Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Adding and deleting a custom service no longer results in an error message.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- All the icons appear as before in both light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- The icons appears as before in the app page in light/dark themes.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- The icons appears as before on the add/edit/delete buttons in light/dark
themes.
- The icon appears as before on the error message.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Drop unnecessary inkscape markup.
- Ensure that all the SVGs have viewBox='' attribute.
- Drop unnecessary id='' attributes.
- Prefix all IDs with 'autoidmagic-'. This will be replaced with a random string
for each inlining in HTML to avoid duplicate IDs.
Tests:
- All SVGs appear the same as before.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Remove the following warnings when running functional tests.
plinth/modules/calibre/tests/test_functional.py:13: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.sso, pytest.mark.calibre]
plinth/modules/kiwix/tests/test_functional.py:15: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.sso, pytest.mark.kiwix]
plinth/modules/searx/tests/test_functional.py:9: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.searx, pytest.mark.sso]
plinth/modules/syncthing/tests/test_functional.py:11: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.syncthing, pytest.mark.sso]
plinth/modules/transmission/tests/test_functional.py:13: PytestUnknownMarkWarning: Unknown pytest.mark.sso - is this a typo? You can register custom marks to avoid this warning - for details, see https://docs.pytest.org/en/stable/how-to/mark.html
pytestmark = [pytest.mark.apps, pytest.mark.transmission, pytest.mark.sso]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Fixes: #2568.
When Let's Encrypts events are fired for all applications, they happen on apps
that install as well. They have not been a problem so far because seem to
succeed always. However, ejabberd recently changed to having '*' for list of
domains accepted and also has non-root account for certificate ownership. This
combination causes a certificate operation to fail as the package 'ejabberd' is
not installed and 'ejabberd' user is not available. Fix this by making limiting
certificate operations to apps that have been installed.
Tests:
- Add a new domain name to a production FreedomBox using the Dynamic DNS
'tester' account. 'ejabberd' app should not be installed. LE events fire and a
log message showing failure is noticed. All the events after the failure for
other apps also succeed. The failure is a minor and contained to ejabberd.
- Apply the patch and revoke the certificate. LE event is fired on all other
installed apps but not on ejabberd. No error is logged.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Django's request.get_host() use X_FORWARDED_HOST when appropriate and falls
back to HTTP_HOST. In case of FreedomBox due to 'ProxyPreserveHost On' in Apache
configuration, both the values are the same. So, it makes no difference.
- Also document the need for 'ProxyPreserveHost On' in another validation.
Tests:
- Log the value of request_host, request.META['HTTP_HOST'], and
request.META['X_FORWARDED_HOST'] in DiscoverIDPView:get(). All the values are
same when accessing with IP address value not starting with 127.0.0.1.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Update download link to .exe provided by WireGuard.
A utility that downloads, verifies and executes provided MSIs.
source: https://www.wireguard.com/install/
Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Link to the F-Droid WireGuard package returns 404 Not Found.
WireGuard seems to no longer be packaged by F-Droid.
Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Since FreedomBox does not depend on the package anymore, unattended-upgrades
will remove the package. This causes Apache2 to fail to start. Disable the
module from Apache2 configuration.
Tests:
- Remove the libapache2-mod-auth-pubtkt package. Re-run apache app setup by
incrementing it version number. Apache will fail to start. Apply the patch and
increment the version number. auth_pubtkt module will be disabled and Apache is
automatically running again.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Clear out the directory /var/cache/apache2/mod_auth_openidc/metadata/. Then
run diagnostics on Calibre app without the patch. Several URLs fail because 404
has been returned on <domain>/calibre URL. With the patch the diagnostics
succeed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- 'make install' removes enabled sso module
- Already logged in users stay logged in after update
- Apps need to re-authenticate of update (but this is transparent)
- Login and logout work as expected
- Failed login attempts lead to CAPTCHA form
- CAPTCHA form can't be skipped
- Answering CAPTCHA form will lead back to login page
- Users functional tests work
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Migrate old configuration file to new format.
Tests:
- Admin user is able to access a share.
- User belonging to a group allowed to access the share is able to access the
application.
- Regular user is not able to access the application.
- Anonymous user is not able to access the application.
- Setup is run after applying patches.
- Old shares are migrated from old style auth from authpubtkt to oidc. Name,
path, is_public, groups are presevered
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work.
