Tests:
- Initial setup of coturn succeeds
- Configuration file is created and required configuration is set.
- Coturn is restarted
- Coturn configuration is shown on app page.
- Changing the domain succeeds and coturn configuration reflects the new domain.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Running flake8 as in .gitlab-ci.yml works.
- Setting the domain name again to update /etc/hosts file after hostname change
works
- Setting the domain name from the text box works. New domain name is read back
and shown properly.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Running flake8 as in .gitlab-ci.yml works.
- Changing the hostname works and it is updated in /etc/hostname
- Avahi daemon is restarted
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Initial setup succeeds
- (not tested, functionality removed later) During initial setup, if
/etc/apache2/conf-available/freedombox.conf has home page other than /plinth,
it will be changed to /plinth.
- Setting the home page to Apache default, plinth, or an app works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Unit and functional tests work.
- Creating a library works.
- An error while creating library shows as proper message.
- Deleting a library works.
- An error while deleting library shows as proper messages.
- Creating/deleting library reflects properly in the list of libraries.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Initial setup:
- Creates zones directory
- Write default configuration
- named is restarted
- Forwarders
- Setting forwarders works as expected.
- Current list of forwarders is shown as expected
- List of served domains is shown properly
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests
- Initial setup
- Sets the domain to freedombox.local (SITENAME)
- Default permissions are set to read
- Three passwords with varying permissions are created by default
- Current configuration is retrieved properly (default permissions, passwords)
- Adding passwords works, they are listed as expected
- With or without comment
- Removing password works
- Setting default permissions works
- Untested:
- Upgrade from version 1
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Initial setup works when a new container is created
- When transmission is enabled/disabled, the web configuration for it is
enabled/disabled.
- When radicale is enabled/disabled, the uwsgi configuration for it is
enabled/disabled.
- Sharing web configuration is disabled during backup and re-enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
We depend on systemd for many things anyway and this code path is never tested.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
There is not much additional risk by doing this. This is needed in case of some
exceptional cases such as storage.validate_directory() which need to run as a
different user other than root.
Tests:
- Directory validation works in transmission and deluge.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Currently privileged actions use stdout for returning the results. If any of the
sub-processes accidentally output to stdout, decoding errors occur. Prevent this
by opening a pipe to the privileged action and returning the output in that
pipe.
Tests:
- Run unit tests
- Functional tests for other apps pass
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
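The failure mode and the fix described in the commit above, as an added example that is not FreedomBox code: a constructed child script stands in for a privileged action (no sudo involved), and the file descriptor number passed as its first argument is this example's own convention.

```python
import json
import os
import subprocess
import sys

# Constructed stand-in for a privileged action. It emits stray output the way
# a sub-process might, then returns the same result on stdout (old approach)
# and on a dedicated pipe whose descriptor number arrives in argv[1].
CHILD = '''
import json, os, sys
result = json.dumps({"result": "success", "return": ["/dev/sda1"]})
print("Reading package lists... Done")
print(result)
with os.fdopen(int(sys.argv[1]), "w") as pipe:
    pipe.write(result)
'''


def run_action():
    """Run the child and return (stdout text, text read from the pipe)."""
    read_fd, write_fd = os.pipe()
    process = subprocess.Popen(
        [sys.executable, '-c', CHILD, str(write_fd)],
        pass_fds=[write_fd],      # only this descriptor is inherited
        stdout=subprocess.PIPE, text=True)
    os.close(write_fd)            # parent keeps only the read end
    # The result here fits in the pipe buffer; a large result would have to
    # be read concurrently with stdout to avoid blocking the child.
    stdout, _ = process.communicate()
    with os.fdopen(read_fd) as pipe:
        piped = pipe.read()
    return stdout, piped


def decode(text):
    """Return the decoded JSON result, or None when decoding fails."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None


if __name__ == '__main__':
    out, piped = run_action()
    print('from stdout:', decode(out))
    print('from pipe:  ', decode(piped))
```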
- Currently, privileged actions are not allowed under top-level plinth module.
They are only allowed under each app module. Allow privileged actions under
plinth module.
- Currently, privileged actions are not allowed under a sub-module of
'privileged' package. They are allowed only in 'privileged' module. Allow
sub-modules under 'privileged' package.
Tests:
- Email app functional tests pass
- Functional tests for apps using package and service privileged methods pass
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Provides a Version class wrapper around apt_pkg.version_compare.
Replaces distutils.version which is deprecated.
Closes: #2261.
Tests:
- Install ejabberd.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Add two more version comparison tests]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #2263
- matrix-synapse >= 1.65.0-1 requires python3-canonicaljson >= 1.6.2~
Tests:
- On a stable Vagrant Box, matrixsynapse app is not installable.
- With the changes, start FreedomBox service, setup will run on the upgrades
module and /etc/apt/preferences.d/51freedombox-apps.conf will be changed to
include the new entry. After this, matrix-synapse app is installable.
Signed-off-by: nbenedek <contact@nbenedek.me>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Use AppView for app page.
- Handle post enable/disable activities within the App class.
- Use Operation class to perform configuration instead of custom mechanism. Drop
all the older code for it.
Tests:
- DONE: Run functional tests
- DONE: Enabling Tor
- DONE: Enables the service
- DONE: Updates the firewall ports
- DONE: Adds hidden service domain to names app
- DONE: Shows app enabled
- DONE: Firewall ports are opened
- DONE: Disabling Tor
- DONE: Disables apt transport over Tor
- DONE: Firewall ports are closed
- DONE: Shows app disabled
- DONE: Onion domain is removed from names app
- DONE: App page
- DONE: Running/not-running status is shown properly based on whether tor
daemon is running.
- DONE: Port forwarding information is shown properly.
- DONE: When hidden service is enabled, status of hidden services is shown
- DONE: Configuration update
- DONE: Form shows correct status of the option
- DONE: When configuration is being updated, operation progress is shown
- DONE: Page refreshes once in 3 seconds during operation. Refresh stops after
operation.
- Once the operation is complete, success or error message is shown
- DONE: Javascript to show/hide upstream bridges text box works
- DONE: Javascript to enable/disable relay checkboxes works
- DONE: Operation does not show notification.
- DONE: Enabling apt over Tor does not work when app is disabled
- DONE: When configuration is changed, the message 'Settings unchanged' is not
shown.
- DONE: If an error is thrown during configuration, an error message is shown
properly.
- DONE: Tor is restarted after configuration update and hidden service domains
is updated.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
1. Install Janus on stable system.
2. Start a dist-upgrade to testing.
- Janus is held during dist-upgrade.
- Janus is force upgraded by Plinth after dist-upgrade is complete.
Closes: #2254.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- Functional tests pass
- Same tests as previous patch for setting logging to syslog.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- On a fresh container, install roundcube. log_driver is set to syslog in
freedombox-config.conf.
- Install roundcube without the changes. Enable local only. Apply the changes
and restart service. roundcube setup is run. log_driver is set to syslog in
freedombox-config.conf. Setting is still local-only.
- Install roundcube without the changes. Disable local only. Apply the changes
and restart service. roundcube setup is run. log_driver is set to syslog in
freedombox-config.conf. Setting is still not local-only.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Redirect with separate identifiers so that they can be retrieved separately.
- Enable virtual host log format that includes name of the domain accessed so
that that information is preserved.
- There is no need to increment the apache app's version number as it has been
incremented earlier in the patch series (for this release).
Tests:
- In a fresh container, setup succeeds. Default apache sites 000-default.conf
and default-ssl.conf are disabled. freedombox-default.conf is enabled. Apache
access logs and error logs are sent to systemd journal.
- Without the patch applied, create a container. Run setup and access Plinth
interface. Apply the patches. Apache setup is run. a2query -s default and
a2query -s 000-default show that sites are not enabled. a2query -s
freedombox-default shows that site is enabled. Apache access logs and error logs
are sent to systemd journal.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- It is simpler to keep all the configuration in a single file. Any overrides
are expected to be done by writing additional configuration files with higher
priority.
- /etc/apache2/site-available/ is typically reserved for virtual host
configurations. Redirections and proxying for all virtual hosts rather belong
in /etc/apache2/conf-available/.
- This loses the option of disabling plinth-ssl.conf when needed. In the
initial days of enabling TLS, there was a need felt to keep the option of easily
disabling redirection to TLS in case there is a need for it. However, TLS
certificate setup is mature and the limitations are well understood. There is no
longer a need for it. It still may be possible to avoid the redirection with an
additional configuration.
Tests:
- In a fresh container, setup succeeds. Redirecting to https:// for /plinth
works. FreedomBox web interface is available.
- Without the patch applied, create a container. Run setup and access Plinth
interface. Apply the patches. Apache setup is run. a2query -s plinth and a2query
-s plinth-ssl show that sites are not enabled. Redirecting to https:// for
/plinth works. FreedomBox web interface is available.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
I tested additionally that if the root user has already configured
default branch other than main, it is not changed by the gitweb app
setup process.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Login to Cockpit on a freshly setup container.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
When Cockpit is not configured with any origins, it uses the host and protocol of the
incoming request to set the allowed origin for WebSocket connections. By
ensuring that the original host/protocol is passed on to Cockpit from the
browser, we can eliminate the need for configuring a pre-determined list of
origins. Passing the host and protocol from the browser is done by setting
ProxyPreserveHost and using https:// for proxying.
For a cross-site request, Origin: and Host: entries won't match and '403
Forbidden' is thrown. So, this approach is still safe.
Tests:
- Without the patch, access Cockpit using IP address and it fails. Apply the
patch. Cockpit setup should run. Origins= directive in the configuration file
/etc/cockpit/cockpit.conf should get removed. Accessing with IP address and
logging in succeeds.
- Freshly setup a container with the patch and access Cockpit using IP address.
This works and login succeeds.
- Test on stable and testing containers.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
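A simplified model of the origin check reasoned about in the commit above, as an added example that is neither Cockpit's nor FreedomBox's code: the function names, the backend address and the request headers are constructed, and the check is reduced to an exact string comparison.

```python
def proxy(browser_headers, preserve_host, backend='127.0.0.1:9090'):
    """Model Apache forwarding: Host survives only with ProxyPreserveHost."""
    headers = dict(browser_headers)
    if not preserve_host:
        headers['Host'] = backend  # Host is rewritten to the proxy target
    return headers


def websocket_status(headers, scheme='https', configured_origins=None):
    """Return 101 when the Origin header is allowed, otherwise 403.

    Without a configured list, the allowed origin is derived from the
    protocol and Host of the incoming request, as the commit describes.
    """
    allowed = configured_origins or [f"{scheme}://{headers['Host']}"]
    return 101 if headers.get('Origin') in allowed else 403


# Constructed requests; addresses and names are placeholders.
BY_IP = {'Host': '10.42.0.5', 'Origin': 'https://10.42.0.5'}
CROSS_SITE = {'Host': '10.42.0.5', 'Origin': 'https://other.example'}


def scenarios():
    """Status for each situation discussed in the commit message."""
    return {
        # Before: a pre-determined origin list does not contain the IP.
        'fixed list, by IP': websocket_status(
            proxy(BY_IP, True), configured_origins=['https://freedombox.local']),
        # After: no list, original Host passed on, proxied over https.
        'derived, by IP': websocket_status(proxy(BY_IP, True)),
        # Host not preserved: derived origin names the backend instead.
        'derived, Host rewritten': websocket_status(proxy(BY_IP, False)),
        # Proxied over plain http: derived origin has the wrong protocol.
        'derived, http proxying': websocket_status(
            proxy(BY_IP, True), scheme='http'),
        # Cross-site page: Origin and Host do not match.
        'derived, cross-site': websocket_status(proxy(CROSS_SITE, True)),
    }


if __name__ == '__main__':
    for name, status in scenarios().items():
        print(f'{status}  {name}')
```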
Tests:
- App installation works. Proxying works when configured with Firefox.
listen-address and permit-access directives are set as expected in the
configuration file.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
- Make sure a user might not run Privoxy as an open proxy, potentially giving
unwanted access to local resources. Only private IP classes are allowed to
connect.
Tests:
- Freshly install privoxy app. permit-access directives are set in the
configuration. Proxy works when tested with a private IP address with Firefox.
- Install privoxy app without the changes. Apply the changes, privoxy setup
should run. permit-access directives are set in the configuration. Proxy works
when tested with a private IP address with Firefox.
- Privoxy works when accessed with IPv4 address (such as 10.42.0.x) and IPv6
address (such as fe80::x:y:z%ve-fbx-testing).
[sunil: Use Spacevars augeas lens to edit the configuration file]
[sunil: Update IP ranges with auto-configuration, IPv6 addresses, etc.]
[sunil: Update description to mention that only local IPs are allowed]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This is recommended by PEP-0597: https://peps.python.org/pep-0597/
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
`apt-mark hold PACKAGES` accepts a list of packages. But if one of the
packages is missing from the apt repository, then it will fail to hold
any of the listed packages. So it is necessary to try to hold each
package by itself.
Test:
- Run dist-upgrade from bullseye to bookworm. mumble-server package is
currently missing from bookworm, but it should not cause an error in
dist-upgrade.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
For dist-upgrade from buster to bullseye, we had a workaround to avoid
grub error during upgrade. The workaround is still needed for
dist-upgrade from bullseye to bookworm.
Helps #2057.
Test:
1. Build freedombox package for bullseye-backports with this fix
included.
2. Install package in bullseye vagrant box.
3. Enable automatic updates, and start dist upgrade from action.
4. Check journal to see if there is an error from grub.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Test I made: Created a few users, then applied the changes
and rebooted FreedomBox. After reboot I created another user
whose home directory could now be listed.
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Don't use command line argument for sending the join password for security.
- murmurd can switch to mumble-server UID before performing database operations.
Remove code to switch to mumble-server user.
- murmurd seems to return correct response code of 0 upon successfully setting
the password. Simplify code accordingly.
- Use subprocess.run() instead of subprocess.Popen for convenience.
Tests:
- Run functional and unit tests on Debian stable.
- Perform a fresh installation.
- Verify that setting super user password works.
- Verify that setting root channel names works.
- Verify that setting join password works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2230.
- matrix-synapse >= 1.59.1-1 requires python3-unpaddedbase64 >= 2.1.0~
Tests:
- On a stable container, matrixsynapse app is not installable.
- With the changes, start FreedomBox service, setup will run on the upgrades
module and /etc/apt/preferences.d/51freedombox-apps.conf will be changed to
include the two new entries. After this, matrix-synapse app is installable.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Get and set the storage path.
- Functional tests pass.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Any privileged action (a method) can be marked as such with the new decorator. A
call to the method will be serialized into a sudo call (or later into a D-Bus
call). The method arguments are turned to JSON and method is called as
superuser. Arguments are de-serialized and are verified for type before the
actual call as superuser. Return values are serialized and returned where they
are de-serialized. Exceptions are also serialized and de-serialized.
The method must be strictly typed and should not have keyword-only
arguments. Currently supported types are int, float, str, dict/Dict, list/List
and Optional.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
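One way the superuser side of such a call could verify JSON-decoded arguments against the method's annotations before calling it, as an added example that is not the FreedomBox implementation: the request layout, check_type(), call_privileged() and set_forwarders() are hypothetical, and rejecting bool for int is this example's own choice.

```python
import inspect
import json
import typing


def check_type(name, value, annotation):
    """Raise TypeError unless a JSON-decoded value matches the annotation."""
    origin, args = typing.get_origin(annotation), typing.get_args(annotation)
    if origin is typing.Union:  # Optional[X] is Union[X, None]
        for choice in args:
            try:
                return check_type(name, value, choice)
            except TypeError:
                continue
        raise TypeError(f'{name}: expected {annotation}')
    if annotation is type(None):
        if value is not None:
            raise TypeError(f'{name}: expected None')
        return None
    basic = origin or annotation  # list[str] -> list, dict[str, int] -> dict
    if basic not in (int, float, str, list, dict):
        raise TypeError(f'{name}: unsupported annotation {annotation}')
    # bool is a subclass of int; rejecting it is this example's choice.
    if isinstance(value, bool) or not isinstance(value, basic):
        raise TypeError(f'{name}: expected {basic.__name__}')
    if basic is list and args:
        for item in value:
            check_type(f'{name}[]', item, args[0])
    if basic is dict and args:  # JSON object keys are always str
        for key, item in value.items():
            check_type(f'{name}[{key!r}]', item, args[1])


def call_privileged(func, request_json):
    """Superuser side: decode the request, verify types, call, serialize."""
    try:
        request = json.loads(request_json)
        hints = typing.get_type_hints(func)
        signature = inspect.signature(func)
        for param in signature.parameters.values():
            if param.kind is param.KEYWORD_ONLY or param.name not in hints:
                raise TypeError(f'{param.name}: untyped or keyword-only')
        bound = signature.bind(*request['args'], **request['kwargs'])
        for name, value in bound.arguments.items():
            check_type(name, value, hints[name])
        value = func(*bound.args, **bound.kwargs)
        return json.dumps({'result': 'success', 'return': value})
    except Exception as error:  # exceptions are serialized for the caller too
        return json.dumps({'result': 'exception',
                           'exception': [type(error).__name__, str(error)]})


def set_forwarders(forwarders: list[str],
                   port: typing.Optional[int] = None) -> str:
    """Hypothetical privileged method, used only for this example."""
    return ' '.join(forwarders) + (f' port {port}' if port else '')


# Constructed request, as the unprivileged caller would serialize it.
REQUEST = json.dumps({'args': [['192.0.2.1']], 'kwargs': {'port': 53}})
```

Calling `call_privileged(set_forwarders, REQUEST)` returns a success response, while a request that passes a plain string for `forwarders` comes back as a serialized TypeError without the method ever running.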
[sunil: Update the form description for styling]
[sunil: Show the default site name when nothing is set]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Choices includes all of the available domain names in the system, as
well as any domains that are in ejabberd configuration.
Tests:
- Disable a domain. It is removed from ejabberd config.
- Enable a domain. It is added to ejabberd config.
- Enable all name services. Run ejabberd functional tests and observe
that they pass.
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[james: Apply yapf formatting]
[james: Minor adjustment to help text]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
- Add basic video room based on demo.
- Set port range to use for RTP.
- coturn: Add component for time-limited TURN configuration.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Don't error out when coturn is not installed/configured]
[sunil: Prepend data- to custom attribute in HTML]
[sunil: Convert SVG with embedded bitmap to vector graphics]
[sunil: Hide Javascript license information in footer]
[sunil: Minor changes to comments for styling]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Show the current name of the root channel
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[james: Use augeas for config file operations]
[james: Pass channel name on command line]
[james: Add functional test for change root channel name]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Based on work by Benedek Nagy at:
https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2198
Tests:
- Install WordPress without this patch. Then switch to code with this patch.
Restart FreedomBox. WordPress setup should get executed and the setup version
should get incremented to 2. The configuration file should contain the include
line for freedombox-static.php. freedombox-static.php should be installed and
should contain the line for setting FS_METHOD to 'direct'.
- Uninstall WordPress and wipe everything. Install WordPress freshly using this
patch. The line to include freedombox-static.php should be present in the
default configuration file. freedombox-static.php should be installed and should
contain the line for setting FS_METHOD to 'direct'.
- Installing a new theme using a URL and setting the default theme to the new
theme should work.
- Installing a plugin and enabling it should work.
- Installing an older version of a plugin and then updating it should work.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2215.
- matrix-synapse >= 1.55.0-2 requires python3-jinja2 >= 3.0~
- python3-jinja2 >= 3.0~ requires python3-markupsafe >= 2.0
Tests:
- On a stable container, matrixsynapse app is not installable.
- With the changes, start FreedomBox service, setup will run on the upgrades
module and /etc/apt/preferences.d/51freedombox-apps.conf will be changed to
include the two new entries. After this, matrix-synapse app is installable.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Unix paths can contain double quotes. Allow entering paths with double quotes by
escaping them in c-style[1] and retrieve them back properly.
1) https://httpd.apache.org/docs/2.4/expr.html
Tests:
Run tests with various paths:
- /var/a b
- /var/c"d
- /var/ef"
Run the following tests.
- Create a directory with the test path and create a sample file inside it.
- Add a share with the test path.
- Ensure that the share is accessible and the file can be downloaded.
- Ensure that the list of the shares shows the path correctly.
- Ensure that the share can be edited.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>