8325 Commits

Author SHA1 Message Date
James Valleroy
4a62d4fc77 freedombox Debian release 23.18

Merge tag 'v23.18' into debian/bookworm-backports

freedombox Debian release 23.18

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-28 19:21:41 -04:00
James Valleroy
db5444558f
Release v23.18 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
v23.18
2023-09-25 20:47:40 -04:00
James Valleroy
c73e24708d
doc: Fetch latest manual
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:46:55 -04:00
James Valleroy
c1e5b3bfd3
locale: Update translations strings
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:16:49 -04:00
Sunil Mohan Adapa
eba41aa295
pyproject: Add configuration for mypy to ignore some libraries
- This way, we know what we are overriding and can use type annotations for
libraries where they are available.

- Invocation of mypy tool on command line becomes straightforward.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:03:42 -04:00
Sunil Mohan Adapa
bb7782a464
*: Add some additional type annotations
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:03:38 -04:00
Sunil Mohan Adapa
38ece87c6c
*: Utilize newer 3.10 syntax for type hints
Tests:

- mypy does not show any errors.

- Installing ejabberd app works. Privileged actions run fine.

- Unit tests work.

- No additional testing was done as type annotations don't have any effect at
runtime.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:03:34 -04:00
Sunil Mohan Adapa
a86a86d605
gitlab-ci: Make passing mypy checks mandatory
- There are no more checks that are failing.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:03:31 -04:00
Sunil Mohan Adapa
2dd00a8f08
*: Fix all typing hint related errors
- Try to mark class variables in component classes.

- Leave typing hints generic, such as 'list' and 'dict' where content is usually
not filled, too complex, or context is unimportant.

- backups: Handle failure for tarfile extraction so that methods are not called
on potentially None valued variables.

- backups: Prevent potentially passing a keyword argument twice.

- dynamicdns: Deal properly with outcome of urlparsing.

- ejabberd: Deal with failed regex match

- email: Fix a mypy complaint when iterating a filtered list.

- tor: Don't reuse variables for different typed values.

- tor: Don't reuse variables for different typed values.

- operation: Return None explicitly.

- operation: Ensure that keyword argument is not repeated.

Tests:

- Where only typing hints were modified and no syntax error came up, additional
testing was not done.

- `mypy --ignore-missing-imports .` run successfully.

- Generate developer documentation.

- Service runs without errors upon start up.

- backups: Listing and restoring specific apps from a backup works.

- backups: Mounting a remote backup repository works.

- NOT TESTED: dynamicdns: Migrating from old style configuration works.

- ejabberd: Verify that setting coturn configuration works.

- email: Test that showing configuration from postfix works.

- tor: Orport value is properly shown.

- transmission: Configuration values are properly set.

- users: Running unit tests as root works.

- operation: Operation status messages are shown properly during app install.

- ./setup.py install runs

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:03:24 -04:00
Sunil Mohan Adapa
a709f3a6a8
gitlab-ci: Perform backports tests on bookworm instead of bullseye
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:03:21 -04:00
Sunil Mohan Adapa
ac84258f05
upgrades: Fix detecting apt over tor during upgrade
- This was missed during the split of tor/torproxy apps.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 20:03:16 -04:00
Sunil Mohan Adapa
995749a975
wordpress: Use absolute path in service file
This is the recommended approach. On Debian, php is usually resolved to
/usr/bin/php.

Tests:

- Tests with absolute path in service file were performed as part of testing
done in https://salsa.debian.org/freedombox-team/freedombox/-/issues/2373 . No
separate testing was done.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-25 17:41:11 -04:00
rsquared
a6165c997a
ikiwiki: Disable discussion pages by default for new wiki/blog
Closes: #2102.

- Wiki: Unchanged behavior is to have discussion pages enabled. To post users
must login.

- Blog: Earlier behavior is to allow anonymous users to post comments. They go
into the moderation queue when posted. This could lead to a lot of spam comments
to moderate. New behavior is to allow posting comments only when logged in.

- Blog: discussion => 0 does not affect comments. It is meant for discussion
page on the blog's home page (and possibly other pages). Discussion on those
pages is disabled by default.

- The changes only apply to defaults. Everything can be changed from Setup page.

Testing:

- Test the above described behavior in Debian testing.

