From 744dea00ca15ee4a42d58848d658d50a4538e312 Mon Sep 17 00:00:00 2001
From: Scruel Tao <me@scruel.com>
Date: Wed, 8 May 2024 02:56:21 +0800
Subject: [PATCH 1/6] feat: guide user to run script as root to create temp
 admin user

Message text and comment optimized
---
 deploy/synology_dsm.sh | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh
index 342fb32e..e6f44e8d 100644
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -39,7 +39,7 @@
 ################################################################################
 # Dependencies:
 # - curl
-# - synouser & synogroup (When available and SYNO_USE_TEMP_ADMIN is set)
+# - synouser & synogroup & synosetkeyvalue (Required for SYNO_USE_TEMP_ADMIN=1)
 ################################################################################
 # Return value:
 # 0 means success, otherwise error.
@@ -66,14 +66,17 @@ synology_dsm_deploy() {
   _getdeployconf SYNO_DEVICE_NAME
 
   # Prepare to use temp admin if SYNO_USE_TEMP_ADMIN is set
-  _debug2 SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
   _getdeployconf SYNO_USE_TEMP_ADMIN
   _check2cleardeployconfexp SYNO_USE_TEMP_ADMIN
   _debug2 SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
 
   if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
-    if ! _exists synouser || ! _exists synogroup; then
-      _err "Tools are missing for creating temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
+    if ! _exists synouser || ! _exists synogroup || ! _exists synosetkeyvalue; then
+      _err "Missing required tools to creat temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
+      return 1
+    fi
+    if synouser --help 2>&1 | grep -q 'Permission denied'; then
+      _err "For creating temp admin user, the deploy script must be run as root."
       return 1
     fi
 
@@ -184,7 +187,7 @@ synology_dsm_deploy() {
         _debug SYNO_LOCAL_HOSTNAME "${SYNO_LOCAL_HOSTNAME:-}"
         if [ "$SYNO_LOCAL_HOSTNAME" != "1" ] && [ "$SYNO_LOCAL_HOSTNAME" == "$SYNO_HOSTNAME" ]; then
           if [ "$SYNO_HOSTNAME" != "localhost" ] && [ "$SYNO_HOSTNAME" != "127.0.0.1" ]; then
-            _err "SYNO_USE_TEMP_ADMIN=1 Only support locally deployment, if you are sure that hostname $SYNO_HOSTNAME is targeting to your **current local machine**, execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
+            _err "SYNO_USE_TEMP_ADMIN=1 only support local deployment, though if you are sure that the hostname $SYNO_HOSTNAME is targeting to your **current local machine**, then execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
             return 1
           fi
         fi
@@ -201,7 +204,7 @@ synology_dsm_deploy() {
             # shellcheck disable=SC2086
             synogroup --member administrators $cur_admins $SYNO_USERNAME >/dev/null
           else
-            _err "Tool synogroup may be broken, please set SYNO_USERNAME and SYNO_PASSWORD instead."
+            _err "The tool synogroup may be broken, please set SYNO_USERNAME and SYNO_PASSWORD instead."
             return 1
           fi
         else
@@ -212,7 +215,7 @@ synology_dsm_deploy() {
         otp_enforce_option=$(synogetkeyvalue /etc/synoinfo.conf otp_enforce_option)
         if [ -n "$otp_enforce_option" ] && [ "${otp_enforce_option:-"none"}" != "none" ]; then
           synosetkeyvalue /etc/synoinfo.conf otp_enforce_option none
-          _info "Temporary disabled enforce 2FA-OTP to complete authentication."
+          _info "Temporary disabled enforce 2FA-OTP to complete temp admin authentication."
           _info "previous_otp_enforce_option" "$otp_enforce_option"
         else
           otp_enforce_option=""
@@ -230,7 +233,7 @@ synology_dsm_deploy() {
   error_code=$(echo "$response" | grep '"error":' | grep -o '"code":[0-9]*' | grep -o '[0-9]*')
   _debug2 error_code "$error_code"
   # Account has 2FA-OTP enabled, since error 403 reported.
-  # https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_Administration_CLI_Guide.pdf
+  # https://global.download.synology.com/download/Document/Software/DeveloperGuide/Os/DSM/All/enu/DSM_Login_Web_API_Guide_enu.pdf
   if [ "$error_code" == "403" ]; then
     if [ -z "$SYNO_DEVICE_NAME" ]; then
       printf "Enter device name or leave empty for default (CertRenewal): "
@@ -274,12 +277,16 @@ synology_dsm_deploy() {
       _err "Failed to authenticate with provided 2FA-OTP code, please try again in a new terminal window."
     elif [ "$error_code" == "406" ]; then
       if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
-        _err "SYNO_USE_TEMP_ADMIN=1 is not supported if enforce auth with 2FA-OTP is enabled."
+        _err "Failed with unexcepted error, please report this by providing full log with '--debug 3'."
       else
         _err "Enforce auth with 2FA-OTP enabled, please configure the user to enable 2FA-OTP to continue."
       fi
-    elif [ "$error_code" == "400" ] || [ "$error_code" == "401" ] || [ "$error_code" == "408" ] || [ "$error_code" == "409" ] || [ "$error_code" == "410" ]; then
-      _err "Failed to authenticate with a non-existent or disabled account, or the account password is incorrect or has expired."
+    elif [ "$error_code" == "400" ]; then
+      _err "Failed to authenticate, no such account or incorrect password."
+    elif [ "$error_code" == "401" ]; then
+      _err "Failed to authenticate with a non-existent account."
+    elif [ "$error_code" == "408" ] || [ "$error_code" == "409" ] || [ "$error_code" == "410" ]; then
+      _err "Failed to authenticate, the account password has expired or must be changed."
     else
       _err "Failed to authenticate with error: $error_code."
     fi
@@ -293,7 +300,7 @@ synology_dsm_deploy() {
   _debug SynoToken "$token"
   if [ -z "$sid" ] || [ -z "$token" ]; then
     # Still can't get necessary info even got no errors, may Synology have API updated?
-    _err "Unable to authenticate to $_base_url, you may report the full log to the community."
+    _err "Unable to authenticate to $_base_url, you may report this by providing full log with '--debug 3'."
     _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
     return 1
   fi
@@ -331,7 +338,7 @@ synology_dsm_deploy() {
     if [ "$error_code" -eq 105 ]; then
       _err "Current user is not administrator and does not have sufficient permission for deploying."
     else
-      _err "Failed to fetch certificate info with error: $error_code, please try again or contact Synology to learn more."
+      _err "Failed to fetch certificate info: $error_code, please try again or contact Synology to learn more."
     fi
     _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
     return 1

