Daniel Maksymilian Syrnicki
470823b347
All checks were successful
Build ISO / build-iso (push) Successful in 17m30s
CI / lint (push) Successful in 27s
CI / test (push) Successful in 43s
CI / validate-json (push) Successful in 31s
CI / markdown-links (push) Successful in 15s
Release / release (push) Successful in 11m38s
One-admin, one-password model — all of /apps, /api/*, /, and
/settings/ now require a signed-in session. Passwords are werkzeug
PBKDF2-hashed in /var/lib/furtka/users.json (mode 0600, atomic write
via the same .tmp+chmod+rename dance installer.write_env uses).
Sessions are secrets.token_urlsafe(32) tokens held in a module-level
SessionStore dict (thread-safe lock included for when we swap to
ThreadingHTTPServer). Cookies are HttpOnly, SameSite=Strict, and
Path=/, with Secure set when X-Forwarded-Proto from Caddy says HTTPS.
Two bootstrap paths:
* Fresh install — webinstaller step-1 collects Linux user + password,
the chroot post-install step hashes the password and writes
users.json on the target partition. First browser visit lands on
/login with the account already present.
* Upgrade from 26.10-alpha — no users.json yet, so /login detects
setup_needed() and renders a first-run setup form. POST creates
the admin and immediately logs in.
POST /logout revokes the server session and clears the cookie.
Unauthenticated HTML requests 302 to /login; unauthenticated API
requests 401 JSON so fetch() callers see a clean error. A sleep(0.5)
on failed logins is the brute-force speed bump on top of werkzeug's
~600k-iter PBKDF2.
Caddyfile gains /login* and /logout* handle blocks in the shared
furtka_routes snippet so both :80 and the HTTPS hostname block
forward the auth endpoints to localhost:7000. Without this Caddy
would 404 from the static file server.
Test surface:
* tests/test_auth.py (new, 19 cases): hash roundtrip, users.json
I/O, session create/lookup/expire/revoke.
* tests/test_api.py: new admin_session fixture; existing HTTP
tests updated to send the cookie; new tests cover login setup,
login success, wrong-password 401, logout revocation, and the
guard's 302/401 split.
* tests/test_webinstaller_assets.py: new case that unpacks the
users.json _write_file_cmd body and verifies the werkzeug hash
round-trips against the step-1 password.
Bumped version to 26.11-alpha and rolled CHANGELOG. Also folded in
the ruff-format fix that was pending from 26.10-alpha's lint red.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
229 lines
10 KiB
Python
229 lines
10 KiB
Python
"""Asset sourcing + install-flow tests for webinstaller.
|
|
|
|
Phase-2 slice 1a moved every HTML/CSS/script/unit payload out of inline
|
|
Python string constants and into real files under furtka/assets/. Slice 1b
|
|
then flipped Caddy to serve from /opt/furtka/current/assets/www/, retired
|
|
/srv/furtka/www/, and switched systemd units from hand-written files in
|
|
/etc/systemd/system/ to `systemctl link` against the shipped asset tree.
|
|
|
|
These tests lock the new contract:
|
|
- the Caddyfile and the status.json placeholder still land via
|
|
_write_file_cmd and match the on-disk asset bit-for-bit,
|
|
- the resource-manager bootstrap extracts to /opt/furtka/versions/<ver>/,
|
|
creates /opt/furtka/current, and systemctl-links every unit,
|
|
- furtka.json is written with the installer's hostname,
|
|
- no write ever targets /srv/furtka/www/ (that path is retired).
|
|
"""
|
|
|
|
import base64
|
|
import re
|
|
import sys
|
|
from pathlib import Path
|
|
|
|
import pytest
|
|
|
|
sys.path.insert(0, str(Path(__file__).resolve().parent.parent / "webinstaller"))
|
|
import app # noqa: E402
|
|
|
|
REPO_ROOT = Path(__file__).resolve().parent.parent
|
|
ASSETS = REPO_ROOT / "assets"
|
|
|
|
|
|
# (install target path, asset path under furtka/assets/) — only the files we
|
|
# still copy bit-for-bit at install time. Scripts + unit files are no longer
|
|
# copied; they're reached via /opt/furtka/current and `systemctl link`. The
|
|
# Caddyfile is not in this list because it's written with the hostname
|
|
# placeholder substituted — see test_post_install_substitutes_hostname_in_caddyfile.
|
|
ASSET_TARGETS = [
|
|
("/var/lib/furtka/status.json", "www/status.json"),
|
|
]
|
|
|
|
|
|
def _extract_written_content(cmd, target):
|
|
"""Pull the base64 payload back out of a _write_file_cmd() shell string."""