- Debian stable testing was not done as the version of ikiwiki is the same as
testing.

[sunil: Drop removal of discussion from wiki pages]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2023-09-25 12:58:04 -07:00
James Valleroy
4b90e7618f
middleware: tests: Add tests for common error middleware
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2023-09-22 11:20:08 -07:00
Brian Ó Donnell
557a3b2588
middleware: Add new middleware to handle common errors like DB busy
- During database error such as 'database is locked', show a special message
asking users to try again instead of submitting a bug report.

[sunil: Minor formatting, rename the template file name]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
[jvalleroy: Fix missing import]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
2023-09-22 11:19:47 -07:00
109247019824
81cbd307f5
Translated using Weblate (Bulgarian)
Currently translated at 46.1% (703 of 1523 strings)
2023-09-18 19:00:45 +00:00
109247019824
5fd7d6fb5c
Translated using Weblate (Bulgarian)
Currently translated at 46.0% (702 of 1523 strings)
2023-09-15 21:49:59 +02:00
James Valleroy
32942a65a5
Release v23.17~bpo12+1 to bookworm-backports
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
v23.17_bpo12+1
2023-09-15 07:08:15 -04:00
James Valleroy
814b16764b freedombox Debian release 23.17

Merge tag 'v23.17' into debian/bookworm-backports

freedombox Debian release 23.17

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-09-15 07:06:47 -04:00
James Valleroy
625eb28007
Release v23.17 to unstable
v23.17
2023-09-11 20:48:01 -04:00
James Valleroy
a2c5e315d8
doc: Fetch latest manual
2023-09-11 20:46:40 -04:00
bittin1ddc447d824349b2
e07e202ced
Translated using Weblate (Swedish)
Currently translated at 100.0% (1523 of 1523 strings)
2023-09-08 20:24:57 +02:00
ikmaak
92022f0492
Translated using Weblate (Dutch)
Currently translated at 100.0% (1523 of 1523 strings)
2023-09-05 21:53:27 +02:00
Ihor Hordiichuk
68eba842a3
Translated using Weblate (Ukrainian)
Currently translated at 100.0% (1523 of 1523 strings)
2023-08-31 21:50:15 +02:00
Jiří Podhorecký
acb03eeed7
Translated using Weblate (Czech)
Currently translated at 100.0% (1523 of 1523 strings)
2023-08-31 21:50:14 +02:00
Burak Yavuz
21cac8bc4e
Translated using Weblate (Turkish)
Currently translated at 100.0% (1523 of 1523 strings)
2023-08-31 21:50:14 +02:00
gallegonovato
b3f1862df3
Translated using Weblate (Spanish)
Currently translated at 100.0% (1523 of 1523 strings)
2023-08-31 21:50:13 +02:00
James Valleroy
01f059c8df
Release v23.16~bpo12+1 to bookworm-backports
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
v23.16_bpo12+1
2023-08-31 06:50:46 -04:00
James Valleroy
28473a96be freedombox Debian release 23.16

Merge tag 'v23.16' into debian/bookworm-backports

freedombox Debian release 23.16

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-31 06:49:55 -04:00
James Valleroy
f527e5db52
Release v23.16 to unstable
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
v23.16
2023-08-28 20:48:23 -04:00
James Valleroy
bc90be15f3
doc: Fetch latest manual
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-28 20:46:06 -04:00
James Valleroy
ae1e56df38
locale: Update translation strings
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-28 20:07:46 -04:00
Sunil Mohan Adapa
fa58633e81
openvpn: Renew server/client certificates
- Set renewal period to 3 years before expiry so that users are not inconvenienced
too much.

- Renew server certificate if possible.

- There are openvpn server setups where the expiry of the server certificate has
been set to 2 years due to a bug in our code. Triggering a setup call will renew
these certificates without affecting any clients. Even during the bug, CA certs
were still valid for 10 years. So, they are unaffected.

- When downloading profile, if client certificate is renewable, renew
before providing profile for download. Old certificates will still be valid
until their expiry.

