From 209e9c681e18cc6b6e7954a7487e8922cfb8c38c Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa <sunil@medhas.org>
Date: Wed, 26 Apr 2023 06:15:27 -0700
Subject: [PATCH] transmission: Allow remote UIs to connect

- Reload apache for new configuration

- Increment app version to ensure new apache configuration is load immediately
after FreedomBox version upgrade.

- Don't re-enable a disabled app during app version upgrade.

- Update description to talk about the remote RPC URL for apps.

Tests:

- Use tremotesf client on LineageOS to connect on the URL /transmission-remote.

- Install transmission app freshly and notice that webserver reload was called
only once. Remote GUI is working.

- Install transmission without patches. Disable app. Apply patches, notice that
webserver was not reloaded. Enable and remote GUI is working.

- Install transmission without patches. Enable app. Apply patches, notice that
webserver was reloaded and remote GUI is working.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
---
 plinth/modules/transmission/__init__.py       | 15 +++++++--
 .../conf-available/transmission-plinth.conf   | 31 ++++++++++++++++---
 2 files changed, 38 insertions(+), 8 deletions(-)

diff --git a/plinth/modules/transmission/__init__.py b/plinth/modules/transmission/__init__.py
index ec8755db2..0d3fce080 100644
--- a/plinth/modules/transmission/__init__.py
+++ b/plinth/modules/transmission/__init__.py
@@ -33,6 +33,12 @@ _description = [
         _('It can be accessed by <a href="{users_url}">any user</a> on '
           '{box_name} belonging to the bit-torrent group.'),
         box_name=_(cfg.box_name), users_url=reverse_lazy('users:index')),
+    format_lazy(
+        _('In addition to the web interface, mobile and desktop apps can also '
+          'be used to remotely control Transmission on {box_name}. To '
+          'configure remote control apps, use the URL '
+          '<a href="/transmission-remote/rpc">/transmission-remote/rpc</a>.'),
+        box_name=_(cfg.box_name)),
     format_lazy(
         _('<a href="{samba_url}">Samba</a> shares can be set as the '
           'default download directory from the dropdown menu below.'),
@@ -51,7 +57,7 @@ class TransmissionApp(app_module.App):
 
     app_id = 'transmission'
 
-    _version = 5
+    _version = 6
 
     DAEMON = 'transmission-daemon'
 
@@ -97,7 +103,8 @@ class TransmissionApp(app_module.App):
         self.add(firewall_local_protection)
 
         webserver = Webserver('webserver-transmission', 'transmission-plinth',
-                              urls=['https://{host}/transmission'])
+                              urls=['https://{host}/transmission'],
+                              last_updated_version=6)
         self.add(webserver)
 
         daemon = Daemon(
@@ -131,4 +138,6 @@ class TransmissionApp(app_module.App):
         }
         privileged.merge_configuration(new_configuration)
         add_user_to_share_group(SYSTEM_USER, TransmissionApp.DAEMON)
-        self.enable()
+
+        if not old_version:
+            self.enable()
diff --git a/plinth/modules/transmission/data/etc/apache2/conf-available/transmission-plinth.conf b/plinth/modules/transmission/data/etc/apache2/conf-available/transmission-plinth.conf
index 31dfacb53..b50c4be35 100644
--- a/plinth/modules/transmission/data/etc/apache2/conf-available/transmission-plinth.conf
+++ b/plinth/modules/transmission/data/etc/apache2/conf-available/transmission-plinth.conf
@@ -7,11 +7,24 @@
 ##   mod_proxy_http
 ##
 <Location /transmission>
-    ProxyPass        http://localhost:9091/transmission
-    Include          includes/freedombox-single-sign-on.conf
-    <IfModule mod_auth_pubtkt.c>
-        TKTAuthToken "admin" "bit-torrent"
-    </IfModule>
+    ProxyPass http://localhost:9091/transmission
+
+    # If a client sends 'Authorization' HTTP Header, perform Basic authorization
+    # using LDAP, otherwise redirect to FreedomBox single sign-on. It is not
+    # mandatory for the server to return HTTP 401 with 'WWW-Authenticate'. See
+    # https://datatracker.ietf.org/doc/html/rfc2616#section-14.8
+    <If "-n %{HTTP:Authorization}">
+        Include includes/freedombox-auth-ldap.conf
+        Require ldap-group cn=admin,ou=groups,dc=thisbox
+        Require ldap-group cn=bit-torrent,ou=groups,dc=thisbox
+    </If>
+    <Else>
+        Include includes/freedombox-single-sign-on.conf
+        <IfModule mod_auth_pubtkt.c>
+            TKTAuthToken "admin" "bit-torrent"
+        </IfModule>
+    </Else>
+
     ## Send the scheme from user's request to enable Transmission to
     ## redirect URLs, set cookies, set absolute URLs (if any)
     ## properly.
@@ -28,3 +41,11 @@
         RewriteRule .* /transmission/web/ [R=302,L]
     </IfModule>
 </Location>
+
+# LDAP only authentication for Transmission remote UIs.
+<Location /transmission-remote>
+    ProxyPass http://localhost:9091/transmission
+    Include includes/freedombox-auth-ldap.conf
+    Require ldap-group cn=admin,ou=groups,dc=thisbox
+    Require ldap-group cn=bit-torrent,ou=groups,dc=thisbox
+</Location>