From 47ccb2848215a7733ff5cfc5d8e967722e35d5cc Mon Sep 17 00:00:00 2001
From: Scruel Tao <me@scruel.com>
Date: Wed, 8 May 2024 04:46:51 +0800
Subject: [PATCH 2/6] chore: typo

---
 deploy/synology_dsm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh
index e6f44e8d..a9057a57 100644
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -187,7 +187,7 @@ synology_dsm_deploy() {
         _debug SYNO_LOCAL_HOSTNAME "${SYNO_LOCAL_HOSTNAME:-}"
         if [ "$SYNO_LOCAL_HOSTNAME" != "1" ] && [ "$SYNO_LOCAL_HOSTNAME" == "$SYNO_HOSTNAME" ]; then
           if [ "$SYNO_HOSTNAME" != "localhost" ] && [ "$SYNO_HOSTNAME" != "127.0.0.1" ]; then
-            _err "SYNO_USE_TEMP_ADMIN=1 only support local deployment, though if you are sure that the hostname $SYNO_HOSTNAME is targeting to your **current local machine**, then execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
+            _err "SYNO_USE_TEMP_ADMIN=1 only support local deployment, though if you are sure that the hostname $SYNO_HOSTNAME is targeting to your **current local machine**, execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
             return 1
           fi
         fi

From 1dbc58d4e0de6a0c1fd8fd02937b5a7313db95c4 Mon Sep 17 00:00:00 2001
From: Scruel Tao <me@scruel.com>
Date: Wed, 8 May 2024 14:01:43 +0800
Subject: [PATCH 3/6] chore: optimize more msgs