|
|
match = re.search(r"printf %s (\S+) \| base64 -d > " + re.escape(target), cmd)
|
|
assert match, f"cmd didn't look like a write of {target}: {cmd[:100]}"
|
|
return base64.b64decode(match.group(1)).decode("utf-8")
|
|
|
|
|
|
@pytest.fixture
|
|
def install_cmds(tmp_path, monkeypatch):
|
|
# Make _resource_manager_commands return a non-empty list so the full
|
|
# command tree is exercised. A fake payload file is enough since the
|
|
# test only inspects the generated shell strings.
|
|
fake = tmp_path / "payload.tar.gz"
|
|
fake.write_bytes(b"not a real tarball")
|
|
monkeypatch.setattr(app, "RESOURCE_MANAGER_PAYLOAD", fake)
|
|
return app._post_install_commands("testhost", "daniel", "test-admin-pw")
|
|
|
|
|
|
@pytest.mark.parametrize("target,asset_relpath", ASSET_TARGETS)
|
|
def test_post_install_writes_asset_from_disk(install_cmds, target, asset_relpath):
|
|
expected = (ASSETS / asset_relpath).read_text(encoding="utf-8")
|
|
matching = [c for c in install_cmds if f" > {target}" in c]
|
|
assert matching, f"no command writes {target}"
|
|
assert _extract_written_content(matching[0], target) == expected
|
|
|
|
|
|
def test_no_command_writes_to_retired_srv_path(install_cmds):
|
|
for c in install_cmds:
|
|
assert "/srv/furtka/www" not in c, f"retired /srv/furtka/www write: {c[:120]}"
|
|
|
|
|
|
def test_resource_manager_extracts_to_versioned_slot(install_cmds):
|
|
extract_cmd = next((c for c in install_cmds if "tar -xzf" in c), None)
|
|
assert extract_cmd is not None, "no tar extract command"
|
|
assert "/opt/furtka/versions" in extract_cmd
|
|
assert "staging-" in extract_cmd # mktemp -d pattern
|
|
assert 'cat "$staging/VERSION"' in extract_cmd
|
|
# An empty VERSION file must abort the install instead of silently
|
|
# moving the staging dir into versions/ as a subdir.
|
|
assert '[ -n "$ver" ]' in extract_cmd
|
|
# Version dir must be 755 so Caddy (non-root) can traverse it.
|
|
assert 'chmod 755 "/opt/furtka/versions/$ver"' in extract_cmd
|
|
assert 'ln -sfn "/opt/furtka/versions/$ver" /opt/furtka/current' in extract_cmd
|
|
|
|
|
|
def test_furtka_json_cmd_uses_heredoc_and_interpolates_hostname(install_cmds):
|
|
# Regression: the previous base64+sed version of this command was a
|
|
# silent no-op on some installs due to archinstall-side quoting; the
|
|
# heredoc version is the one that reliably writes furtka.json.
|
|
cmd = next((c for c in install_cmds if "/var/lib/furtka/furtka.json" in c), None)
|
|
assert cmd is not None
|
|
assert "cat > /var/lib/furtka/furtka.json <<EOF" in cmd
|
|
assert '"hostname": "testhost"' in cmd
|
|
assert "date -Iseconds" in cmd
|
|
assert "/opt/furtka/current/VERSION" in cmd
|
|
|
|
|
|
def test_resource_manager_systemctl_links_every_unit(install_cmds):
|
|
link_cmd = next((c for c in install_cmds if c.startswith("systemctl link ")), None)
|
|
assert link_cmd is not None, "no systemctl link command"
|
|
for unit in app._FURTKA_UNITS:
|
|
assert f"/opt/furtka/current/assets/systemd/{unit}" in link_cmd
|
|
|
|
|
|
def test_resource_manager_enables_all_units(install_cmds):
|
|
enable_cmd = next((c for c in install_cmds if c.startswith("systemctl enable ")), None)
|
|
assert enable_cmd is not None
|
|
for unit in app._FURTKA_UNITS:
|
|
assert unit in enable_cmd
|
|
|
|
|
|
def test_wrapper_script_points_at_current_symlink():
|
|
assert "PYTHONPATH=/opt/furtka/current" in app._FURTKA_WRAPPER_SH
|
|
|
|
|
|
def test_caddyfile_asset_serves_from_current():
|
|
caddy = (ASSETS / "Caddyfile").read_text()
|
|
assert "root * /opt/furtka/current/assets/www" in caddy
|
|
assert "/srv/furtka/www" not in caddy
|
|
# Runtime JSON paths served from /var/lib/furtka/ so updates don't clobber.
|
|
assert "root * /var/lib/furtka" in caddy
|
|
|
|
|
|
def test_caddyfile_serves_both_http_and_https():
|
|
# :80 stays so users who haven't installed the CA still reach the box;
|
|
# HTTPS is served via a named-hostname block so Caddy's `tls internal`
|
|
# has something to issue a leaf cert for. A bare `:443 { tls internal }`
|
|
# never triggers issuance — that was the 26.4-alpha regression.
|
|
caddy = (ASSETS / "Caddyfile").read_text()
