3654 Commits

Author SHA1 Message Date
Sunil Mohan Adapa
64f1a1c918
apache: Implement protecting apps using OpenID Connect
- Use the excellent Apache module auth_openidc.

- Implement macros that can be easily used to configure OpenID Connect.

Tests:

- Accessing /freedombox/apache/discover-idp/ shows

  - 'method' other than 'get' throws a 'bad request' error

  - oidc_callback should match host. Otherwise 'bad request' error is raised.

  - Mismatched host header is not allowed

  - Invalid domain setup is not allowed

  - target_link_uri is returned as is

  - method is returned as is and only 'get' is allowed.

  - x_csrf is returned as is

  - oidc_scopes is returned as 'email freedombox_groups'

  - HTTP request is answered and not redirected to https

- When logging in with OIDC, authorization is skipped. When authorization is
shown, it is shown as 'Web app protected by FreedomBox'.

- libapache2-mod-auth-openidc is added as a dependency for freedombox package. It
is installable in stable, testing, and unstable distributions.

- On applying patches, Apache setup configuration is run and OpenIDC component
is created.

- When patches are applied and setup install is run, auth_openidc module,
10-freedombox, freedombox-openidc config is enabled in Apache.

- When setup is rerun, passphrase is not changed

- metadata directory and parent are created when apache setup is run. Mode is
0o700 and ownership is www-data.

- freedombox-openidc is created when apache setup is run and has 0o700
permissions.

- Metadata directory will contain the client id and client passphrase when
discovery happens for a particular domain.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 20:51:06 -05:00
Sunil Mohan Adapa
cdfbff0b6b
oidc: Style the page for authorizing an OIDC app
Tests:

- Appearance is acceptable: top margin, width of the readable text, heading
centering, list top/bottom margins, SVG icon for application, md mode icon size,
submit button width, margins.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 20:51:00 -05:00
Sunil Mohan Adapa
45076cc603
oidc: New app to implement OpenID Connect Provider
- Add a component to easily manage registration of client applications.

Tests:

- Package build is successful and has dependency on python3-django-oauth-toolkit

- python3-django-oauth-toolkit can be installed on stable, testing and unstable
containers

- /.well-known/openid-configuration and /.well-known/jwks.json are served
properly.

- /o/ URLs don't require login to access

- When logging in list of claims includes 'sub', email, freedombox_groups.

- Logging in using IP address works. Also works with a port.

- Logging in using 127.0.0.1 address works. Also works with a port.

- Logging in using localhost works. Also works with a port.

- Logging in with IPv6 address works. Also works with a port.

- Logging in with IPv6 [::1] address works. Also works with a port.

- Logging in with IPv6 link-local address with zone ID is not possible (as
browsers don't support them).

- When authorization page is enabled, scopes show description as expected.

- When domain name is added/removed, all OIDC components are updated with
expected domains

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 20:50:46 -05:00
Sunil Mohan Adapa
bbbe2cf950
tests: functional: Fix expecting FreedomBox to be home page
In some cases, we are visiting / and expecting to reach the home page of
FreedomBox UI. When due to failed tests in config app, the home page is set to
something other than FreedomBox UI, these tests fail. Fix this by visiting
/freedombox explicitly instead.

Tests:

- When home page is set to Syncthing, kiwix functional tests pass.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 20:50:36 -05:00
Sunil Mohan Adapa
168f662a17
*: Update URL base from /plinth to /freedombox
- Since we are going to be an OpenID Provider, we need to fix the URLs that
other apps will be configured with for authentication. So change now from
/plinth to /freedombox. If done later, it will be harder since all the
configuration files for all dependent apps will need to be updated.

