- In tags cleanup code, the front page shortcut for email uses different tags
than those provided in the manifest. When the app is instantiated in privileged
code without setting up Django, this causes an error even though gettext_noop is
used. Workaround by using a custom method for this.
Tests:
- Installing, enabling/disabling email apps works.
- 'make update-translations' output shows that django.pot has been updated and
the tags in question are part of the POT file.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- For scheduled backups and automatic backups generated when uninstalling apps,
make the generated archive name similar to automatic name given no name is
specified when creating an archive.
Tests:
- Set schedule on a local repository, uninstall an application, and create a
backup archive without a name. The timestamp in generated backup archives in all
three cases is similar in format.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2354.
- Process spawned for raw IO should be collected using wait(). Closing the
specially created pipe early causes an exception in the child process when it
tries to write to stderr the JSON result of executed method.
Tests:
- Monitor the output of 'journalctl -f'. Download and archive. Without the
patch, an error is printed as described in the bug. With the but no such error
is printed. Downloaded file is the same in both cases.
- Writing a log message in cleanup_func shows that the process has been waited
for and the FDs have been closed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Fill up disk to have very little space left. Perform a large backup operation
by writing a large file to one of the directories to be backed up. Try to
perform the backup and notice that a nice error message is shown that there is
not enough disk space instead of a generic error message.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Promote reverse DNS information to primary heading.
- Add information that only one domain have reverse DNS configured.
- Clarify that ISP are also responsible for reverse DNS.
- Show reverse DNS records only for primary domain.
Tests:
- View email app. List of domains is shown in the domain section. Primary domain
is marked with a special icon.
- Clicking on the domain works. DNS and reverse DNS information is shown. DKIM
key information is present.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Benedek Nagy <contact@nbenedek.me>
- Instead of just the primary domain. This bring us closer to working equally
well on all the domains.
- App version number has not be incremented because it has already been
incremented for this release cycle.
Tests:
- When re-running the setup of email app. Notice that all the domains have DKIM
keys now.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Benedek Nagy <contact@nbenedek.me>
- Drop the configuration field from all the forms.
- Those using a different value for public IP lookup URL must now set the value
again in the privacy app. Privacy app will show the review notification again
for this reason.
Tests:
- Functional and unit tests pass.
- Printing the external IP address during the update task shows correct value.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Benedek Nagy <contact@nbenedek.me>
- Since a new option has been introduced the privacy app.
Tests:
- When the patch is applied and service is restart, privacy app's setup is run
again and notification is shown when it has already been dismissed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Benedek Nagy <contact@nbenedek.me>
- This will act as centralized location to set the URL to lookup IP addresses.
Tests:
- When no value is set initially, the URL for Foundation is shown. This also
happens when the value is removed from 'plinth_kvstore' sqlite3 table.
- When empty value is set it, the empty value is set in DB and show in the UI.
- When no value is changed and form is updated, message is shown that settings
have not changed.
- When value is changed and form is updated the updated value is shown in the
form, message is shown that configuration has been updated.
- Updated URL value reflects in the email app and errors change accordingly.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Benedek Nagy <contact@nbenedek.me>
Imroves: https://salsa.debian.org/freedombox-team/freedombox/-/issues/56
[sunil]
- Show reverse DNS records for both IPv4 and IPv6 addresses.
- Use utility to lookup public IP addresses.
- Rename the template context variable and method to use less technical terms.
- Use Python's ipaddress module to compute the PTR record's domain value.
- Don't retrieve primary domain at the module level.
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Benedek Nagy <contact@nbenedek.me>
This will later become a setting in the privacy app. It will be used by email,
dynamicdns, and networks apps.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Benedek Nagy <contact@nbenedek.me>
- Add typing information for init methods Info, Shortcut, and Menu to easily
identify problems.
- Update docstrings for these components.
- Updates test cases to deal with tags instead of short description.
- Update custom shortcuts code to read tags and ignore short description.
- Update API to send tags instead of custom shortcuts.
- OpenVPN special treatment of info.description in Shortcut
Tests:
- All unit tests pass and type checking succeeds.
- All apps show icons with tags in apps and system section.
- In help section cards don't show tags.
- In front page, enabled apps show shortcuts with tags.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
- Even though pexpect is set for override in pyproject.toml latest
mypy==1.13.0-2 on Debian testing throws an error here.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
Tests:
- All deluge functional tests pass and monitored that there are no
unreasonable delays in deluge web client while tests are running.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
- This improves page rendering time. If JS files are not loaded in deferred or
async mode, they will halt the page rendering until JS files are loaded from
network.
