Tests:
- Visiting the 'Manage passkeys' page show the learn more link. Clicking on the
link shows the page for passkeys guide.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Login
- Login using passkeys works on testing container and stable container.
- Login page show 'Log in with passkey' button as expected along with key
icon.
- On GNOME's Web browser, the login page does not show an error on load.
Clicking on 'Log in with passkey' shows the error: 'Logging in with passkey
failed: Browser does not support passkeys.'
- On Chromium browser, with invalid TLS certficiate, the login page does not
show an error on load. Clicking on 'Log in with passkey' shows the error:
'Logging in with passkey failed: NotAllowedError: WebAuthn is not supported
on sites with TLS certificate errors.'
- Raising an error in the passkey_login_begin() method shows the error message
when login page is loaded. Raising an error in the passkey_login_complete
method shows the error message after passkey is unlocked. In both cases, 500
is HTTP status code.
- With primary hardware key register passkey each for 'tester' and 'tester2'
accounts.
- With secondary hardware key register passkey for 'tester' account.
- In login page, loading the page shows the console message 'Signing in with a
passkey. Condition: true'.
- In login page, when username field is clicked, 'passkey' is shown in the
autofill popup options. Selecting it prompts for hardware PIN and touch.
User is logged in.
- In login page, when 'Log in with passkey' is clicked, console message is
show 'Log in initiated with button, conditional mediation aborted.'.
Hardware PIN and touch is prompted. User is logged in.
- During autofill login, canceling the hardware key PIN shows no error alert.
Autofill passkey login is not available.
- During autofill login, canceling the hardware touch prompt shows no error
alert. Autofill passkey login is not available.
- During button login, canceling the hardware key PIN shows '...user denied
permission' error alert. Autofill passkey login is not available.
- During button login, canceling the hardware touch prompt shows no '...user
denied permission' error alert. Autofill passkey login is not available.
- When multiple attempts fail, multiple error alerts are shown.
- During login, with primary key account selection dialog is shown. Selecting
'tester' logs into 'tester' account. Selecting 'tester2' logs into 'tester2'
account.
- During login, with secondary key, account selection dialog is not shown.
User is logged into the 'tester' account.
- Password based login continues to work as usual on Firefox, Chromium, and
GNOME's web.
- Logout, then visit /freedombox/sys/. This redirects to login page. After
login with passkey the browser is redirected to /freedombox/sys page.
- After passkey login, 'Last Used' for that key is updated. The value is not
updated for remaining keys of the account.
- After successful login, database is updated with the latest signature
counter.
- After successful login, for a user account with Spanish set as language, the
UI language changes to Spanish.
- If a key has been removed from list of passkeys and that passkey is
attempted for login, 'Passkey used is not known' error alert is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Setup: add domain name mystable.example. Add an entry in /etc/hosts on the
test machine. In Firefox, in about:config, set
'security.webauthn.allow_with_certificate_override' to 'true'.
- Registration
- Passkey successful registration:
- After passkey registration, created time is time at which key is created.
- After passkey registration, domain is the domain with which the interface
is accessed at the time of addition of passkey.
- After passkey registration, Added and Last Used columns show the current
time in UTC. Signature counter and extensions and aaguid values in the DB
are as expected.
- First key's name is 'Key 1'. After that it is 'Key 2' and so on. If a key
is renamed as 'Key 4', then next key will be named 'Key 5'.
- Registering passkeys using testing container stable container works.
- Links:
- 'Manage passkeys' link is show in the user menu in navbar in both desktop
mode and mobile mode. Clicking on it redirects the browser to current
user's passkey management page.
- User's edit page shows 'Use passkeys for better security'. Clicking on the
link redirects the browser to passkey management page for the user who's
account is being edited.
- Listing:
- All passkeys are show properly. Name, domain, added, last used, and
operations show correctly.
- When using a browser without Javascript script shows an error alert.
- If not passkeys are present "No passkeys added to user account." message
is shown.
- Editing the passkey shows correct page. Title, heading, form labels, form
value, and buttons are as expected. After editing, passkey is updated
properly.
- Deleting the passkey shows a model dialog with correct details. After
confirmation, passkey is removed and page is refreshed.
- Error handling:
- On GNOME's Web, clicking the 'Add Passkey' shows the error 'Browser does
not support passkeys'.
