Closes: #2476.
- The collapse click logic is triggered when clicking on the schedule button (or
the other buttons). In case of other buttons they do activate eventually but
the schedule button does not activate.
- Solve this properly by making sure that collapse logic is not triggered when
the buttons are clicked.
Tests:
- On stable and testing containers, ensure that collapse works. Collapse/expand
icon works. The three buttons work. And mobile view looks good.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- In current stable and testing, verifying SSH remote hosts using RSA is not
working. After selecting the verified RSA fingerprint, paramiko fails to connect
- A change introduced in paramiko 2.9 lead to failures when connecting to hosts
that have a verified RSA host key[1][2][3]. To fix the issue,
disabled_algorithms must be used to drop some of the other algorithms supported
by the server to force paramiko behavior. A better solution to the problem was
introduced in paramiko 3.2. Both these solutions require careful update to the
code. Considering the utility paramiko provides, the regression annoyance,
effort required for this fix, and the security implications (it is an completely
independent SSH implementation), the library does not seem to be worth the
effort in our case.
- Switch to using sshpass command line utility instead of paramiko library. The
only reason to use paramiko seems that 'ssh' command by default does not allow
us to input password easily while paramiko does.
- Another place where paramiko is being used is to check if a host is already
verified in the known_hosts file. This has been trivially replaced with
'ssh-keygen -F'.
- Exit codes provided by sshpass can replace the specific exception raised by
paramiko.
Links:
1) https://www.paramiko.org/changelog.html
2) https://github.com/paramiko/paramiko/issues/2017
3) https://github.com/paramiko/paramiko/issues/1984
Tests:
- Add a remote backup repository with and without encryption.
- Add remote backup repository with all three types of algorithms.
- Add a remote repository again with wrong password. Authentication error is
properly shown.
- Add a remote backup repository and remove it. Host remains verified. Add a
repository again.
- Add a remote backup repository and remove it. Host remains verified. Change
the fingerprint the /var/lib/plinth/.ssh/known_hosts file. Add a repository
again. A proper error is shown that remote host could not be verified.
- Add a remote backup repository and remove it. Host remains verified. Stop SSH
server on the remote host. A generic error is shown that ssh command on remote
host failed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- The output of ssh-keyscan scan contain comments that start with '#'. When
these are present, they are incorrectly assumed to be valid keys. Ignore these
lines.
Tests:
- Output of ssh-keyscan with latest OpenSSH in Debian testing contains comments.
Trying to verify the identity of the remove host without the patch fails when
adding remote backup repository. When patch is applied, it works (except RSA
key).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Currently, if an error occurred during diagnostics, just error
message (without traceback details) was supposed to be shown on the results
page. However, due to a bug in code related to showing repair button, a separate
exception is raised.
- Simplify the code by dropping all custom error display. Instead allow the
generic error display mechanism in the middleware to handle the error. This
keeps the code simple.
Tests:
- Raise an exception in diagnose() method of the 'users' app. Run the
diagnostics for the users app. Notice that Diagnostics app page is shown with
error alert containing full traceback details.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Show a different message for them.
Test:
- Try to visit page like /plinth/apps/sharing/foo/edit/ where a share named
'foo' does not exist. The common error handling middleware is triggered and an
alert message 'Page not found' with exception trace back is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- These could happen when a user tries to reload a page that only allows POST
requests.
- Or when the generic exception handling logic in the middleware redirects the
user to a page that only allows POST.
Tests:
- Insert a exception in the diagnose() of the 'users' app. Without the patch,
running diagnostics on the users app leads to a blank page. With the patch, the
user is redirected to Diagnostics app page and the original error is shown as a
alert message.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- In addition to the OperationalError, also handle all generic exceptions during
page submit and page load. Redirect to the same page or parent using
breadcrumbs.
- Log exceptions handled by common error middleware so that they are also part
of the system logs.
- Update kiwix test as needed.
- Refactor some test code that is setting up the menu items.
Tests:
- When an error occurs during form POST, the same page is show but with an error
message.
- When an error occurs in an app page during GET, the browser is redirected to
the parent section.
- When an error occurs in apps page during GET, the browser is redirected to the
home page.