- 'defer' mode guarantees that the load order is same as the order in which JS
files appeared in the HTML page.
Tests:
- Run at least one function of each affected JS file and ensure that is works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Closes: #2484
Tests:
- Functional tests for users app works.
- When updating the user if the delete user is not checked, delete confirmation
dialog is not shown.
- When updating the user if the delete user is checked, delete confirmation
dialog is shown. It can be dismissed and re-shown many times. When confirm
button is clicked, the form is submitted and user is deleted.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Enabling/disabling public share shows and hides the list of groups in share
edit page.
- When loading the share page, if public share is enabled, list of groups is
hidden.
- When loading the share page, if public share is disabled, list of groups is
shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Modify or remove the sslCert/sslKey lines in mumble-server.ini. The
diagnostic is failed. After repair, the expected lines are restored,
and the diagnostic is passed.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Tests:
- In testing container, install Mumble. /etc/mumble/mumble-server.ini
has settings for ssl cert and key.
- In stable container, install Mumble. /etc/mumble-server.ini has
settings for ssl cert and key.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
See the spam score for an email sent with these settings:
https://www.mail-tester.com/test-jy6unbdzu
Tests done:
1. Install the email app with version 4, then check out the files:
```
ls -la /var/lib/rspamd/dkim/ ; cat /etc/rspamd/local.d/dkim_signing.conf
total 4
dr-x------ 1 _rspamd _rspamd 50 Jan 1 19:14 .
drwxr-x--- 1 _rspamd _rspamd 16936 Jan 1 20:21 ..
-r-------- 1 root root 1704 Jan 1 19:14 freedombox.local.dkim.key
cat: /etc/rspamd/local.d/dkim_signing.conf: No such file or directory
```
2. Apply the patches and update the app:
```
ls -la /var/lib/rspamd/dkim/ ; cat /etc/rspamd/local.d/dkim_signing.conf
total 4
dr-x------ 1 _rspamd _rspamd 50 Jan 1 19:14 .
drwxr-x--- 1 _rspamd _rspamd 16936 Jan 1 20:22 ..
-r-------- 1 _rspamd _rspamd 1704 Jan 1 19:14 freedombox.local.dkim.key
allow_username_mismatch = true;
sign_authenticated = true;
use_domain = "header";
domain {
freedombox.local {
path = "/var/lib/rspamd/dkim/freedombox.local.dkim.key";
selector = "dkim";
}
}
```
3. Configure example.com as a domain under Name Services, then also change the primary domain in the email app and confirm it completes without errors.
Also see:
```
ls -la /var/lib/rspamd/dkim/ ; cat /etc/rspamd/local.d/dkim_signing.conf
total 8
dr-x------ 1 _rspamd _rspamd 90 Jan 1 21:15 .
drwxr-x--- 1 _rspamd _rspamd 16936 Jan 1 21:17 ..
-r-------- 1 _rspamd _rspamd 1704 Jan 1 21:15 example.com.dkim.key
-r-------- 1 _rspamd _rspamd 1704 Jan 1 19:14 freedombox.local.dkim.key
allow_username_mismatch = true;
sign_authenticated = true;
use_domain = "header";
domain {
example.com {
path = "/var/lib/rspamd/dkim/example.com.dkim.key";
selector = "dkim";
}
}
```
4. Uninstall the app and perform a fresh install, confirm it completes succesfully.
The configurations in /etc/rspamd/local.d/dkim_signing.conf have been
verified to work on a throw-away VPS setup.
Once merged, this should be mentioned here: https://discuss.freedombox.org/t/solved-email-messages-not-signed-with-dkim/2387
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
[sunil: Add comment explaining allow_username_mismatch option]
[sunil: Drop an unused variable, added docstrings]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
The last confirmed issue we had was fixed in Nov 2024, no new issues
have been repoerted since.
Signed-off-by: Benedek Nagy <contact@nbenedek.me>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Currently, when trying to create PPPoE connection, we get an exception that
dns_over_tls key is not found in the form's cleaned_data. Fix this by not
expecting the field to be present only for PPPoE connections.
Tests:
- Edit a regular Ethernet connection and change the value of DNS-over-TLS to all
the different values and notice that the value is updated as expected.
- Create a regular Ethernet connection with non-default value for DNS-over-TLS.
The value for DNS-over-TLS on the connection set as expected.