- Admin user is able to access the application
- User belonging to special group is able to access the application
- Regular user is not able to access the application
- Anonymous user is not able to access the application
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work.
- Admin user is able to access the application
- User belonging to special group is able to access the application
- Regular user is not able to access the application
- Anonymous user is not able to access the application
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work.
- Admin user is able to access the application
- User belonging to special group is able to access the application
- Regular user is not able to access the application
- Anonymous user is not able to access the application
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Regression: Users who to don't have git-access permission can't access the
public repositories.
Tests:
- Functional tests work.
- Admin user is able to view and access the repos when there are some public
repos and when there no public repos.
- User belonging to git-access are regular usrs are unable to access private
repos. But they are also not able to access the public repos. They have to
logout to be able to do that.
- Anonymous user is not able to access the application if all repos are private.
If there is at least one public repo, the repo listing can be accessed and
public repos can be seen and accessed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work.
- Admin user is able to access the application
- User belonging to special group is able to access the application
- Regular user is not able to access the application
- Anonymous user is not able to access the application
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work.
- Admin user is able to access the application
- User belonging to special group is able to access the application
- Regular user is not able to access the application
- Anonymous user is not able to access the application
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work.
- Admin user is able to access the application
- Regular user is not able to access the application
- Anonymous user is not able to access the application
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work.
- Admin user is able to access the application
- User belonging to special group is able to access the application
- Regular user is not able to access the application
- Anonymous user is not able to access the application
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Application is not installable in stable and testing. It is not functional in
unstable.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work.
- Admin user is able to access the application
- User belonging to special group is able to access the application
- Regular user is not able to access the application
- Anonymous user is not able to access the application
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests work.
- Admin user is able to access the application
- User belonging to special group is able to access the application
- Regular user is not able to access the application
- Anonymous user is not able to access the application
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Use the excellent Apache module auth_openidc.
- Implement macros that can be easily used to configure OpenID Connect.
Tests:
- Accessing /freedombox/apache/discover-idp/ shows
- 'method' other than 'get' throw a 'bad request' error
- oidc_callback should match host. Otherwise 'bad request' error is raised.
- Mismatched host header is not allowed
- Invalid domain setup is not allowed
- target_link_uri is returned as is
- method is returned as is and only 'get' is allowed.
- x_csrf is returned as is
- oidc_scopes is returned as 'email freedombox_groups'
- HTTP request is answered and not redirected to https
- When logging in with OIDC, authorization is skipped. When authorization is
shown, it is shown as 'Web app protected by FreedomBox'.
- libapache2-mod-auth-openidc is added a dependency for freedombox package. It
is installable in stable, testing, and unstable distributions.
- On applying patches, Apache setup configuration is run and OpenIDC component
is created.
- When patches are applied and setup install is run, auth_openidc module,
10-freedombox, freedombox-openidc config is enabled in Apache.
- When setup is rerun, passphrase is not changed
- metadata directory and parent are created when apache setup is run. Mode is
0o700 and ownership is www-data.
- freedombox-openidc is created when apache setup is run and has 0o700
permissions.
- Metadata directory will contain the client id and client passphrase when
discovery happens for a particular domain.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Add a component to easily manage registration of client applications.
Tests:
- Package build is successful has dependency on python3-django-auto-toolkit
- python3-django-oauth-toolkit can be installed on stable, testing and unstable
containers
- /.well-known/openid-configuration and /.well-known/jwks.json are servered
properly.
- /o/ URLs don't require login to access
- When logging in list of claims includes 'sub', email, freedombox_groups.
- Logging in using IP address works. Also works with a port.
- Logging in using 127.0.0.1 address works. Also works with a port.
- Logging in using localhost works. Also works with a port.
- Logging in with IPv6 address works. Also works with a port.
- Logging in with IPv6 [::1] address works. Also works with a port.
- Logging in with IPv6 link-local address with zone ID is not possible (as
browsers don't support them).
- When authorization page is enabled, scopes show description as expected.
- When domain name is added/removed, all OIDC components are updated with
expected domains
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
In some cases, we are visiting / and expecting to reach the home page of
FreedomBox UI. When due to failed tests in config app, the home page is set to
something other than FreedomBox UI, these tests fail. Fix this by visiting
/freedombox explicitly instead.