Tests:

- Without the patches, install openvpn app. Server certificate will be created
with a validity of 2 years. Download the client profile. Apply patches, setup
will be rerun. OpenVPN will be restarted. Server certificate will be renewed and
show 10 years expiry. Old client profile will continue to connect successfully.
It will have expiry of 2 years. Download the client profile again. It will have an
expiry of 10 years and will successfully connect to the server.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-28 16:53:17 -04:00
Sunil Mohan Adapa
251e2b4064
openvpn: Ensure that re-running setup works as expected
- Don't overwrite the entire PKI directory or CA certificates.

- Don't re-enable app during setup.

Tests:

- Install app with patches. Rerun setup. It succeeds. Server certificate is not
changed.

- Disable app. Re-run setup. App is not re-enabled. OpenVPN is not running.

- Enable app. Re-run setup. OpenVPN is restarted.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-28 16:53:10 -04:00
Sunil Mohan Adapa
0176d706b9
openvpn: Use config file instead of env vars for easy-rsa
- A configuration file seems to be the preferred approach for invoking easy-rsa
since version 3.

- Drop unused configuration keys KEY_CONFIG, KEY_DIR and EASYRSA_REQ_NAME. These
are no longer referred to in the easy-rsa script.

- Remove configuration key EASYRSA_OPENSSL as the value 'openssl' is already the
default.

- Use pathlib.Path to simplify some code.

Tests:

- Re-run setup and notice the ca.cert file has not changed.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-28 16:53:06 -04:00
Sunil Mohan Adapa
95f65b5c4b
openvpn: Minor refactoring in setting up easy-rsa
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-28 16:53:04 -04:00
Sunil Mohan Adapa
0e91261446
openvpn: Correctly set expiry of server/client certs to 10 years
- After moving to easy-rsa 3.x, the expiry configuration key changed and
original intention of setting the expiry to 10 years was not working. Update the
key to set the expiry properly.

Tests:

- Install the app freshly and verify the server and client have 'Valid Not
After' date set 10 years in future.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-28 16:53:01 -04:00
Sunil Mohan Adapa
ec89d11494
openvpn: Fix app not installing on Debian testing
Closes: #2370.

- In Debian testing (trixie), easy-rsa version is 3.1.5 (up from 3.1.0). In this
version trying to sign a certificate request when the final certificate is
already present leads to an error which fails openvpn app installation.

- In versions 3.1.0 (Debian bookworm/stable) and above, build-server-full also
generates a signing request and then signs the request. So, there is no need to
run them separately.

Tests:

- Uninstall openvpn, test that /etc/openvpn directory has been removed. Install
openvpn, download client profile and connect using 'sudo openvpn --config
tester.ovpn'. The connection will be successful.

- Files /etc/openvpn/freedombox-keys/pki/issues/{server,tester}.ovpn show
signature values.

- Repeat test for Debian testing and stable/bookworm.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-28 16:52:57 -04:00
Michael Breidenbach
a81f855731
Translated using Weblate (Swedish)
Currently translated at 97.3% (1480 of 1521 strings)
2023-08-28 14:50:27 +02:00
Sunil Mohan Adapa
c4f087ea4a
networks, samba: tests: functional: Fix setting firewall zone
Without the changes, the form submission for setting firewall zone fails with
error similar to "element can't be scrolled to view".

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-23 21:47:51 -04:00
Sunil Mohan Adapa
770974c8ce
sso: Switch to django-axes >= 5.0
- Add explicit dependency on django-ipware >=3. django-axes >= 6 adds
only an optional dependency on django-ipware. Adding explicit dependency makes
the behavior safer.

- Depend on django-axes >= 5 where the authentication backend and other features
are available. The new code won't work with older versions. The new approach
uses an authentication backend to deny access to the login form on lockout and
a middleware to redirect user to locked out form when limit of attempts has
been reached.

- Drop old code used for compatibility with django-axes 3.x.

- Suppress verbose and debug messages as django-axes is too chatty.

- Re-implement the CAPTCHA form entirely. In the old style, we have a login form
with CAPTCHA field. That would not work with the new django-axes authentication
middle. On submission of the form, auth.authenticate() will be called. This
call invokes various authentication backends including django-axes authentication
backend. This backend's behavior is to reject all authentication attempts when
the IP is listed in locked table. The new approach is to provide a simple
CAPTCHA form with just the CAPTCHA field. If the form is successfully
validated (correct CAPTCHA is provided), then the lock on the IP address is
reset. The user is then free to perform 3 more attempts to login.