Tests:

- App availability checking works. Request goes to /freedombox URL

- Favicon is served properly and through /favicon.ico URL

- Redirection happens from / to /freedombox directly

- UI is available on /freedombox and on /plinth

- Manual page shows /freedombox as the URL in two places

- Static files are successfully served from /freedombox URLs. URLs inside page
start with /freedombox

- backup, bepasty, calibre, config, dynamicdns, ejabberd, featherwiki, gitweb,
ikiwiki, kiwix, miniflux, names, openvpn, shadowsocks, shadowsocksserver,
sharing, snapshot, tiddlywiki, users, wireguard, jsxc, matrixsynapse, first
wizard, storage, samba, tags functional tests work. Backup/restore test for
matrixsynapse fails due to an unrelated bug (server not restarted after
restore).

- Setting the home page works:

  - Having /plinth in the home page configuration works. Shows selection
    correctly.

  - Setting to app works. Shows selection correctly.

  - Setting to user home page (sets /freedombox). Shows selection correctly.

  - Setting to apache default works. Shows selection correctly.

  - Changing back to FreedomBox service works. Shows selection correctly.

- Unit tests work

- Configuration page shows /freedombox in description but not /plinth

- Diagnostics show /freedombox in tests

- Roundcube URL link in email app has /freedombox

- email loads the page /.well-known/autoconfig/mail/config-v1.1.xml correctly

- email app shows /freedombox/apps/roundcube for /roundcube if roundcube is not
installed.

- networks: router configuration page shows URL starting with /freedombox.

- snapshot: Shows URL starting with /freedombox on the app page

- js licenses page uses /freedombox prefix for JSXC.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 20:50:30 -05:00
Sunil Mohan Adapa
854916c54c
syncthing: tests: Fix tests by allowing rapid restarts
Tests:

- Functional tests for syncthing pass.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 20:50:25 -05:00
Sunil Mohan Adapa
778c35f2bc
matrixsynapse: Update apache config to proxy Synapse client API
- Use the recommended configuration from Matrix Synapse documentation.

  - Preserve Host: header.

  - Set the X-Forwarded-Proto header.

  - Don't decode encoded slashes in the URLs during proxying.

- Also proxy Synapse client API.

Tests:

- Web app at app.element.io is able to connect to a local server using browser.
Two clients can chat with each other.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 20:50:04 -05:00
Sunil Mohan Adapa
bf83cb5a5b
*: Remove some absolute file paths in SVGs
- They are not useful.

Tests:

- All the modified SVG files load and show as expected.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 20:50:01 -05:00
Frederico Gomes
af6d1d9a4c
miniflux: Get credentials from dbconfig-common directly
Fixes: #2562

Newer miniflux package does not create a separate file called
/etc/miniflux/database. Instead it writes the database URL directly into
/etc/miniflux/miniflux.conf. It is easier to create the database settings from
dbconfig-common than to read them from miniflux.conf.

Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-03-02 12:56:24 -08:00
Frederico Gomes
72005d6205
miniflux: Revert workaround for a packaging bug with DB connection
This reverts commit 9af9a504e09b8021041a7d8fe4540574f42edc1c.

This workaround is no longer needed as the file is no longer used.
Reverted as per:
https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2752#note_728315

**plinth/modules/miniflux/__init__.py**

- Keep version bump

**plinth/modules/miniflux/privileged.py**

- Keep docstring fix

Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-03-02 12:54:39 -08:00
Sunil Mohan Adapa
4b24fda3f5
wireguard: Accept/use netmask with IP address for server connection
- Currently, the value is hard-coded as /24. Instead take this as input and use
that value.

Tests:

- Entering invalid IPv4 address results in 'Enter a valid IPv4 address' error
message during form submission.

- Entering invalid prefix such as /33 results in 'Enter a valid network prefix
or net mask.' error during form submission.

- Both /32 and /255.255.255.255 formats are accepted.

- The description text for the form field 'IP address' is as expected.

- Changing the value of default route and IP address + netmask reflects in the
status page. Correct values are shown in the edit server and server status page.

- Not providing a netmask results in /32 being assigned.

- Unit and functional tests for wireguard pass. There are some intermittent
failures with functional tests that are unrelated to the patch.

- Setting the /32 prefix results in correct routing table as shown by 'ip route
show table all'. No default routes or network routes are present. 'traceroute
1.1.1.1' shows route taken via regular network.