- On Chromium, clicking the 'Add passkey' shows the error 'NotAllowedError:
WebAuthn is not supported on sites with TLS certificate errors.'
- Raising an error in passkey_add_begin() results in correct error message
shown with 'Add passkey' button is clicked. Status code is 500.
- Raising an error in passkey_add_complete() results in correct error
message shown after unlocking the hardware token. Status code is 500.
- Canceling the PIN dialog results in '...user denied permission' error
alert.
- Canceling the touch dialog results in '...user denied permission' error
alert.
- Multiple failed attempts result in multiple alerts being shown at the same
time.
- Editing another user's passkeys:
- Listing passkeys show correct list of passkeys for the user account being
managed.
- Adding passkeys adds correctly to the user account being managed.
- Editing passkey correctly edits passkey of the user account being managed.
Redirect happens to the correct page after.
- Deleting passkey correctly edits passkey of the user account being
managed. Redirect happens to the correct page after.
- If a non-admin user tries to access passkeys list/edit/delete URL of
another user, 403 Forbidden error is raised
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- systemd-run --pipe
--property=BindReadOnlyPaths=/usr/share/freedombox/etc/needrestart/conf.d/freedombox-self.conf:/etc/needrestart/conf.d/freedombox-self.conf
ls -la /etc/needrestart/conf.d/ shows that the new configuration is listed as
expected.
- Running about command with 'cat /etc/needrestart/conf.d/freedombox-self.conf'
shows that configuration content is as expected.
- Running functional tests for coturn app work as expected. systemd journal
shows that transient services are being created to run apt commands.
- After the execution of an operation an empty file is created as
/etc/needrestart/conf.d/freedombox-self.conf.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[Sunil]:
- Drop Uwsgi component entirely. After the changes, it mostly looks like Daemon
component minus some features. One change that Uwsgi component does is when
component is disabled, it also stops and disables the .service unit. Stopping
the service is useful and we can add this to Daemon component.
- Use /run instead of /var/run/ as 1) /var/run is a symlink to /run 2) /run/
path is what is listed in uwsgi-app@.socket unit file.
- Implement upgrade for apps from older version. Disable and mask uwsgi init.d
script. Enable the daemon component if the webserver component is enabled.
- Update manifest files to deal with .socket units instead of 'uwsgi' service.
Backup the /var/lib/private directories as that is actual directory to backup
with DynamicUser=yes.
- For bepasty load the configuration as a systemd provided credential since
DynamicUser=yes.
- Remove the /var/lib/private directories during uninstall.
- Don't create user/group for bepasty as it is not needed with DynamicUser=yes.
Tests:
- Radicale
- Functional tests pass
- Freshly install radicale.
- Web interface works.
- Create and edit calendars
- Path of the storage directory is in /var/lib/private/radicale (after
accessing web interface)
- Permissions on the storage folder and files inside are set to nobody:nobody.
- Uninstall removes the /var/lib/private/radicale directory.
- Create a calender and backup the app. Uninstall the app. Re-install the app.
The calendar is not available. After restoring the backup, the calendar is
available.
- Install radicale without patch and create a calendar. Apply patches and
start plinth.service. Setup is run. UWSGI is disabled and masked. Service is
running. Old calender is visible.
- Install radicale without patch. Disable and apply patches and start
plinth.service. Setup is run. UWSGI is disabled and masked. Service is not
running. Enabling the service works.
- After upgrade, data storage path got migrated to /var/lib/private/radicale.
Old data is accessible.
- After upgrade the directory is still owned by radicale:radicale.
- Freshly install radicale with patch and restore an old backup. The data is
available in the web interface and data was migrated to
/var/lib/private/radicale.
- Bepasty
- Functional tests pass
- Freshly install bepasy.
- Enabling and disabling rapidly works.
- Uploading files works.
- Path of the storage directory is /var/lib/private/bepasty.
- Permissions on the storage folder are as expect 755 but on the parent are
700.
- Permissions on the stored files are 644 and owned by nobody:nobody.
- Uninstall removes the /var/lib/private/bepasty directory.
- Upload a picture and backup the app. Uninstall the app. Re-install the app.
The uploaded file is not available. After restoring the backup, the uploaded
file is available.
- Install bepasty without patch and upload a file. Apply patches and start
plinth.service. Setup is run. UWSGI is disabled and masked. Service is
running. Old uploaded picture is visible.