- Create/edit/delete of a PPPoE connection works.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- So that on slow machines, the tests don't fail.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2218.
- When borg can't acquire a lock due to it being busy, any borg operation can
fail. Show a readable message instead of a generic error.
- Also handle errors for archive already existing and archive to be deleted not
existing.
Tests:
- Functional tests for backup app work.
- Creating archive works with proper message. Providing the name of existing
archive shows proper error.
- Deleting archive works with proper message. Open two tabs by clicking on the
delete archive button. Then delete with one and try to delete the it again with
the next one. Proper error message is shown.
- While downloading an archive, delete an archive. Proper error message that
borg is busy is shown.
- Upload archive works. A proper success message is shown.
- Restore backup from archive works. A proper success message is shown.
- Restore backup from file upload works. A proper success message is shown after
upload and after restoration.
- Adding local repository works. A proper success message is shown.
- Adding remote repository works. A proper success message is shown when SSH key
is verified and repository is added.
- Removing repository works. A proper success message is shown.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #1603.
- This introduces seconds and timezone in the name of the archive. When seconds
are not used in the name, taking backups too quickly on after the other fails as
the names clash.
Tests:
- Taking a backup works and creates the name in the expected ISO time format.
- Changing the timezone and restarting service creates timestamps in that
timezone.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- When archives are listed using list_archives() method, return datetime objects
instead of pre-formatted strings. datetime objects can be compared easily and
shown in a more human readable format.
Tests:
- Unit tests pass.
- Backups with a future date are ignored when considering recent backup
times (when they logged to console).
- Most recent scheduled backup times are retrieved correctly (when they logged
to console).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Sending GET requests to the two views by opening theirs URLs in the browser
show a blank page. Actions are not performed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Currently, in the repository class, if an operation fails, the error messages
from borg are interpreted and re-raised. Everywhere else, the errors are
interpreted. Fix this by wrapping privileged methods at the privileged module
level instead of a context manager at the place of calling.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Fixes#2460
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: Update the style to provide spacing after tags lines]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
sunil:
- Add explicit dependency on libjs-jquery in janus even though another
dependency brings it in.
- Fix looking for elements before DOMContentLoaded is fired. Since most of the
scripts are added at the end of the page, it might work now, but doing this
properly after DOMContentLoaded allows us to relocate the scripts to the header
of the page and add 'defer' attribute on them.
- Fix issue with IPv6 method getting selected as 'dchp' in networks.js.
- Don't focus on the first element in the form after the page loads. This is bad
for accessibility.
- Fix issue with setting the readonly/required states of IPv4/IPv6 fields on
page load.
- Password fields can now be changed to text fields and vice versa without a
problem. Simplify.
- Fix incorrect repetition of code setting 'show' class in onInvalidEvent().
- Prefer exception getting raised instead of functionality silently failing when
expected elements are not found.
- Use 'const' instead of 'var' wherever possible.
- Prefer .closest() to get to ancestors instead of .parentNode;
- Don't CSS transitions when showing an element, 'transition' CSS property does
not work on 'display' property. Instead they have to implemented on 'height',
'opacity', etc.
- Minor styling changes. Consistent casing. Use arrow styled functions.
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #2476.
- The collapse click logic is triggered when clicking on the schedule button (or
the other buttons). In case of other buttons they do activate eventually but
the schedule button does not activate.
- Solve this properly by making sure that collapse logic is not triggered when
the buttons are clicked.
Tests:
- On stable and testing containers, ensure that collapse works. Collapse/expand
icon works. The three buttons work. And mobile view looks good.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- In current stable and testing, verifying SSH remote hosts using RSA is not
working. After selecting the verified RSA fingerprint, paramiko fails to connect
- A change introduced in paramiko 2.9 lead to failures when connecting to hosts
that have a verified RSA host key[1][2][3]. To fix the issue,
disabled_algorithms must be used to drop some of the other algorithms supported
by the server to force paramiko behavior. A better solution to the problem was
introduced in paramiko 3.2. Both these solutions require careful update to the
code. Considering the utility paramiko provides, the regression annoyance,
effort required for this fix, and the security implications (it is an completely
independent SSH implementation), the library does not seem to be worth the
effort in our case.
- Switch to using sshpass command line utility instead of paramiko library. The
only reason to use paramiko seems that 'ssh' command by default does not allow
us to input password easily while paramiko does.
- Another place where paramiko is being used is to check if a host is already
verified in the known_hosts file. This has been trivially replaced with
'ssh-keygen -F'.