|
|
assert ":80 {" in caddy
|
|
assert "__FURTKA_HOSTNAME__.local, __FURTKA_HOSTNAME__ {" in caddy
|
|
assert "tls internal" in caddy
|
|
# Shared routes live in a named snippet to avoid drift between the two
|
|
# listeners — both site blocks must import it.
|
|
assert "(furtka_routes)" in caddy
|
|
assert caddy.count("import furtka_routes") == 2
|
|
|
|
|
|
def test_caddyfile_disables_caddy_auto_redirects():
|
|
# Named-hostname :443 block makes Caddy want to add its own HTTP→HTTPS
|
|
# redirect. The /settings toggle is the single source of truth, so the
|
|
# built-in has to be off — otherwise the toggle and auto_https race.
|
|
caddy = (ASSETS / "Caddyfile").read_text()
|
|
assert "auto_https disable_redirects" in caddy
|
|
|
|
|
|
def test_caddyfile_imports_force_redirect_snippet_dir():
|
|
# The /api/furtka/https/force endpoint toggles HTTP→HTTPS by writing or
|
|
# removing a snippet file in this dir; the Caddyfile must glob-import it
|
|
# inside the :80 block for the toggle to take effect.
|
|
caddy = (ASSETS / "Caddyfile").read_text()
|
|
assert "import /etc/caddy/furtka.d/*.caddyfile" in caddy
|
|
|
|
|
|
def test_caddyfile_exposes_root_ca_download():
|
|
# /rootCA.crt is the download handle the UI uses. It must map to the
|
|
# Caddy local-CA pki path and set a Content-Disposition so the browser
|
|
# treats it as a download rather than trying to render it. Path is the
|
|
# real one Caddy uses under XDG_DATA_HOME=/var/lib (see caddy.service
|
|
# Environment= directive) — not the /var/lib/caddy/.local/share/caddy/
|
|
# path Caddy docs show for non-systemd installs.
|
|
caddy = (ASSETS / "Caddyfile").read_text()
|
|
assert "handle /rootCA.crt" in caddy
|
|
assert "/var/lib/caddy/pki/authorities/local" in caddy
|
|
assert ".local/share/caddy" not in caddy
|
|
assert "attachment; filename=furtka-local-rootCA.crt" in caddy
|
|
|
|
|
|
def test_post_install_substitutes_hostname_in_caddyfile(install_cmds):
|
|
# Fresh installs: the placeholder the asset ships with must be replaced
|
|
# with the hostname the user picked in the form. The `testhost` value
|
|
# comes from the install_cmds fixture. Without substitution Caddy's
|
|
# `tls internal` never issues a leaf cert for the real hostname.
|
|
caddyfile_cmd = next((c for c in install_cmds if " > /etc/caddy/Caddyfile" in c), None)
|
|
assert caddyfile_cmd is not None
|
|
written = _extract_written_content(caddyfile_cmd, "/etc/caddy/Caddyfile")
|
|
assert "__FURTKA_HOSTNAME__" not in written
|
|
assert "testhost.local, testhost {" in written
|
|
|
|
|
|
def test_post_install_creates_furtka_d_snippet_dir(install_cmds):
|
|
# Pre-existing installs pick up the import path via updater._refresh_caddyfile,
|
|
# but fresh installs never run that — this command is the only guarantee
|
|
# that the first Caddy start on a brand-new box has a dir to glob-import.
|
|
matching = [c for c in install_cmds if "/etc/caddy/furtka.d" in c and "install -d" in c]
|
|
assert matching, "no install -d command creates /etc/caddy/furtka.d"
|
|
|
|
|
|
def test_systemd_units_reference_current_paths():
|
|
for unit in ("furtka-status.service", "furtka-welcome.service"):
|
|
body = (ASSETS / "systemd" / unit).read_text()
|
|
assert "/opt/furtka/current/assets/bin/" in body, (
|
|
f"{unit} still references a /usr/local/bin path"
|
|
)
|
|
|
|
|
|
def test_read_asset_raises_for_missing_file():
|
|
with pytest.raises(FileNotFoundError):
|
|
app._read_asset("does/not/exist.html")
|
|
|
|
|
|
def test_assets_dir_resolves_to_repo_tree():
|
|
assert app._ASSETS_DIR == ASSETS
|
|
|
|
|
|
def test_post_install_writes_users_json_with_hashed_password(install_cmds):
|
|
"""The Furtka-admin users.json is created during the chroot post-install.
|
|
|
|
Without this, a fresh-install box lands at /login in first-run setup
|
|
mode and the user has to go through the browser to set a password —
|
|
which defeats the "step-1 password works for everything" design. Also
|
|
check that the file is chmod 0600 (the PBKDF2 hash is a secret even
|
|
if it's slow to crack).
|
|
"""
|
|
import json as _json
|
|
|
|
from werkzeug.security import check_password_hash
|
|
|
|
users_cmd = next((c for c in install_cmds if " > /var/lib/furtka/users.json" in c), None)
|
|
assert users_cmd is not None, "no command writes /var/lib/furtka/users.json"
|
|
assert "chmod 600" in users_cmd, "users.json must be chmod 0600"
|
|
body = _extract_written_content(users_cmd, "/var/lib/furtka/users.json")
|
|
parsed = _json.loads(body)
|
|
assert "admin" in parsed
|
|
assert parsed["admin"]["username"] == "daniel" # matches fixture
|
|
# Hash is a real werkzeug hash, not the plaintext password.
|
|
assert parsed["admin"]["hash"] != "test-admin-pw"
|
|
assert check_password_hash(parsed["admin"]["hash"], "test-admin-pw")
|