- Add typing information for init methods Info, Shortcut, and Menu to easily
identify problems.
- Update docstrings for these components.
- Updates test cases to deal with tags instead of short description.
- Update custom shortcuts code to read tags and ignore short description.
- Update API to send tags instead of custom shortcuts.
- OpenVPN special treatment of info.description in Shortcut
Tests:
- All unit tests pass and type checking succeeds.
- All apps show icons with tags in apps and system section.
- In help section cards don't show tags.
- In front page, enabled apps show shortcuts with tags.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
- This was supposed to removed in MR #2309 in the commit
253540fb3d12254c920b632cc484be6a79d27229. It was overlooked.
- Version number of users app has not been incremented as it has already been
incremented in this release.
Tests:
- There is no directory /etc/security/access.conf.d.
- There are not directives in /etc/security/access.conf that are not commented
out.
- After applying the patch (assuming previously setup version is 24.20) and
manually removing the destination file, app setup for users app runs. It
succeeds. /etc/pam.d/common-account no longer contains the line 'account
required pam_access.so'.
- After the upgrade, users who are root and non-root are able to login via SSH
and Cockpit. After a reboot, users are able to login via SSH and Cockpit.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2161.
- Sections are ordered by importance on which administrator must act after
setting up the system.
- Consistent order across all the languages.
- Update the styling for the section hearers.
- For system section, make them compact.
- Make them look like a header text (with underline) rather than a
divider (like in a menu).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
- This is so that the methods will be checked by mypy. This should help identify
any incorrect initialization of components.
- Remove unused self.repos in GitwebApp.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Config files are all symlinks in /etc/
- 'fail2ban-client get logtarget' shows sysout
- fail2ban logs to journald
- fail2ban identifies failures logged by apache in journald
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This will leave /etc/{plinth,freedombox} empty by default making service more
robust to run across various environments and situations. See systemd's
explanation for more details.
- Use Debian maintainer scripts remove all the existing files in
/etc/plinth/modules-enabled.
- Read from /usr/share/freedombox/modules-enabled then from
/etc/plinth/modules-enabled and finally from /etc/freedombox/modules-enabled.
Later read ones override previously read files. Any file pointing to /dev/null
will mean the module must be ignored.
Tests:
- Clean up /etc/plinth, /etc/freedombox and
/usr/share/freedombox/modules-enabled. Run service and notice that files are
getting loaded from development folder using a debug message.
- Run setup.py and notice that files get installed in
/usr/share/freedombox/modules-enabled/ and in the next run they get loaded from
there.
- Create a override file in /etc/plinth/modules-enabled/transmission and notice
that overriden file gets priority over the one in
/usr/share/freedombox/modules-enabled.
- Link the file /etc/plinth/modules-enabled/transmission to /dev/null and notice
that is not loaded.
- Create another file in /etc/freedombox/modules-enabled/transmission and notice
that it overrides the previous two files.
- All affected modules are loaded.
- Build a new Debian package and ensure that upgrading 23.8 to new version
removes are all configuration files.
- Build developer documentation and test that Tutorial -> Full Code and Tutorial
-> Skeleton sections have been updated with references to
-.../modules-enabled/... paths.
- Install quassel and notice that certificates were copied to /var/lib/quassel
directory. Change domain to another domain and notice that certificates were
copied again to that directory.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2276.
Functionality all over the system keeps failing due this approach. The latest is
changing hostname in ejabberd Mnesia database fails (#2276). Further, users
connecting FreedomBox to a monitor can't use a GUI.
Tests:
- Without patches, enable restricted access. Apply patches and setup.py install.
Security app is updated. Restricted access is disabled and
/etc/security/access.d/{50freedombox.conf, 10freedombox-security.conf,
10freedombox-performance.conf} are removed. It is possible to login into
non-admin account via SSH.
- On a fresh install, the configuration files are not found.
- Security page does not show 'restrict console logins' option.
- Updating security app setting works. Message 'Configuration updated.' is
shown.
- First boot succeeds. Restrict console login is not enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Recommendation to use 'sysout' as log target in order to log to systemd
journal comes from the fail2ban.service file.
Tests:
- Install the changes and restart fail2ban. Notice that journalctl shows new
log lines.
- Logged to /var/log/fail2ban.log has stopped.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- DONE: Unit tests work
- DONE: Transmission
- DONE: Enabling/disabling an app with a daemon works: transmission
- DONE: Showing the status of whether the app is enabled with daemon
is-enabled works.
