- Use the excellent Apache module auth_openidc.
- Implement macros that can be easily used to configure OpenID Connect.
Tests:
- Accessing /freedombox/apache/discover-idp/ shows
- 'method' other than 'get' throw a 'bad request' error
- oidc_callback should match host. Otherwise 'bad request' error is raised.
- Mismatched host header is not allowed
- Invalid domain setup is not allowed
- target_link_uri is returned as is
- method is returned as is and only 'get' is allowed.
- x_csrf is returned as is
- oidc_scopes is returned as 'email freedombox_groups'
- HTTP request is answered and not redirected to https
- When logging in with OIDC, authorization is skipped. When authorization is
shown, it is shown as 'Web app protected by FreedomBox'.
- libapache2-mod-auth-openidc is added a dependency for freedombox package. It
is installable in stable, testing, and unstable distributions.
- On applying patches, Apache setup configuration is run and OpenIDC component
is created.
- When patches are applied and setup install is run, auth_openidc module,
10-freedombox, freedombox-openidc config is enabled in Apache.
- When setup is rerun, passphrase is not changed
- metadata directory and parent are created when apache setup is run. Mode is
0o700 and ownership is www-data.
- freedombox-openidc is created when apache setup is run and has 0o700
permissions.
- Metadata directory will contain the client id and client passphrase when
discovery happens for a particular domain.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Config files are all symlinks in /etc/
- ttrss app's web interface works
- Incorrect password attempts in LDAP login with /tt-rss-app/ get registered by
fail2ban
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This will leave /etc/{plinth,freedombox} empty by default making service more
robust to run across various environments and situations. See systemd's
explanation for more details.
- Use Debian maintainer scripts remove all the existing files in
/etc/plinth/modules-enabled.
- Read from /usr/share/freedombox/modules-enabled then from
/etc/plinth/modules-enabled and finally from /etc/freedombox/modules-enabled.
Later read ones override previously read files. Any file pointing to /dev/null
will mean the module must be ignored.
Tests:
- Clean up /etc/plinth, /etc/freedombox and
/usr/share/freedombox/modules-enabled. Run service and notice that files are
getting loaded from development folder using a debug message.
- Run setup.py and notice that files get installed in
/usr/share/freedombox/modules-enabled/ and in the next run they get loaded from
there.
- Create a override file in /etc/plinth/modules-enabled/transmission and notice
that overriden file gets priority over the one in
/usr/share/freedombox/modules-enabled.
- Link the file /etc/plinth/modules-enabled/transmission to /dev/null and notice
that is not loaded.
- Create another file in /etc/freedombox/modules-enabled/transmission and notice
that it overrides the previous two files.
- All affected modules are loaded.
- Build a new Debian package and ensure that upgrading 23.8 to new version
removes are all configuration files.
- Build developer documentation and test that Tutorial -> Full Code and Tutorial
-> Skeleton sections have been updated with references to
-.../modules-enabled/... paths.
- Install quassel and notice that certificates were copied to /var/lib/quassel
directory. Change domain to another domain and notice that certificates were
copied again to that directory.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