- Update firstboot form to send the request parameter when using
auth.authenticate() method. This is needed by Django axes' authentication method
which will be triggered.

Tests:

- Run tests on Debian Bookworm and Debian testing.

- Axes verbose messages and debug messages are not printed on the console when
running FreedomBox in debug mode.

- Only three invalid attempts are allowed at the login page. After the final
incorrect attempt, user is redirected to CAPTCHA page. Visiting the login page
using the URL works but entering the correct credentials still takes the user to
CAPTCHA page.

- CAPTCHA form appears as expected. Clicking the CAPTCHA images downloads the
audio file corresponding to the image. Incorrect CAPTCHA shows an error. Correct
CAPTCHA takes the user to login form where they are able to login with correct
credentials. Entering incorrect credentials 3 times will take the user again to
CAPTCHA page.

- Creating user account during firstboot works.

- Blocked IP address is the IP of the client such as 10.42.0.1 and not the local IP
address 127.0.0.1 according to the django-axes log messages. While one client IP
address is blocked, another IP is able to login to the same user account that
was attempted by the blocked client.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-23 21:47:39 -04:00
Sunil Mohan Adapa
cf6c604cec
sso: Use POST method for logout
- This prevents CSRF attacks that allow adversarial websites to log out
users from FreedomBox. Django itself has made this change in 4.x releases.

Tests:

- Logout works with the menu item in drop-down when JavaScript is enabled. The
menu item appears similar to other drop-down menu items.

- Logout works with the menu item when JavaScript is disabled on the page. The
menu item appears similar to other menu items.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-23 21:47:36 -04:00
Sunil Mohan Adapa
dc9e86d918
users, networks: Use the autofocus HTML attribute sparingly
Using autofocus too much hurts accessibility[1] as screen readers jump to the
autofocused field. Specifically, it should be used only when it increases UX
significantly, when the form is the only thing on the page and there is nothing
to read before the field is filled.

- Networks: There is not much improvement to UX by focusing on a radio select.

- Update User Form: there is a statement to be read before the first element is
filled up. Username is changed rarely but it is being focused on.

- First boot user account: There is content to be read before filling the form
and this will be skipped by the screen reader.

Links:

1) https://www.boia.org/blog/accessibility-tips-be-cautious-when-using-autofocus

Tests:

- networks: Add new connection form works. The connection type is not
autofocused.

- users: Update user form works. Username is not autofocused.

- users: First boot form works. Username is not autofocused.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-23 21:47:31 -04:00
Sunil Mohan Adapa
ebf2dd5c80
backups: Remove use of length_is template function
- It has been deprecated in Django 4.2

Tests:

- Add a remote backup location with valid SSH hostname and notice that the list
of SSH host keys are shown properly.

- Add a remote backup location with invalid SSH hostname and notice that the
error "Could not reach SSH host..." is shown.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-23 21:47:28 -04:00
Sunil Mohan Adapa
da24f852cf
django: Remove use of X-XSS-Protection header
- This header is not supported by modern browsers[1]

- Our Content-Security-Policy header already does a better job.

- Django 4.0 removed this setting and does nothing with it.

Links:

1) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

Tests:

- Without the patch X-XSS-Protection header is sent and with the patch it is not
sent.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-23 21:47:22 -04:00
Joseph Nuthalapati
ee05f98833
l10n: Fix error in Czech translation string
2023-08-18 18:57:18 +05:30
James Valleroy
d9a09f3266
Release v23.15~bpo12+1 to bookworm-backports
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
v23.15_bpo12+1
2023-08-18 06:39:05 -04:00
James Valleroy
c866100dc0 freedombox Debian release 23.15

Merge tag 'v23.15' into debian/bookworm-backports

freedombox Debian release 23.15

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
2023-08-18 06:38:09 -04:00
Jiří Podhorecký
91c0a67067
Translated using Weblate (Czech)
Currently translated at 100.0% (1521 of 1521 strings)
2023-08-18 00:47:54 +02:00
Petter Reinholdtsen
6ed325d009
Translated using Weblate (Norwegian Bokmål)
Currently translated at 76.3% (1161 of 1521 strings)
2023-08-16 08:52:04 +02:00