Tests:
- When hope page is set to Syncthing, kiwix functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Since we are going to be an OpenID Provider, we need to fix the URLs that
other apps will be configured with for authentication. So change now from
/plinth to /freedombox. If done later, it will be harder since all the
configuration files for all dependent apps will need to be updated.
Tests:
- App availability checking works. Request goes to /freedombox URL
- Favicon is served properly and through /favicon.ico URL
- Redirection happens from / to /freedombox directly
- UI is available on /freedombox and on /plinth
- Manual page show /freedombox as the URL in two places
- Static files are successfully served from /freedombox URLs. URLs inside page
start with /freedombox
- backup, bepasty, calibre, config, dynamicdns, ejabberd, featherwiki, gitweb,
ikiwiki, kiwix, miniflux, names, openvpn, shadowsocks, shadowsocksserver,
sharing, shapshot, tiddlywiki, users, wireguard, jsxc, matrixsynapse, first
wizard, storage, samba, tags functional tests work. Backup/restore test for
matrixsynapse fails due to an unrelated bug (server not restarted after
restore).
- Setting the home page works:
- Having /plinth in the home page configuration works. Shows selection
correctly.
- Setting to app works. Shows selection correctly.
- Setting to user home page (sets /freedombox). Shows selection correctly.
- Setting to apache default works. Shows selection correctly.
- Changing back to FreedomBox service works. Shows selection correctly.
- Unit tests work
- Configuration page shows /freedombox in description but not /plinth
- Diagnostics show /freedombox in tests
- Roundcube URL link in email app has /freedombox
- email loads the page /.well-known/autoconfig/mail/config-v1.1.xml correctly
- email app shows /freedombox/apps/roundcube for /roundcube if roundcube is not
installed.
- networks: router configuration page shows URL starting with /freedombox.
- snapshot: Shows URL starting with /freedombox on the app page
- js licenses page uses /freedombox prefix for JSXC.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Use the recommended configuration from Matrix Synapse documentation.
- Preserve Host: header.
- Set the X-Forwarded-Proto header.
- Don't decode encoded slashes in the URLs during proxying.
- Also proxy Synapse client API.
Tests:
- Web app at app.element.io is able to connect to a local server using browser.
Two client can chat with each other.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- They are not useful.
Tests:
- All the modified SVG files load and show as expected.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Fixes: #2562
Newer miniflux package does not create a separate file called
/etc/miniflux/database. Instead it write the database URL directly into
/etc/miniflux/miniflux.conf. It is easier to create the database settings from
dbconfig-common that to read them from miniflux.conf.
Signed-off-by: Frederico Gomes <fredericojfgomes@gmail.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This reverts commit 9af9a504e09b8021041a7d8fe4540574f42edc1c.
This workaround is no longer needed as the file is no longer used.
Reverted as per:
https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2752#note_728315
**plinth/modules/miniflux/__init__.py**
- Keep version bump
**plinth/modules/miniflux/privileged.py**
- Keep docstring fix
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Currently, the value is hard-coded as /24. Instead take this as input and use
that value.
Tests:
- Entering invalid IPv4 address results in 'Enter a valid IPv4 address' error
message during form submission.
- Entering invalid prefix such as /33 results in 'Enter a valid network prefix
or net mask.' error during form submission.
- Both /32 and /255.255.255.255 formats are accepted.
- The description text for the form field 'IP address' is as expected.
- Changing the value of default route and IP address + netmask reflects in the
status page. Correct values is shown in the edit server and server status page.
- Not providing a netmask results in /32 being assigned.
- Unit and functional tests for wireguard pass. There are some intermittent
failures with functional tests that are unrelated to the patch.
- Setting the /32 prefix results in correct routing table as shown by 'ip route
show table all'. No default routes are network routes are present. 'traceroute
1.1.1.1' shows route taken via regular network.
- Setting the /24 prefix results in correct routing table. No default routes are
present. However, for the /24 network a route is present with device wg1.
'traceroute 1.1.1.1' shows route taken via regular network.
- Enabling the default route results in correct routing table. Default route is
shown for device wg1 with high priority. 'traceroute 1.1.1.1' shows route taken
via WireGuard network.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Create a server connection with default route setting 'on'. See that the
server status page reflects the value correctly. Repeat for 'off'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