- When an error occurs in home page during GET, the error is not handled and
default 500 handle is triggered.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Instead of showing traceback details only for action exceptions, show them for
normal exceptions also.
- Also adjust the gap between the error message and the preformatted text to
make it appear better.
Tests:
- Alter code to raise an exception with the utility. See that details are as
expected.
- Raise an exception in a privileged action, ensure that the details shown as
before.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Fixes an issue where the nslcd configuration option pam_authz_search is not
in effect after the users module setup.
Tests:
- Remove the pam_authz_search configuration option from /etc/nslcd.conf,
restart nslcd service, delete plinth.sqlite database to run first setup
after plinth start, start plinth. Do it twice:
1) before applying patch, users::test_user_states functional test fails.
2) after applying patch, users::test_user_states functional test pass.
- After applying patch, the nslcd service is restarted during module
upgrade.
- All the users module tests pass.
Relates to
https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2594#note_565614.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- It was never intended that breadcrumbs be shown in these pages.
Tests:
- When running first wizard, the busy page, the welcome page, user account
create page, and the next steps page are all shown without breadcrumbs. Same for
login page.
- Other pages which had breadcrumbs earlier continue to show them, that is, app
pages, system pages, help pages, and pages under those.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- All users tests pass.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
[sunil: Update to reflect the new utility function name]
[sunil: Update some more cases to use the utility]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Also, add a click_link_by_href helper function.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
[sunil: Update some more cases to use the utility function]
[sunil: Keep click() and rename new behavior to click_and_wait()]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This was needed temporarily when migrating from Tor to Tor Proxy
app. But now we should preserve the user's existing configuration
during app upgrade.
Tests:
- Install Tor Proxy version 1. "Download software packages over Tor"
is enabled. Upgrade to Tor Proxy version 2. "Download software
packages over Tor" is still enabled.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Mask disabled Tor systemd services to prevent services starting by the Tor
master service after system reboot.
Also:
- Fix torproxy app always enabled after setup.
- Minor privileged code cleanup - removed unused functions.
Tests performed on Debian stable and testing:
- Installed and disabled the apps, rebooted the system, then applied the patch.
Ensured that apps are upgraded successfully and apps are disabled after
upgrade. Ensured that tor@default, tor@plinth and tor@fbxlocal services are
masked and not running.
- After 1)enabling and 2)disabling both apps and 3)rebooting the system:
- Ensured that the tor@default service is not running and is masked.
- Ensured that tor@plinth or tor@fbxproxy service states match the states
of the app.
- Uninstalled the apps, ensured that only the tor@default service masked
state remains in the systemd.
- All the tor and torproxy tests pass.
Closes#2369, #2454.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Since Minetest 5.8.0, there is no longer a "default" game, so the
--gameid argument must be used to select a game (from the list at
https://content.luanti.org/packages/?type=game).
Set minetest_game as the default game for FreedomBox. In the future,
we can consider providing a list of popular game IDs, or allow a
custom game ID.
Work around for Debian bug #1090067.
Closes: #2445.
Tests:
- Install Minetest on Debian testing. The service is running. Able to
connect a client to the server.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Don't show them on section pages: home, apps, system and help pages.
- Tweak the appearance so that home icon is bigger, spacing between crumbs is
larger and to use '>' as separator.
- Change the name of the help menu item to show the value in breadcrumbs.
- Change the URLs for anchors in the help page so that they don't appear as part
of the breadcrumbs.
Tests:
- Section pages: home, apps, system and help pages don't have breadcrumbs.
- Visit various pages. Breadcrumbs are shown and all the links in the
breadcrumbs work as expected.
- Mobile view looks good.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- We were using hacky logic of assuming that if a page using the URL
/plinth/sys/..., then it belongs to 'system' section based on the URL match.
This won't work when the URL does not follow this pattern for any reason.
- Instead use the breadcrumbs mechanism which uses menu items and URL names to
determine the section a page belongs to.
Tests:
- Visit page, apps page, system page, help pages, an app page in apps sections,
an app page in system section, backups -> create backup page and notice that the
correct section is highlighted.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- Use virsh command line tool to create and control VMs.
- Use virtiofs for shared folder between host and guest.
Tests:
- Create a testing container and run unit tests on it.
- Create a testing VM.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- When fsid of the btrfs filesystem is updated, grub needs to updated too.
