- Set renewal period to 3 years before expiry so that users not inconvenienced
too much.
- Renew server certificate if possible.
- There are openvpn server setups where the expiry of the server certificate has
been set to 2 years due to a bug in our code. Triggering a setup call will renew
these certificates without effecting any clients. Even during the bug, CA certs
were still be valid for 10 years. So, they are unaffected.
- When downloading profile, if client certificate is renewable, renew
before providing profile for download. Old certificates will still be valid
until their expiry.
Tests:
- Without the patches, install openvpn app. Server certificate will be created
with a validity of 2 years. Download the client profile. Apply patches, setup
will be rerun. OpenVPN will be restarted. Server certificate will be renewed and
show 10 years expiry. Old client profile will continue to connect successfully.
It will have expiry of 2 years. Download the client profile again. It will an
expiry of 10 years and will successfully to the server.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Don't overwrite the entire PKI directory or CA certificates.
- Don't re-enable app during setup.
Tests:
- Install app with patches. Rerun setup. It succeeds. Server certificate is not
changed.
- Disable app. Re-run setup. App is not re-enabled. OpenVPN is not running.
- Enable app. Re-run setup. OpenVPN is restarted.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- A configuration file seems to be the preferred approach for invoke easy-rsa
since version 3.
- Drop unused configuration keys KEY_CONFIG, KEY_DIR and EASYRSA_REQ_NAME. These
are no longer referred to in the easy-rsa script.
- Remove configuration key EASYRSA_OPENSSL as the value 'openssl' is already the
default.
- Use pathlib.Path to simplify some code.
Tests:
- Re-run setup and notice the ca.cert file has not changed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- After moving to easy-rsa 3.x, the expiry configuration key changed and
original intention of setting the expiry to 10 years was not working. Update the
key to set the expiry properly.
Tests:
- Install the app freshly and verify the server and client have 'Valid Not
After' date set 10 years in future.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2370.
- In Debian testing (trixie), easy-rsa version is 3.1.5 (up from 3.1.0). In this
version trying to sign a certificate request when the final certificate is
already present leads to an error which fails openvpn app installation.
- In versions 3.1.0 (Debian bookworm/stable) and above, build-server-full also
generates a signing request and then signs the request. So, there is no need to
run them separately.
Tests:
- Uninstall openvpn test that /etc/openvpn directory has been removed. Install
openvpn download client profile and connect using 'sudo openvpn --config
tester.ovpn'. The connection will be successful.
- Files /etc/openvpn/freedombox-keys/pki/issues/{server,tester}.ovpn show
signature values.
- Repeat test for Debian testing and stable/bookworm.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Without the changes, the form submission for setting firewall zone fails with
error similar to "element can't be scrolled to view".
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Add explicit dependency on django-ipware >=3. django-axes >= 6 adds
only and optional dependency on django-ipware. Adding explicit dependency make
the behavior safer.
- Depend on django-axes >= 5 where the authentication backend and other features
are available. The new code won't work with older versions. The new approach
uses and authentication backend to deny access to the login form on lockout and
a middleware to redirect user to locked out form when limit of attempts have
been reached.
- Drop old code used for compatibility with django-axes 3.x.
- Suppress verbose and debug messages as django-axes is too chatty.
- Re-implment the CAPTCHA form entirely. In the old style, we have a login form
with CAPTCHA field. That would not work with the new django-axes authentication
middle. On submission of the form, auth.authenticate() will be called. This
call invokes various authentication backends include django-axes authentication
backend. This backend's behavior is to reject all authentication attempts when
the IP is listed in locked table. The new approach is to provide a simple
CAPTCHA form with just the CAPTCHA field. If the form is successfully
validated (correct CAPTCHA is provided), then the lock on the IP address is
reset. The user is then free to perform 3 more attempts to login.
- Update firstboot form to send the request parameter when using
auth.authenticate() method. This needed by Django axes' authentication method
which will be triggered.
Tests:
- Run tests on Debian Bookworm and Debian testing.
- Axes verbose messages and debug messages are not printed on the console when
running FreedomBox in debug mode.
- Only three invalid attempts are allowed at the login page. After the final
incorrect attempt, user is redirected to CAPTCHA page. Visiting the login page
using the URL works but entering the correct credentials still takes the user to
CAPTCHA page.
- CAPTCHA form appears as expected. Clicking the CAPTCHA images downloads the
audio file corresponding to the image. Incorrect CAPTCHA shows an error. Correct
CAPTCHA takes the user to login form where they are able to login with correct
credentials. Entering incorrect credentials 3 times will take the user again to
CAPTCHA page.
- Creating user account during firstboot works.
- Blocked IP address the IP of the client such as 10.42.0.1 and not the local IP
address 127.0.0.1 according the django-axes log messages. While one client IP
address is blocked, another IP is able to login to the same user account that
was attempted by the blocked client.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This prevents CSRF attacks that allow adversarial websites from logging out
users from FreedomBox. Django itself has made this change in 4.x releases.
Tests:
- Logout works with the menu item in drop-down when Javascript is enabled. The
menu item appears similar to other drop-down menu items.
- Logout works with the menu item when JavaScript is disabled on the page. The
menu item appears similar to other menu items.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Using autofocus too much hurts accessibility[1] as screen readers jump to the
autofocused field. Specifically, it should used only when it increases UX
significantly, when the form is the only thing on the page and there is nothing
to read before the field is filled.
- Networks: There is not much improvement to UX by focusing on a radio select.
- Update User Form: there is a statement to be read before the first element is
filled up. Username is changed rarely but it being focused on.
- First boot user account: There is content to be read before filling the form
and this will be skipped by the screen reader.
Links:
1) https://www.boia.org/blog/accessibility-tips-be-cautious-when-using-autofocus
Tests:
- networks: Add new connection form works. The connection type is not
autofocused.
- users: Update user form works. Username is not autofocused.
- users: First boot form works. Username is not autofocused.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- It has been deprecated in Django 4.2
Tests:
- Add a remote backup location with valid SSH hostname and notice that the list
of SSH host keys are shown properly.
- Add a remote backup location with invalid SSH hostname and notice that the
error "Could not reach SSH host..." is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This header is not supported by modern browsers[1]
- Our Content-Security-Policy header already does a better job.
- Django 4.0 removed this setting and does nothing with it.
Links:
1) https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
Tests:
- Without the patch X-XSS-Protection header is sent and with the patch it is not
sent.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Install bepasty app. Notice the extra menu option in the advanced menu.
Clicking it installs the app and run setup. Progress is shown during the re-run
of setup. When operation is completed 'App updated' notification is shown.
- Test Zoph app setup page.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Could not test: rerun setup after disabling the app. App is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