- Setting the /24 prefix results in correct routing table. No default routes are
present. However, for the /24 network a route is present with device wg1.
'traceroute 1.1.1.1' shows route taken via regular network.

- Enabling the default route results in correct routing table. Default route is
shown for device wg1 with high priority. 'traceroute 1.1.1.1' shows route taken
via WireGuard network.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 15:22:36 -05:00
Sunil Mohan Adapa
ad9ebe2301
wireguard: Show status of default route in server information page
Tests:

- Create a server connection with default route setting 'on'. See that the
server status page reflects the value correctly. Repeat for 'off'.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 15:22:33 -05:00
Sunil Mohan Adapa
7e7e7a6ccf
wireguard: Fix showing default route setting in server edit form
- The default route is not decided by the subnet on the IP address assigned. It
is to be decided using the list of allowed peers in the wireguard settings.

Tests:

- Set the default route setting to 'on' while creating the connection. In the
edit server page, the value is shown correctly. Repeat with 'off' value.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 15:22:29 -05:00
Sunil Mohan Adapa
643a06c7cd
wireguard: Fix format when showing multiple endpoints of the server
- Show them in multiple lines using <pre> like before.

Tests:

- Multiple endpoints are shown in one line each using <pre> tag.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 15:22:26 -05:00
Sunil Mohan Adapa
8a7e70aab2
gitweb: Fix issue with running post init due to missing method
Fixes: #2563.

Also see
https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2740

Test:

- Functional tests for gitweb pass.

- Without the patch, install gitweb and enable it. Restart FreedomBox service.
The error message in #2563 is reproduced. With the patch, the error disappears.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-03-02 14:58:16 -05:00
Sunil Mohan Adapa
6ba35df665
ejabberd: Fix setting up certificates for multiple domains
Fixes: #2566.

Thanks to joeDoe for helping with identifying the bug and confirming a fix.

- Currently, when multiple domains are configured, only one certificate is
set up. One domain works properly and other domains will end up using the certificate
for the configured domain. This leads to domain validation errors on the
client-side.

- Copy certificates for all domains to /etc/ejabberd/letsencrypt directory
whether they are configured for ejabberd or not.

- Use the new certfiles: directive to provide multiple certificates. Don't use
and remove the old s2s_certfile: directive. Migrate old configuration.

Tests:

- Functional tests for ejabberd work.

- Installing ejabberd freshly works. s2s_certfile: is not present in the
configuration file. certfiles: is present with wildcard for LE certs.

- Install ejabberd without the patch. s2s_certfile: is present and certfiles:
does not contain the wildcard for LE certificates. Apply the patch. Setup is
re-run for ejabberd app and succeeds. s2s_certfile: is removed from
configuration file. certfiles: contains wildcard for LE certificates.
/etc/ejabberd/letsencrypt/ contains certificates for all the configured domains
on the system.

- Adding domain works. Certificate for newly configured domain is copied into
the ejabberd LE cert directory. ejabberd daemon is reloaded. hosts: list is updated.

- Removing domain works. Certificate for the old domain is retained in the
ejabberd LE directory. ejabberd daemon is not reloaded.

- Setting the list of domains works. Old certificates are retained in the
ejabberd LE directory. ejabberd daemon is reloaded. hosts: list is updated.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-28 13:25:00 -05:00
Frederico Gomes
57816029e5
wireguard: Fix split tunneling
- Currently, when adding a server, we have an option for 'default route' but
unchecking it does not work. This is due to allowed_peers always containing
::0/0 and 0.0.0.0/0. Fix this by setting the allowed_peers to a value containing
only the IP of the WireGuard network.

Tests:

- When default routing is checked, routing table shows default route for
wireguard device. Traceroute confirms routing through WireGuard network.

- When default routing is unchecked, routing table does not show default route
for wireguard device. Traceroute confirms routing through regular network.

Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-26 23:06:30 -08:00
James Valleroy
2044fa3e84
mumble: murmurd renamed to mumble-server
- Update backup manifest config file location.