Otherwise, the image can't be booted into using a virtual machine.
- When fsid of the btrfs filesystem is updated, /etc/fstab needs to updated too.
Otherwise, the root file system can't be remounted as read-write.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- In anticipation of adding support to launch VMs using the same script.
- Assume image operations will be common other backends, even when they use
systemd-nspawn.
- Drop support for systemd-nspawn (<247). Bullseye ships with systemd-container
package 247.3. Remove version specific code that is no longer needed.
- Fix issue with checking if an image has been provisioned or not.
- Attempt to setup network manager connection every time container is launched
instead only once when image is setup. This ensures that if the connection is
removed after image setup, it will re-created when container is launched.
Tests:
- Run all the basic commands of the container and ensure they are working.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
[vexch: Removed unused argument in _setup_image() and fixed one typo]
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- Run 'make build install' and notice that the file
/usr/share/freedombox/modules-enabled/i2p has been removed from the system if
present.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
- If for some reason, first setup is not completed yet, wait for it to complete.
- Update eventually() method to wait for page load errors to go away.
- If first wizard is already completed, don't try to run it again.
- We can eventually remove waiting for 'setup thread finished' in container
script. But not there yet.
Tests:
- Run transmission tests on a freshly created container.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Closes: #1528.
Closes: #2041.
Closes: #2438.
- In Bullseye and Bookworm the app is not available.
- i2pd (written is C++) is available in Debian, but it is not a drop-in
replacement for i2p. First, it is only a client. Then has a differently
philosophy of not integrating apps inside it and let outside apps connect to it.
If i2pd is ever added to FreedomBox, it has to be added as a new app with no
possibility of migration from an unlikely old setups.
- Updated wiki pages to remove references to I2P.
Tests:
- Looked for all string references to 'i2p'.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- These tools are not strictly needed for FreedomBox operation in anyway.
- Slightly Reduce the size of the built images.
- Some of these tools are outdated or not typically used on a modern GNU/Linux
system and make FreedomBox seem less shiny.
- Originally thought of splitting them into a separate metapackage but it does
not seem worth it.
- killall from psmisc is used in the Makefile, it is kept for now.
- FreedomBox already has many dependency and so it is now important to start
paying attention to unnecessary ones.
Tests:
- For each binary executable provided in each of the packages, verify that it
not being used in our code anywhere.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This is needed to run code quality check in the GitLab CI pipeline. Not sure
how it work before this.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- We don't support Debian Bullseye or older in latest versions of FreedomBox. We
can drop any minimum version specifications that are only relevant on those
release.
Tests:
- Potential issues with tomli/coverage will be caught during autopkgtests.
- For version specifications, it has been verified that for each of the
packages, version available in Bookworm is newer than the minimum version
specification.
- freedombox-setup and plinth packages don't exist on Bookworm or newer. We
don't support upgrade from older version with the latest code.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: Debian bug #1088760.
- OpenSSL.crypto.sign has been deprecated and in the current version of
python3-openssl in Debian testing, it has been dropped. The recommended
alternative is cryptography.hazmat.primitives. So, use this instead.
- The entire OpenSSL.crypto module is planned to be deprecated in the future.
So, stop using it entirely by using cryptography.hazmat.primitives.
- sso app does not use openssl anymore, so drop dependency on it. Other apps
such as Let's Encrypt do depend on it and but they have their own dependency
declared. The freedombox package on the overall retains on 'openssl' package.
- We are not using the python OpenSSL module anywhere else, so drop dependency
on it.
- Use pathlib to simplify some code.
- Ensure proper permissions on private and public keys as they are being written
to.
Tests:
- Freshly setup container and ensure that first run succeeds. Permission on the
public/private key files and the parent directly are correct. Users are able
login to FreedomBox. SSO works when accessing apps such as transmission.
- Without patches, setup freedombox container. Apply patches. Permission for
keys directory is updated but keys are not overwritten. Login to FreedomBox
works. SSO works when accessing apps such as transmission.
- Run code to perform signatures using old code and ensure that newer code
generates bit-identical signatures.
- Running ./run --list-dependencies show 'openssl' and python3-cryptography.
- Running unit tests works.
- Building debian package works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
