ]; then + echo "Next steps:" + echo " 1. Run validation: ./secubox-tools/validate-modules.sh" + echo " 2. Build packages: ./secubox-tools/local-build.sh build" + echo " 3. Deploy to router" +fi + +if [ "$REMOTE_MODE" = true ]; then + echo "Test modules in browser (use private mode: Ctrl+Shift+N)" + echo " → https://192.168.8.191/cgi-bin/luci/admin/secubox" +fi diff --git a/secubox-tools/validate-modules.sh b/secubox-tools/validate-modules.sh index 7e93aaec..1da33657 100755 --- a/secubox-tools/validate-modules.sh +++ b/secubox-tools/validate-modules.sh 
@@ -240,20 +240,77 @@ for module_dir in luci-app-*/; do done echo "" +# Check 7: htdocs files must have correct permissions (644 for web server) +echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" +echo "7. Validating htdocs file permissions (CSS/JS must be 644)" +echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━" +echo "" + +PERMISSION_ERRORS=0 + +for module_dir in luci-app-*/; do + module_name=$(basename "$module_dir") + htdocs_dir="$module_dir/htdocs" + + if [ -d "$htdocs_dir" ]; then + # Check CSS files + while IFS= read -r css_file; do + if [ -n "$css_file" ]; then + perms=$(stat -c "%a" "$css_file" 2>/dev/null) + if [ "$perms" != "644" ]; then + error "$module_name: CSS file has wrong permissions: $css_file ($perms, should be 644)" + echo " → Run: chmod 644 $css_file" + ((PERMISSION_ERRORS++)) + else + success "$module_name: CSS file has correct permissions (644): $(basename $css_file)" + fi + fi + done < <(find "$htdocs_dir" -name "*.css" -type f 2>/dev/null) + + # Check JS files + while IFS= read -r js_file; do + if [ -n "$js_file" ]; then + perms=$(stat -c "%a" "$js_file" 2>/dev/null) + if [ "$perms" != "644" ]; then + error "$module_name: JS file has wrong permissions: $js_file ($perms, should be 644)" + echo " → Run: chmod 644 $js_file" + ((PERMISSION_ERRORS++)) + else + success "$module_name: JS file has correct permissions (644): $(basename $js_file)" + fi + fi + done < <(find "$htdocs_dir" -name "*.js" -type f 2>/dev/null) + fi +done + +if [ $PERMISSION_ERRORS -gt 0 ]; then + echo "" + echo -e "${YELLOW}⚠️ To fix all permission errors automatically, run:${NC}" + echo " ./secubox-tools/fix-permissions.sh --local" +fi +echo "" + +# Add permission errors to total error count +TOTAL_ERRORS=$((ERRORS + PERMISSION_ERRORS)) + # Summary echo "========================================" echo "Validation Summary" echo "========================================" echo "" -if [ $ERRORS -eq 0 ] && [ $WARNINGS -eq 0 ]; then +if [ $TOTAL_ERRORS -eq 0 ] && [ $WARNINGS -eq 0 ]; 
then echo -e "${GREEN}✓ All checks passed!${NC}" exit 0 -elif [ $ERRORS -eq 0 ]; then +elif [ $TOTAL_ERRORS -eq 0 ]; then echo -e "${YELLOW}✓ All critical checks passed with $WARNINGS warning(s)${NC}" exit 0 else - echo -e "${RED}✗ Found $ERRORS error(s) and $WARNINGS warning(s)${NC}" + echo -e "${RED}✗ Found $TOTAL_ERRORS error(s) and $WARNINGS warning(s)${NC}" + if [ $PERMISSION_ERRORS -gt 0 ]; then + echo -e "${YELLOW} ($PERMISSION_ERRORS permission error(s))${NC}" + fi echo "" echo "Please fix the errors listed above before deploying." + echo "Run: ./secubox-tools/fix-permissions.sh --local" exit 1 fi
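Review bot: In secubox-tools/fix-permissions.sh, local mode will abort on the first file it fixes: under `set -e`, `((RPCD_FIXED++))` evaluates to 0 while the counter is still 0, so the arithmetic command returns status 1 and the script exits (the same applies to `((CSS_FIXED++))` and `((JS_FIXED++))`). Use `RPCD_FIXED=$((RPCD_FIXED + 1))` instead. In the argument parser, `--remote` with no address runs `shift 2` with one argument left, which fails and also exits under `set -e`, yet the docs in this patch call `fix-permissions.sh --remote` without an address; shift once, then shift again only when a non-option address follows (as written, `--remote --local` also takes `--local` as the router). The RPCD loop only tests `! -x "$script"`, so a script that is already executable but group- or world-writable is left as it is; compare `stat -c "%a"` against 755 the way the CSS/JS loops compare against 644. In remote mode, `2>/dev/null || true` on each ssh chmod plus the `|| echo "0"` fallback on the `-perm 600` count mean a failed ssh is reported as "All remote permissions fixed"; count files that are `! -perm 644` and treat an ssh failure as an error. The closing URL is hardcoded to 192.168.8.191 even when another router address was passed.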
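Review bot: The Check 7 comment added to DEVELOPMENT-GUIDELINES.md lists "Tous les RPCD sont 755", but the Check 7 added to validate-modules.sh in this patch only walks `htdocs` for `*.css` and `*.js`, and CLAUDE.md lists RPCD script permissions as check 4. Drop the RPCD line from the Check 7 comment or point it at check 4. In the same hunk, "Fixe tous les RPCD scripts à 755" is stronger than what local mode does, since the script only chmods RPCD files that fail the `-x` test.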
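Review bot: In the summary's else branch of validate-modules.sh, `echo "Run: ./secubox-tools/fix-permissions.sh --local"` is printed for every failing run, including those where `PERMISSION_ERRORS` is 0 and the errors come from the other checks; move it inside the `if [ $PERMISSION_ERRORS -gt 0 ]` block just above it. In Check 7, `stat -c "%a" ... 2>/dev/null` leaves `perms` empty when stat fails (for example with a non-GNU stat), and that is then reported as a wrong-permission error with a blank mode; handle the empty case separately. `$(basename $css_file)`, `$(basename $js_file)` and the `chmod 644 $css_file` hint should quote the path so file names with spaces are reported correctly.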