- DONE: A message is shown if app is enabled and service is not running
- DONE: Service is stopped and re-started during backup
- DONE: Adding user to share group during initial setup restarts the service
- Not tested: Enabling/disabling a service with alias works (no such apps)
- DONE: Restarting/try-restarting a service works
- DONE: Masking/unmasking works
- DONE: rsyslog is masked after initial setup
- DONE: systemd-journald is try-restarted during initial setup
- DONE: Avahi, email, security initial setup works
- DONE: Fail2ban is unmasked and enabled
- DONE: Enabling/disabling fail2ban is security app works
- DONE: Enabling/disabling password authentication in SSH works
- ?? Let's encrypt
- Services are try-restarted during certificate setup, obtain, renew
- Not tested: upgrade pagekite from version 1
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Enable/disable button is not shown.
- Diagnostics are shown and work.
- Initial status of the configuration is show properly.
- Enabling/disabling configuration options reflects correct status.
- Status of frequent features updates shows properly.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
module.app property usage is greatly reduced because setup() and force_upgrade()
method are now part of App class instead of at the module level. Remove the
remaining minor cases of usage and drop the property altogether.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Primary purpose is to complete the App API and allow for multiple apps to be
present in a module without a single clashing setup() method. Secondary
objective is to get rid of SetupHelper instance simple use App instance instead.
- This brings us closer to not needing to implement setup() method for some of
the typical apps.
- Remove default value None for old_version parameter.
- A valid integer value is always passed to this call.
- The value of None is undefined.
- Simplifies the App API slightly.
- Drop setting 'pre', 'post' values to indicate the stage of setup for the App.
- Simplifies the setup methods significantly. Eliminates a class of
bugs (some of them seen earlier).
- The UI can show a simple 'installing...' or progress spinner instead of
individual stages.
- There are currently many inconsistencies where many operations are not
wrapped in helper.call() calls.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This is recommended by PEP-0597: https://peps.python.org/pep-0597/
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Make terminology more consistent managed vs. possible, resolve vs. actual.
- Fix regression in security report caused by comparing package expressions with
package names.
- Fix regression in package upgrades caused by comparing package expressions
with package names.
- Update API method names to improve readability and prevent accidental
mismatching of package names and package expressions. Update variable names for
same reason during usage.
Tests:
- minetest install successfully in testing.
- Security report shows non-zero value in the current vulnerabilities column.
- When an unavailable package is added to list of packages in an app, the app
can't be installed.
- When PackageOr expressions is added to an essential package, running
--list-dependencies shows an expressions with '|' in it.
- Unit tests succeed.
- Find a package with conffile prompt and add that to list of a packages in an
app like bepasty and implement a stub force_upgrade() method in the app. Run
'apt update' and that triggers and analysis of packages with conf file prompts.
This should call force_upgrade() method in bepasty and with proper argument for
list of packages.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- For zoph, drop dependency on php7.4 as it will cause issues for future
versions of php. The dependency was a hack and not needed for Bullseye and
higher.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- When a timer is provided to 'systemctl show' not all expected keys are
provided in the result. This leads to a KeyError exception.
- Also the security analysis for a timer unit is not useful. Instead perform the
analysis on the corresponding .service unit.
Closes: #2145
Tests:
- Before the patch, Wordpress shows as not sandboxed. The security report page
crashes on Debian testing setup.
- After the patch, there is no crash. Wordpress shows as sandboxed with 86%
coverage.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Signed-off-by: Joseph Nuthalapati <njoseph@riseup.net>
[sunil: isort all files]
[sunil: Remove component in datetime component as managed_packages is empty]
[sunil: Minor refactor in minidlna for consistency]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- In Django 2.2 django.conf.urls.url() is an alias to django.urls.re_path().
- In Django 4.0, url() function will be removed. On Django 3.2, it throws a
warning that this function will be removed in future.
Tests:
- Run unit tests with Django 3.2 and Django 2.2.
- With Django 3.2 there are no warnings when running unit tests and when running
FreedomBox Service.
- Visit a few affected apps with both Django versions.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- ugettext functions will be removed in Django 4.0. Each use emits a warning
when running with Django 3.2. Since we have warnings enabled in developer mode,
we see quite a few messages because of this.
- ugettext is already a simple alias of gettext. So, no regressions are
expected.
Tests:
- Accessing an affected app in UI with Django 3.2 and Django 2.2 works fine.
- Using Django 3.2 there are no warnings related to removal of ugettext
functions.