---
 deploy/synology_dsm.sh | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh
index a9057a57..acac9d1e 100644
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -73,6 +73,7 @@ synology_dsm_deploy() {
   if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
     if ! _exists synouser || ! _exists synogroup || ! _exists synosetkeyvalue; then
       _err "Missing required tools to creat temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
+      _err "Notice: temp admin user authorization method only supports local deployment on DSM."
       return 1
     fi
     if synouser --help 2>&1 | grep -q 'Permission denied'; then
@@ -211,11 +212,14 @@ synology_dsm_deploy() {
           _err "Unsupported synogroup tool detected, please set SYNO_USERNAME and SYNO_PASSWORD instead."
           return 1
         fi
-        # havig a workaround to temporary disable enforce 2FA-OTP
+        # havig a workaround to temporary disable enforce 2FA-OTP, will restore
+        # it soon (after a single request), though if any accident occurs like
+        # unexpected interruption, this setting can be easily reverted manually.
         otp_enforce_option=$(synogetkeyvalue /etc/synoinfo.conf otp_enforce_option)
         if [ -n "$otp_enforce_option" ] && [ "${otp_enforce_option:-"none"}" != "none" ]; then
           synosetkeyvalue /etc/synoinfo.conf otp_enforce_option none
-          _info "Temporary disabled enforce 2FA-OTP to complete temp admin authentication."
+          _info "Enforcing 2FA-OTP has been disabled to complete temp admin authentication."
+          _info "Notice: it will be restored soon, if not, you can restore it manually via Control Panel."
           _info "previous_otp_enforce_option" "$otp_enforce_option"
         else
           otp_enforce_option=""

From 60569fdd8375d5a8f67d3a965e604e494c0d9e0e Mon Sep 17 00:00:00 2001
From: Scruel Tao <me@scruel.com>
Date: Sun, 14 Jul 2024 15:04:43 +0800
Subject: [PATCH 4/6] fix(deploy): respect api path with synology Auth API

fix #5184
---
 deploy/synology_dsm.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/deploy/synology_dsm.sh b/deploy/synology_dsm.sh
index 342fb32e..b98105c2 100644
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -169,7 +169,7 @@ synology_dsm_deploy() {
       _debug3 H1 "${_H1}"
     fi
 
-    response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DEVICE_ID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
+    response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DEVICE_ID" "$_base_url/webapi/$api_path?enable_syno_token=yes")
     _debug3 response "$response"
   # ## END ## - DEPRECATED, for backward compatibility
   # If SYNO_DEVICE_ID or SYNO_OTP_CODE is set, we treat current account enabled 2FA-OTP.
@@ -218,7 +218,7 @@ synology_dsm_deploy() {
           otp_enforce_option=""
         fi
       fi
-      response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes")
+      response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes")
       if [ -n "$SYNO_USE_TEMP_ADMIN" ] && [ -n "$otp_enforce_option" ]; then
         synosetkeyvalue /etc/synoinfo.conf otp_enforce_option "$otp_enforce_option"
         _info "Restored previous enforce 2FA-OTP option."

From 7ae0d0caa30a882f320028d4e2943ab060b40897 Mon Sep 17 00:00:00 2001
From: allddd <117767298+allddd@users.noreply.github.com>
Date: Thu, 18 Jul 2024 21:57:22 +0200
Subject: [PATCH 5/6] dns_porkbun: remove stray backslashes

---
 dnsapi/dns_porkbun.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dnsapi/dns_porkbun.sh b/dnsapi/dns_porkbun.sh
index c260c898..0a443855 100644
--- a/dnsapi/dns_porkbun.sh
+++ b/dnsapi/dns_porkbun.sh
@@ -93,7 +93,7 @@ dns_porkbun_rm() {
       _err "Delete record error."
       return 1
     fi
-    echo "$response" | tr -d " " | grep '\"status\":"SUCCESS"' >/dev/null
+    echo "$response" | tr -d " " | grep '"status":"SUCCESS"' >/dev/null
   fi
 
 }

From 6b6faa8129281f03ce160c30af2c02dfe3050a26 Mon Sep 17 00:00:00 2001
From: oittaa <8972248+oittaa@users.noreply.github.com>
Date: Sat, 20 Jul 2024 13:31:53 +0200
Subject: [PATCH 6/6] _checkSudo: [ -z "__INTERACTIVE" ] should be [ -z
 "$__INTERACTIVE" ]

Fixes #5216
---
 acme.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acme.sh b/acme.sh
index c3564e68..ee2517c2 100755
--- a/acme.sh
+++ b/acme.sh
@@ -7139,7 +7139,7 @@ _processAccountConf() {
 }
 
 _checkSudo() {
-  if [ -z "__INTERACTIVE" ]; then
+  if [ -z "$__INTERACTIVE" ]; then
     #don't check if it's not in an interactive shell
     return 0
   fi