- Install bepasty without patch. Disable app. Apply patches and start
plinth.service. Setup is run. UWSGI is disabled and masked. Service is not
running. Enabling the service works.
- After upgrade, data storage path got migrated to /var/lib/private/bepasty.
Old data is accessible.
- After upgrade the directory is still owned by bepasty:bepasty.
- Freshly install bepasty with patch and restore an old backup. The uploaded
file is available in the web interface and data was migrated to
/var/lib/private/bepasty.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Without patch, open FeatherWiki wiki and save after 5 minutes. Save fails.
- Apply the patch, Apache app setup is run and mod_auth_openidc configuration
is updated. Open FeatherWiki wiki and save after 5 minutes. Save works, wiki
contents are saved.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
In the upstream demo, https://janus.conf.meetecho.com/demos/videoroom.html, the
font-awesome glyphicons were only being used to show the 'user' icon next to
alias text field. We have replaced that with a simple unicode character. We also
seem to have dropped the dependency on Debian package. However, we seem to
forgotten to remove the inclusion of the JS file. This leads to a 404 error when
loading Janus room.
Tests:
- The page loads and works as expected. The 'user' icon shows up. There are no
404 errors in the browser console.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Adding and deleting a custom service no longer results in an error message.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- The icons appears as before in the app page in light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- The icons appears as before on the add/edit/delete buttons in light/dark
themes.
- The icon appears as before on the error message.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Drop unnecessary inkscape markup.
- Ensure that all the SVGs have viewBox='' attribute.
- Drop unnecessary id='' attributes.
- Prefix all IDs with 'autoidmagic-'. This will be replaced with a random string
for each inlining in HTML to avoid duplicate IDs.
Tests:
- All SVGs appear the same as before.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Remove the following warnings when running functional tests.
plinth/modules/calibre/tests/test_functional.py:13: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.sso, pytest.mark.calibre]
plinth/modules/kiwix/tests/test_functional.py:15: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.sso, pytest.mark.kiwix]
plinth/modules/searx/tests/test_functional.py:9: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.searx, pytest.mark.sso]
plinth/modules/syncthing/tests/test_functional.py:11: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.syncthing, pytest.mark.sso]
plinth/modules/transmission/tests/test_functional.py:13: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.transmission, pytest.mark.sso]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Fixes: #2568.
When Let's Encrypts events are fired for all applications, they happen on apps
that install as well. They have not been a problem so far because seem to
succeed always. However, ejabberd recently changed to having '*' for list of
domains accepted and also has non-root account for certificate ownership. This
combination causes a certificate operation to fail as the package 'ejabberd' is
not installed and 'ejabberd' user is not available. Fix this by making limiting
certificate operations to apps that have been installed.
Tests:
- Add a new domain name to a production FreedomBox using the Dynamic DNS
'tester' account. 'ejabberd' app should not be installed. LE events fire and a
log message showing failure is noticed. All the events after the failure for
other apps also succeed. The failure is a minor and contained to ejabberd.
- Apply the patch and revoke the certificate. LE event is fired on all other
installed apps but not on ejabberd. No error is logged.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Django's request.get_host() use X_FORWARDED_HOST when appropriate and falls
back to HTTP_HOST. In case of FreedomBox due to 'ProxyPreserveHost On' in Apache
configuration, both the values are the same. So, it makes no difference.
- Also document the need for 'ProxyPreserveHost On' in another validation.
Tests:
- Log the value of request_host, request.META['HTTP_HOST'], and
request.META['X_FORWARDED_HOST'] in DiscoverIDPView:get(). All the values are
same when accessing with IP address value not starting with 127.0.0.1.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Update download link to .exe provided by WireGuard.
A utility that downloads, verifies and executes provided MSIs.
source: https://www.wireguard.com/install/
Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Link to the F-Droid WireGuard package returns 404 Not Found.
WireGuard seems to no longer be packaged by F-Droid.
Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Since FreedomBox does not depend on the package anymore, unattended-upgrades
will remove the package. This causes Apache2 to fail to start. Disable the
module from Apache2 configuration.
Tests:
- Remove the libapache2-mod-auth-pubtkt package. Re-run apache app setup by
incrementing it version number. Apache will fail to start. Apply the patch and
increment the version number. auth_pubtkt module will be disabled and Apache is
automatically running again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