Fixes #2518

Tests:

- mumble functional tests are passed.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-24 12:28:16 -08:00
Sunil Mohan Adapa
9a16e20fa9
letsencrypt: When copying certificate reset the umask reliably
- When there is an error writing to certificate files, the umask is not reset
properly. Fix this by using umask context manager from action utils. This could
be core reason behind: #2564.

Tests:

- Changing the domain name creates the file /var/lib/quassel/quasselCert.pem
with the proper permissions of 0o600. If in Quassel app's Let's Encrypt component
the certificate file path is changed, then two files are created on domain name
change. Private key is created with 0o600 permissions and certificate file is
created with 0o644 permissions.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-22 14:17:51 -05:00
Sunil Mohan Adapa
03b4a78fd0
quassel: Explicitly set permissions on the domain configuration file
Closes: #2564

Tests:

- Changing the domain name in quassel app page sets the expected file
permissions. Changing the value in the code results in file getting created with
changed permissions.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-22 14:17:47 -05:00
Frederico Gomes
f0a36f11ba
wireguard: show server vpn ip in show client page
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-15 10:00:00 -05:00
Frederico Gomes
b18c37a5f6
wireguard: improved server section UX flow
Originally aimed to show server info (public key, endpoints) in a table.

Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[jvalleroy: Remove trailing spaces]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-15 09:38:40 -05:00
Frederico Gomes
59329169e4
wireguard: filter .local addresses from showClient view
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-06 12:50:05 -08:00
Sunil Mohan Adapa
df7793916c
backups: Fix type checking errors
- Use the passed in argument for copy_ssh_client_public_key instead of
overwriting it.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-06 11:39:04 -08:00
Sunil Mohan Adapa
5da5ef5f96
backups: Create a better comment in the generated SSH key file
Tests:

- When /var/lib/plinth/.ssh is deleted and add remote repository form is
visited, the directory along with SSH key files are created. The .pub file has
the expected comment freedombox@configured_domain.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:49 -08:00
Sunil Mohan Adapa
4ae66c034c
backups: Fix showing proper error for incorrect passphrase
Tests:

- Provide incorrect passphrase when adding a remote repository. Should show a
message that passphrase is incorrect and redirect back to add remote repository
form.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:46 -08:00
Sunil Mohan Adapa
e21ab91b21
backups: Create .ssh folder before creating SSH key
- As a safeguard although it should exist because of a prior verification of
SSH key.

- Minor refactor to make the method flatter.

Tests:

- Remove /var/lib/plinth/.ssh and visit add remote repository form. The public
key is displayed in the form. The files in /var/lib/plinth/.ssh are created with
expected permissions.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:42 -08:00
Sunil Mohan Adapa
dd0a0f56a6
backups: Simplify handling of migration to SSH keys
- Integrate SSH error handling into borg error handling.

- Move logic to migrate SSH keys into lower levels (Repository class) so that it
can be performed at more instances such as when initializing repository. It also
provides better abstraction keeping the view logic simpler.

- Drop ability to mount repository using password. This is important next step
for mounting using systemd unit files.

- Use exceptions to eliminate return value checking.

- Create a special exception for exceptions raised during SSH operations. Raise
this at lower levels and handle these using the common error handler.

Tests:

- Adding a remote repository with key and password authentication works with and
without encryption. Adding with SSH host key pre-verified works too.

- Trying to add a remote repository with incorrect passphrase fails with the
simplified error message. Redirect happens to add remote repository page. Error
message with SSH host key pre-verified works too. Repository is removed.

- Trying to provide wrong SSH password fails with a simplified error message.
Redirect happens to add remote repository page. Repository is removed.

- Mounting a repository after unmounting it works.

- Mounting a repository with SSH password in its configuration works. Migration
is performed and SSH password is replaced with SSH key file path.

- A schedule for a repository with SSH password runs successfully. An archive is
created. Migration is performed and SSH password is replaced with SSH key file
path.

