freifunk-berlin / ca.berlin.freifunk.net

Webinterface for certificate creation. Deactivated. Was used for OpenVPN services Tunnel-Berlin and VPN03.

Home Page: https://wiki.freifunk.net/Berlin:Server

License: MIT License

Python 79.04% HTML 13.42% CSS 4.00% Mako 1.22% Shell 2.33%

ca.berlin.freifunk.net's People

Contributors

bobster-galore, booo, carpodaster, ffcb, k-nut, kentacki, marcel-sch, niccokunzmann, slomo, soupdiver, svenroederer, willwach

ca.berlin.freifunk.net's Issues

An option to reject and suspend creation of certificates is required

Recently we had some certificate requests where I was in contact with the requestor and "paused" their processing.
In the meantime some other admin signed some of these requests before the issue (unclear email) was resolved.

Adding a status flag and a comment field for hold / reject seems helpful.

Subscribe Mailinglist

  • An optional checkbox to subscribe to the Berlin mailing list.
  • If checked, the mailing list's confirmation mail should be sent.
  • Alternatively, the confirmation link can also be integrated into the service's existing mail :)

create a zip-archive for delivering the certificates

Hej,
For beginners using Windows it is probably easier to extract keys from a zip archive than from a tar.gz, where they have to install additional software.
What do you think, would a zip archive be more suitable?
Then we should switch to zip-archives.
ch g

write a simple integration test

We should write a simple integration test that is part of the travis run. The test should create a request for a certificate and we should check the database for the proper content.

Setup following the instructions does not work

Today I installed my checkout following the instructions. Everything ran through without errors.
When I then visit the web server, an exception is thrown at me right away:

jinja2.exceptions.UndefinedError: 'form' is undefined

Traceback (most recent call last):
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/app.py", line 1836, in __call__
    return self.wsgi_app(environ, start_response)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/app.py", line 1820, in wsgi_app
    response = self.make_response(self.handle_exception(e))
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/app.py", line 1403, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/_compat.py", line 33, in reraise
    raise value
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/ca/views.py", line 10, in index
    return render_template('index.html')
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/templating.py", line 128, in render_template
    context, ctx.app)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/flask/templating.py", line 110, in _render
    rv = template.render(context)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/jinja2/environment.py", line 989, in render
    return self.environment.handle_exception(exc_info, True)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/jinja2/environment.py", line 754, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/jinja2/_compat.py", line 37, in reraise
    raise value.with_traceback(tb)
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/ca/templates/index.html", line 1, in top-level template code
    {% extends "_layout.html" %}
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/ca/templates/_layout.html", line 29, in top-level template code
    {% block body %}{% endblock %}
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/ca/templates/index.html", line 16, in block "body"
    {{ form.csrf_token }}
  File "/mnt/hosts/build/src/web/freifunk/ca.berlin.freifunk.net/env/lib/python3.4/site-packages/jinja2/environment.py", line 408, in getattr
    return getattr(obj, attribute)
jinja2.exceptions.UndefinedError: 'form' is undefined

add simple captcha

We should add a simple captcha to the form. Maybe the same we use at config.berlin.freifunk.net.

Weekly digest on the mailing list

A weekly digest of new subscribers/nodes, including their comment on why they want a Freifunk VPN, would be a great social feature that was lost in the rework.

fix a typo in index.html: 2nd example contains underscore while explanation says hyphen

Just a minor/cosmetic issue, found in this section:

  {{ render_bootstrap_field(form.id, "Name des Zugangs", "Ein kurzer und eindeutiger Name für deinen Zugang (z.B. <em>funkenpumpe</em> oder <em>hermannstr42_vh</em>). Bitte nur Kleinbuchstaben und Bindestriche verwenden.") }}    

Either change it only here or, IMHO the better approach, modify both:
the explanation of "Name des Zugangs" (tunnelname) in ca.berlin.freifunk.net/templates/index.html and the explanation for "Spitzname des Routers" (node name) in config.berlin.freifunk.net/app/templates/wizard/form.html

{{ render_bootstrap_field(form.hostname, "Spitzname des Routers", "Ein kurzer und eindeutiger Name für deinen Router (z.B. <em>funkenpumpe</em> oder <em>HermannStr42_VH</em>).") }}

This would help new "Freifunkas" understand that technically there is no connection between host ID and tunnelname: they don't have to name them the same, but they can.

Track migrations in git

Is there a reason why we do not include the migrations folder in git? Since it contains all the versions and the instructions on how to run the migrations I think we should include it.

Regex doesn't allow numbers but example contains numbers

The regular expression which checks the ID does not allow numbers (https://github.com/freifunk-berlin/ca.berlin.freifunk.net/blob/master/app.py#L47). But the example text contains numbers:

Ein kurzer und eindeutiger Name für deinen Zugang (z.B. funkenpumpe oder hermannstr42_vh). Bitte nur Kleinbuchstaben und Bindestriche verwenden.

The same issue is the underscore in the example, which is not allowed based on the error message displayed:

Must be lowercase and can contain '-'

I'm not sure if the example text is wrong or the regex so I didn't open a pull request yet.

Note on processing time and a short confirmation mail

I think it would make sense to put a note on the page "http://ca.berlin.freifunk.net/" saying how long one should wait before asking or trying again to request access.

1 or 2 weeks would be completely fine if you know that it can take that long.
And you might then also apply a bit earlier if you know that you will have time in three weeks to set up a router.

A confirmation mail would not be bad either. The request is confirmed on the page when successful, but an email can be consulted again later, and it gives you the feeling that something has happened in the background.

This avoids multiple requests out of impatience or uncertainty.
This avoids follow-up questions.

check if key id already exist

We should check if the key id the user enters exists or not. If it already exists we should inform the user with a nice message about the fact.

validate request id

A request id should only contain a fixed amount of characters (I have to check how many), contain only lowercase letters and numbers, and a normal dash (-). We have to write a proper form validator for this.

email needs to be less than 40 bytes

We should check that the email is less than 40 bytes. The most recent run of the processing script stopped with an error: "string is too long, it needs to be less than 40 bytes long"

a function "renew cert" is needed

In some cases it turns out that we need some code for renewing an expired certificate. This also requires some code to check for soon-expiring certs, so that the user can be informed.

Following idea:

  • system daily checks for certificates expiring in the next 30 days and sends a reminder to the user
    • this reminder contains a link for confirmation
  • when the user visits the link a new certificate is created based on the old data provided
    • same cert-subject and email
    • same private-key is used
  • the existing record in the database is updated to the new expiry-date
  • this new cert is sent out without approval, as this was approved on the initial request also
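One way to build the daily check and the confirmation link from the idea above, as an added example that is not code from this repository. The function names, the 30-day token lifetime and the `(cert_id, not_after)` record shape are assumptions; the 30-day reminder window is from the issue. Because the token covers the certificate's current expiry date, it stops verifying once the database record is updated after renewal.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)    # from the issue: "expiring in the next 30 days"
TOKEN_LIFETIME = timedelta(days=30)  # assumption: how long the mailed link stays valid


def expiring_soon(certs, now):
    """certs: iterable of (cert_id, not_after); returns the ids due for a reminder."""
    return [cid for cid, not_after in certs
            if now <= not_after <= now + RENEW_WINDOW]


def _message(cert_id, not_after, deadline):
    # cert_id is assumed to contain only [a-z0-9-], so "|" is an unambiguous separator.
    return f"{cert_id}|{int(not_after.timestamp())}|{deadline}".encode()


def make_token(secret, cert_id, not_after, now):
    """Bind the link to one certificate, its current expiry date and a deadline."""
    deadline = int((now + TOKEN_LIFETIME).timestamp())
    mac = hmac.new(secret, _message(cert_id, not_after, deadline), hashlib.sha256)
    return f"{deadline}.{mac.hexdigest()}"


def verify_token(secret, token, cert_id, not_after, now):
    """True only for an unexpired token issued for this cert and this expiry date."""
    try:
        deadline_s, mac = token.split(".", 1)
        deadline = int(deadline_s)
    except ValueError:
        return False
    if now.timestamp() > deadline:
        return False
    expected = hmac.new(secret, _message(cert_id, not_after, deadline),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(mac.encode(), expected.encode())
```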

Decide how to store state

We need to decide on a way how we want to mark Requests as worked on.

The two main options would be:

  • check if we have a vpn file with this name already
  • store the fact that a certificate was generated in the database

I propose following the second option since that will enable us to do something like for request in Request.query.filter_by(generation_date!=None).all(): Then we would just update the records for which we have generated certificates with the generation_date and not query those again the next time. An alternative would be to just use a boolean to store if the certificate has been generated already but I think we could just as well store the date of the generation for better transparency.

I just added a prompt in the buildcert.py that asks for confirmation before generating each certificate. The question would be what to do when confirmation is not given. Options are:

  • Also set generation_date / boolean but don't generate a certificate
  • Simply skip the Request and be asked again next time
  • Delete it from the database
  • Add another field to the database that says this one was skipped and also filter those out

What do you think? Feedback is much appreciated.
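A sketch of database-backed request state that also covers the hold / reject request from the first issue on this page. It is an added example, not the project's model: it uses the standard-library `sqlite3` module instead of the project's ORM, and the table, column and status names are assumptions. The signing step is a conditional `UPDATE`, so a request that another admin has put on hold cannot be signed.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed schema; table, column and status names are assumptions.
SCHEMA = """
CREATE TABLE request (
    id TEXT PRIMARY KEY,
    status TEXT NOT NULL DEFAULT 'pending'
        CHECK (status IN ('pending', 'on_hold', 'rejected', 'generated')),
    comment TEXT,
    generation_date TEXT
);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def set_status(db, request_id, status, comment=None):
    """Hold, reject or release a request; generated/rejected rows stay final."""
    if status not in ("pending", "on_hold", "rejected"):
        raise ValueError("use claim_for_signing() to mark a request generated")
    cur = db.execute(
        "UPDATE request SET status = ?, comment = ? "
        "WHERE id = ? AND status IN ('pending', 'on_hold')",
        (status, comment, request_id))
    db.commit()
    return cur.rowcount == 1


def claim_for_signing(db, request_id):
    """Atomically mark a request generated; False unless it is still pending."""
    now = datetime.now(timezone.utc).isoformat()
    cur = db.execute(
        "UPDATE request SET status = 'generated', generation_date = ? "
        "WHERE id = ? AND status = 'pending'",
        (now, request_id))
    db.commit()
    return cur.rowcount == 1


def pending_ids(db):
    rows = db.execute("SELECT id FROM request WHERE status = 'pending' ORDER BY id")
    return [row[0] for row in rows]
```

The processing script would build a certificate only after `claim_for_signing()` returns True.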

Add link to source code to introduce community into the development

Goal
When I visit the main page, I would like to see a link to the source code. This allows me to connect better to the developers, propose ideas and get help implementing them.

Proposal
I propose the following sentence:

ca.berlin.freifunk.net wird von der Berliner Freifunk Gemeinschaft auf GitHub entwickelt. Du kannst mithelfen und die Software verbessern.

Hints
To solve this issue, the sentence can be included into the _layout file at the bottom.

move mail functionality into ca code

Currently we call the bash script specified with COMMAND_MAIL to send the certificate to the user. We should integrate this functionality into the CA Python code and create a nicer mail template.

Development instructions error

If I try to run ./manage.py db init or migrate, I get the error message:

FileNotFoundError: [Errno 2] Unable to load configuration file (No such file or directory): '/freifunk/ca.berlin.freifunk.net/instance/config.py'.

But the instance directory is empty, so I think there is something missing in the instructions, or the config.py in the root directory should be moved to the instance directory. Or is my assumption totally wrong?

import script

For our initial import we need a script.

/etc/openvpn/ contains one directory easy-rsa/keys that contains crts, keys and csrs. There is also a clients directory with a tgz file that contains everything you receive via mail from us. The tars and the certs, etc. have a prefix 'freifunk_' followed by the key id.

improve documentation

We need to polish the documentation a bit. We should e.g. explain how an administrator can create a new cert.

check for id regex

It seems like the regex supports e.g. underscores. I'm not sure why. We should double check this!
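A validator matching the rules stated in the issues "validate request id", "Regex doesn't allow numbers but example contains numbers", "check if key id already exist" and "email needs to be less than 40 bytes", as an added example that is not the regex at app.py#L47. `MAX_ID_LEN` and the ban on a leading or trailing hyphen are assumptions (the issues give no length). In general, a pattern built on `\w` admits underscores, and `re.match` with `$` accepts a trailing newline, which is why this sketch uses an explicit character class with `fullmatch`.

```python
import re

# Assumption: the issue leaves the ID length open ("I have to check how many").
MAX_ID_LEN = 32
# From the issue: the e-mail address must be less than 40 bytes.
MAX_EMAIL_BYTES = 40

# Explicit allowlist: lowercase letters, digits and "-" only.
# Assumption: no leading or trailing hyphen, since the ID becomes part of
# file names ("freifunk_" + key id) handled by shell scripts.
ID_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def validate_request_id(value, existing_ids=()):
    """Return a list of error strings; an empty list means the ID is acceptable."""
    if not isinstance(value, str) or not value:
        return ["ID is required"]
    errors = []
    if len(value) > MAX_ID_LEN:
        errors.append("ID is too long")
    # fullmatch anchors both ends, so "abc\n" or "abc/../x" cannot pass.
    if not ID_RE.fullmatch(value):
        errors.append("ID may only contain a-z, 0-9 and '-'")
    if value in existing_ids:
        errors.append("ID already exists")
    return errors


def validate_email_length(email):
    """The limit is in bytes, so measure the UTF-8 encoding, not len(str)."""
    return len(email.encode("utf-8")) < MAX_EMAIL_BYTES
```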