- Ran regular unit tests.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Update security_report.html text to clarify what vulnerability total
numbers mean, and give more info to learn what the vulnerabilties are.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
[jvalleroy: Make URL a link]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Disable fail2ban. When version number of the app is incremented, setup is run,
fail2ban is reloaded but fail2ban is not enabled after setup.
- Disable fail2ban. When app is uninstalled and FreedomBox is run, setup is
performed and fail2ban is enabled.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
Since security app manages fail2ban, it makes sense to set the default
configuration in this app.
Tests performed:
- `./setup.py install` installs the file in the correct place.
- Only 10 incorrect SSH login attempts as noticed in the fail2ban log will
result in ban.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
When 'restrict console logins' is activated, debsecan hourly cron jobs fail
because the 'daemon' user is not allowed to run cron jobs. Add rule to the
login access control file to allow 'daemon' user to run cron jobs.
Fixes#1770
Tested that after I copied the file to /etc/security/access.d/10freedombox-security.conf,
there are no more debsecan cron job errors in the journalctl logs.
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Fioddor Superconcentrado <fioddor@gmail.com>
Rows in bootstrap 4 tables are taller by default. This is better suited for
mobile layouts and look prettier on desktops too. Adopting this approach instead
of condensed tables eliminates the need for striping, bordering and narrower
tables.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
It is confusing to combine the user's intent of wanting to have backports
activated with whether they have actually been configured in the system.
- Separate out checking for requested which is a key in the kvstore from enabled
which is about checking system configuration for backports.
- Implement convenience method for setting whether user requested backports.
- Do not base the status display (in security and upgrades modules) on the
configuration status and instead focus on user intent.
- If user requested backports but they have not been enabled yet due to not
being available, show as activated. System will keep trying the background and
configure eventually.
- If user requested backports but their configuration is outdated yet due to
newer release, show as activated. System will keep trying in the background
and configure latest settings eventually.
- In all places where backports enabling is being checked, split the logic for
'can be activated' from 'already activated' and 'user requested activation'
properly.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #1855.
Tests:
- On unstable, first boot step is not shown. Backports are not
enabled.
- On testing, tested enabling backports at first boot step. Backports
are enabled.
- On testing, tested not enabling backports. Backports are not enabled
and can be activated later.
- On testing, confirmed that functional tests can click through the
first boot step.
- On stable with backports, first boot step is not shown. Backports
are enabled.
- On stable, tested enabling backports at first boot step. Backports
are enabled.
- On stable, tested not enabling backports. Backports are not enabled
and can be activated later.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
[sunil: Avoid two different i18n strings with almost same content]
[sunil: Use box_name instead of hardcoded FreedomBox name]
[sunil: Use consistent terminology 'activate' instead of 'enable']
[sunil: Rename the wizard, form, view, url for consistency with existing code]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Call backports as 'Frequent Feature Updates'. This is make it easy for a
non-technical user to understand better what they are.
- Clearly recommend enabling backports as this is our current consensus.
- Explain that if backports are disabled, feature updates will come every 2
years or so.
- Show the status of backports on upgrades app even after it is enabled.
Disappearing options in the UI are generally confusing for users (hiding of
expand partition feature should be seen as exception rather than as example).
- Tone down the alarm on backports:
- Rename 'Security Notice' to 'Frequent Feature Updates' in security page.
- Remove 'on a best-effort basis' phrase, as everything in Debian is similar.
- Set the activate button to primary priority rather than warning to make the
user comfortable with it.
- Share translation strings across the two apps so that effort for translators
is reduced.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Build deb and install in buster image. Manually remove backports
sources file. Security page does not show backports notice. Updates
page shows button to activate backports.
- Activate backports from updates page. Success message is shown and
button to activate backports is removed. Security page shows
backports notice.
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Move non-reusable app specific step definitions and helper methods into
<app>/tests/test_functional.py.
- Merge reusable helper methods into plinth.tests.functional
- Merge reusable step definitions into plinth.tests.functional.step_definitions
- avahi, datetime, ikiwiki: Reuse common methods to avoid repetition. Avoid
mapping from app nicknames to actual app names.
- deluge, transmission: Make a copy of sample.torrent for each app to avoid
clogging common place.
- Implement functional.visit() to simplify a lot of browser.visit() calls.
- Ensure that name of the mark on functional tests for an app is same as name of
the app. This will help with predicting the mark when running tests for a
particular app.
Tests performed:
- Run all functional tests.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Joseph Nuthalapati <njoseph@riseup.net>