- SSH identity files are created with plinth:plinth ownership. Private key file
is created with 0o600 permissions and public key file is created with 0o644
permissions.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:39 -08:00
Sunil Mohan Adapa
a7ef60015c
backups: Minor refactoring
Tests:

- Adding a remote repository with key and password authentication works with and
without encryption.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:36 -08:00
Sunil Mohan Adapa
2208a7b210
backups: tests: Simplify functional test using more classes
- This makes the functional test focus more on the repository that is added
rather than all remote repositories.

Tests:

- Functional tests for backups app works.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:33 -08:00
Sunil Mohan Adapa
ff7c3a53a5
backups: Tweak appearance of add remote location form
- Use bootstrapform templates where possible to reduce code.

- Fix incorrect tag for radio button for password authentication.

- Drop borders and instead:

  - Style each group as a section. This includes encryption section and
  repository path section.

  - Utilize the simplicity as passwords fields are not displayed.

- Retain <label> tag so that clicking on it works and it is also easier for
accessibility tools.

Tests:

- The option for password authentication works as expected. The fields for
encryption passphrase, ssh password work as before.

- Clicking on form labels focuses the form element.

- Adding a repository with key and password authentication works with and
without encryption.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:30 -08:00
Sunil Mohan Adapa
7d3d930137
backups: Show/hide form elements instead of disabling for simplicity
- Unlike the case of network forms, for example, there is nothing the user could
infer from a disabled form element. If they see a disabled DNS field, they would
understand that it is an editable value but has been disabled due to other
option values. It is important to allow users to discover this. However, in case
of password fields, they are not needed to be shown to the user unless the
appropriate option is selected.

Tests:

- In the add remote repository form, selecting the authentication type radio
options shows and hides the password field. Selecting the value for encryption
type shows and hides the encryption password field.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:26 -08:00
Sunil Mohan Adapa
ad40072267
backups: Fix issue with Javascript in add remote location form
Tests:

- In remote repository add form, selecting radio options for authentication
types does not throw an error. The password field is shown/hidden as expected.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:23 -08:00
Sunil Mohan Adapa
305b1f01f5
backups: Avoid some repeated text in form help text
Tests:

- The remote repository add form shows form elements are updated as expected.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-05 22:33:20 -08:00
James Valleroy
3cb5d1a936
backups: Migrate to SSH key auth when mounting
Tests:

- On main branch, add a remote repository with SSH password. Unmount
  the remote location.

- Switch to branch with this change. Mount the remote location. Logs
  show that it is migrated from password to key authentication. Plinth
  database no longer contains password for this remote.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-05 22:33:14 -08:00
James Valleroy
8b9413c719
backups: Arrange form for adding remote location
- Group together related fields with borders.

- Display errors on form and fields.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-05 22:33:11 -08:00
James Valleroy
451e582c07
backups: Test adding/removing remote location
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-05 22:33:07 -08:00
James Valleroy
043bd44dec
backups: Use selected SSH credential for remote
- Use javascript to disable or enable password fields.

- If SSH key auth is selected, then try the connection.

- If SSH password auth is selected, then copy the key.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-05 22:33:04 -08:00
James Valleroy
3558a26b2f
backups: Use SSH key instead of password
- After copying the SSH client public key to the remote host, replace
  the SSH password credential with keyfile.

- Also use SSH key when checking that remote directory exists.

Tests:

- Add remote backup location "tester@localhost:~backups". Test various
  operations like create backup, download backup, unmount and
  mount. Confirm that SSH password is no longer present in plinth
  sqlite database.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-05 22:33:01 -08:00
James Valleroy
f689e1b3cf
backups: Copy SSH client public key to remote
Tests:

- In development VM, add a remote backup location of "tester@localhost:~/backups".
  Verify the SSH host key. plinth@freedombox key is listed in
  /home/tester/.ssh/authorized_keys.