- Exit codes provided by sshpass can replace the specific exception raised by
paramiko.
Links:
1) https://www.paramiko.org/changelog.html
2) https://github.com/paramiko/paramiko/issues/2017
3) https://github.com/paramiko/paramiko/issues/1984
Tests:
- Add a remote backup repository with and without encryption.
- Add remote backup repository with all three types of algorithms.
- Add a remote repository again with wrong password. Authentication error is
properly shown.
- Add a remote backup repository and remove it. Host remains verified. Add a
repository again.
- Add a remote backup repository and remove it. Host remains verified. Change
the fingerprint the /var/lib/plinth/.ssh/known_hosts file. Add a repository
again. A proper error is shown that remote host could not be verified.
- Add a remote backup repository and remove it. Host remains verified. Stop SSH
server on the remote host. A generic error is shown that ssh command on remote
host failed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- The output of ssh-keyscan scan contain comments that start with '#'. When
these are present, they are incorrectly assumed to be valid keys. Ignore these
lines.
Tests:
- Output of ssh-keyscan with latest OpenSSH in Debian testing contains comments.
Trying to verify the identity of the remove host without the patch fails when
adding remote backup repository. When patch is applied, it works (except RSA
key).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Currently, if an error occurred during diagnostics, just error
message (without traceback details) was supposed to be shown on the results
page. However, due to a bug in code related to showing repair button, a separate
exception is raised.
- Simplify the code by dropping all custom error display. Instead allow the
generic error display mechanism in the middleware to handle the error. This
keeps the code simple.
Tests:
- Raise an exception in diagnose() method of the 'users' app. Run the
diagnostics for the users app. Notice that Diagnostics app page is shown with
error alert containing full traceback details.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- In addition to the OperationalError, also handle all generic exceptions during
page submit and page load. Redirect to the same page or parent using
breadcrumbs.
- Log exceptions handled by common error middleware so that they are also part
of the system logs.
- Update kiwix test as needed.
- Refactor some test code that is setting up the menu items.
Tests:
- When an error occurs during form POST, the same page is show but with an error
message.
- When an error occurs in an app page during GET, the browser is redirected to
the parent section.
- When an error occurs in apps page during GET, the browser is redirected to the
home page.
- When an error occurs in home page during GET, the error is not handled and
default 500 handle is triggered.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Fixes an issue where the nslcd configuration option pam_authz_search is not
in effect after the users module setup.
Tests:
- Remove the pam_authz_search configuration option from /etc/nslcd.conf,
restart nslcd service, delete plinth.sqlite database to run first setup
after plinth start, start plinth. Do it twice:
1) before applying patch, users::test_user_states functional test fails.
2) after applying patch, users::test_user_states functional test pass.
- After applying patch, the nslcd service is restarted during module
upgrade.
- All the users module tests pass.
Relates to
https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2594#note_565614.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- It was never intended that breadcrumbs be shown in these pages.
Tests:
- When running first wizard, the busy page, the welcome page, user account
create page, and the next steps page are all shown without breadcrumbs. Same for
login page.
- Other pages which had breadcrumbs earlier continue to show them, that is, app
pages, system pages, help pages, and pages under those.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Tests:
- All users tests pass.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
[sunil: Update to reflect the new utility function name]
[sunil: Update some more cases to use the utility]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This was needed temporarily when migrating from Tor to Tor Proxy
app. But now we should preserve the user's existing configuration
during app upgrade.
Tests:
- Install Tor Proxy version 1. "Download software packages over Tor"
is enabled. Upgrade to Tor Proxy version 2. "Download software
packages over Tor" is still enabled.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Mask disabled Tor systemd services to prevent services starting by the Tor
master service after system reboot.
Also:
- Fix torproxy app always enabled after setup.
- Minor privileged code cleanup - removed unused functions.
Tests performed on Debian stable and testing:
- Installed and disabled the apps, rebooted the system, then applied the patch.
Ensured that apps are upgraded successfully and apps are disabled after
upgrade. Ensured that tor@default, tor@plinth and tor@fbxlocal services are
masked and not running.
- After 1)enabling and 2)disabling both apps and 3)rebooting the system:
- Ensured that the tor@default service is not running and is masked.
- Ensured that tor@plinth or tor@fbxproxy service states match the states
of the app.
- Uninstalled the apps, ensured that only the tor@default service masked
state remains in the systemd.
- All the tor and torproxy tests pass.
Closes#2369, #2454.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