- Remove the remote backup location, and delete /home/tester/.ssh/authorized_keys.
  Add the same remote backup location again. plinth@freedombox key is again
  listed in /home/tester/.ssh/authorized_keys.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-05 22:32:58 -08:00
James Valleroy
7fb41313cd
backups: Display SSH public key when adding remote
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-05 22:32:55 -08:00
James Valleroy
156d0b761f
backups: Generate SSH client key if needed
Tests:

- Click on Add Remote Backup Location. Logs show that SSH client key is
  generated. The private key is readable only by plinth user.

- Go back, and click on Add Remote Backup Location again. Logs show that SSH
  client key already exists.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-05 22:32:52 -08:00
Sunil Mohan Adapa
e37d26abee
ui: Refactor notification delete buttons to avoid repeating code
Tests:

- Through code changes, ensure that dist upgrade notification, updated to new
release notification, privacy notification, and app installed notification show
up. Ensure that they have correct hx- attributes and URL property for dismiss
button. Clicking dismiss button works as expected.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
2026-02-04 08:40:43 +05:30
Joseph Nuthalapati
13a575017c
ui: Dismiss notifications without page reload
- Delete only the <li> of the notification using HTMX.
- Notifications list stays open. User can dismiss another notification.
- Decrement notification counter using JavaScript after removing
  notification from the list.
- Added HTMX to every kind of notification.
- Tested dismissing notifications from the top, middle and bottom of the
  list.

Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Update comment format in .js file]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-03 14:16:55 -08:00
Frederico Gomes
57f5105fd0
wireguard: show server endpoint on main app page
Display the WireGuard server endpoint (ip_address:listen_port)
alongside the public key on the main WireGuard page,
so users configuring clients can copy both values directly.

Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
[sunil: Keep the docstring]
[sunil: Adjust markup to eliminate <p> inside <p>]
[sunil: Produce a single <pre> tag instead of multiple for multiple domains]
[sunil: Minor refactoring for more concise code]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-02-02 13:07:53 -08:00
Sunil Mohan Adapa
f4b1eb23ac
wireguard: Remove NM connections when app is uninstalled
Tests:

- Install WireGuard and start the server. Uninstall the app and re-install.
Without the patch, the connections remain after uninstall. With the patch, the
connections are removed after uninstall and return to pristine state after
re-install.

- Functional tests succeed.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2026-02-01 08:37:18 -05:00
Frederico Gomes
b0a841c63a
wireguard: Show next available client IP in Add Client form
Display the next available IP address that will be
automatically assigned when adding a new client.

Helps admins know what client IP to provide when configuring client
connections back to this server.

Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
[sunil: Turn the IP address styling into a form element]
[sunil: Update the comment style for consistency]
[sunil: Update the label for clarity]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2026-01-28 13:05:51 -08:00
James Valleroy
0614b5e509
wireguard: Update functional tests to handle Start Server button
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-01-21 20:47:21 -05:00
Frederico Gomes
53f7c75d8e
wireguard: add 'Start Server' button with confirmation page
Adds explicit UI flow to generate server keypair and interface.

- New EnableServerView
- Conditional 'Start Server' button on main page when no wg0
- Button switches to 'Add Client' after server setup

Solves circular dependency UX issue when connecting two FBs

EDIT: Following review feedback, I removed the intermediate
confirmation page.
The “Start WireGuard Server” button now sends a POST
directly from the main page.

Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[jvalleroy: Change from TemplateView to View]
[jvalleroy: Remove redundant import]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2026-01-21 20:19:46 -05:00
Joseph Nuthalapati
958ac2e0a5
gitweb: Fix deleting last repo disables app
GitWeb requires authenticated access if there are no public
repositories left.

1. Create a public repository
2. Delete the repository (i.e. delete the last/only repository)
3. GitWeb app shows as disabled, but is still usable
4. If another repository is created, the app becomes enabled again

Not considering the component GitwebWebserverAuth when determining
whether the app is enabled or disabled.

This commit fixes the status shown in the configuration page, but keeps
the authentication requirement if there are no public repositories.

Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2026-01-12 11:10:14 +02:00