Merge branch 'Uninett:master' into masteruninett

.dockerignore

@@ -6,6 +6,7 @@
 # We only need a few build tools and the requirements files, that is all
 !tools/**/*
 !requirements.txt
+!constraints.txt
 !tests/requirements.txt
 !doc/requirements.txt
 !requirements/**/*

.github/workflows/build-and-test.yml

@@ -9,7 +9,7 @@ jobs:
     strategy:
       max-parallel: 4
       matrix:
-        python-version: [3.7, 3.8, 3.9]
+        python-version: ["3.7", "3.9", "3.10"]
 
     steps:
       - uses: actions/checkout@v3
@@ -49,7 +49,7 @@ jobs:
       - name: "Install test runner dependencies"
         run: |
           set -xe
-          python -m pip install --upgrade 'pip==23.1.0' setuptools wheel 'tox<4' tox-gh-actions coverage virtualenv snmpsim 'pyasn1<0.5.0'
+          python3 -m pip install --upgrade 'pip==23.1.0' setuptools wheel 'tox<4' tox-gh-actions coverage virtualenv snmpsim 'pyasn1<0.5.0'
           sudo apt-get install -y nbtscan
 
       # virtualenv seems to currently be embedding a broken version of
@@ -80,7 +80,7 @@ jobs:
           export DISPLAY=:99
           ulimit -c unlimited
           sudo sysctl -w kernel.core_pattern=/tmp/core-%e.%p.%h.%t
-          python -m tox
+          python3 -m tox
 
       - name: Upload Selenium driver logs (${{ matrix.python-version }})
         if: always()

.github/workflows/publish-test-results.yml

@@ -11,10 +11,7 @@ jobs:
     name: "Publish test results"
     runs-on: ubuntu-latest
     if: >
-      github.event.workflow_run.conclusion != 'skipped' && (
-        github.event.sender.login == 'dependabot[bot]' ||
-        github.event.workflow_run.head_repository.full_name != github.repository
-      )
+      github.event.workflow_run.conclusion != 'skipped'
 
     steps:
       - name: Download and Extract Artifacts

CHANGELOG.md

@@ -7,6 +7,75 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 This changelog format was introduced in NAV 5.4.0. Older changelogs can be
 found in the [HISTORY](HISTORY) file.
 
+## [Unreleased]
+
+### Added
+
+- Added option to enable secure cookies in new web security section of `webfront.conf` ([#2194](https://github.com/Uninett/nav/issue/2194), [#2815](https://github.com/Uninett/nav/pull/2815))
+- Made `mod_auth_mellon` (SAML) work for logins ([#2740](https://github.com/Uninett/nav/pull/2740))
+  - Also added howto for setting up `mod_auth_mellon` for Feide authentication.
+
+### Fixed
+
+- Cycle session IDs on login/logout to protect against potential session fixation attacks ([#2804](https://github.com/Uninett/nav/issues/2804), [#2813](https://github.com/Uninett/nav/pull/2813), [#2836](https://github.com/Uninett/nav/pull/2836), [#2835](https://github.com/Uninett/nav/pull/2835))
+- Prevent clickjacking attacks on NAV by disallowing putting NAV site in document frames ([#2816](https://github.com/Uninett/nav/pull/2816), [#2817](https://github.com/Uninett/nav/pull/2817))
+
+
+- Various changes needed to move NAV closer to being fully compatible with Python 3.11:
+  - Replaced all uses of `pkg_resources` with `importlib` ([#2791](https://github.com/Uninett/nav/issues/2791), [#2798](https://github.com/Uninett/nav/pull/2798), [#2799](https://github.com/Uninett/nav/pull/2799))
+  - Upgraded Twisted to a version that supports Python 3.11 ([#2792](https://github.com/Uninett/nav/issues/2792), [#2796](https://github.com/Uninett/nav/pull/2796))
+  - Upgraded psycopg to 2.9.9 ([#2793](https://github.com/Uninett/nav/issues/2793), [#2795](https://github.com/Uninett/nav/pull/2795))
+  - Dropped code that was there to support Django's older than 3.2 ([#2823](https://github.com/Uninett/nav/pull/2823))
+  - Upgraded python-ldap from 3.4.0->3.4.4 ([#2830](https://github.com/Uninett/nav/pull/2830))
+  - Enabled running test suite on Python 3.10 by default ([#2838](https://github.com/Uninett/nav/pull/2838))
+  - Stopped running test suite on Python 3.8 by default ([#2851](https://github.com/Uninett/nav/pull/2851))
+  - Fixed invalid/deprecated backslash escapes in MIB dump files, as warned about in newer Python versions ([#2846](https://github.com/Uninett/nav/pull/2846), [#2848](https://github.com/Uninett/nav/pull/2848))
+  - Fixed deprecation warning for Django 4.0 in test suite ([#2844](https://github.com/Uninett/nav/pull/2844))
+  - Removed an adaption to Pythons older than 3.7 ([#2840](https://github.com/Uninett/nav/pull/2840))
+
+- Various cleanups of the test suites:
+  - Remove `FakeSession` redundancy ([#2841](https://github.com/Uninett/nav/issues/2841), [#2842](https://github.com/Uninett/nav/pull/2842))
+  - Fixed activeipcollector `get_timestamp` function implementation and its broken timezone-naive test ([#2831](https://github.com/Uninett/nav/pull/2831))
+  - Fixed broken statemon tests ([#2832](https://github.com/Uninett/nav/pull/2832))
+
+### Changed
+
+- Changed the documentation theme from "Bootstrap" to "Read The Docs", as the Bootstrap theme was no longer being maintained.  This also avoids unnecessary JavaScript libraries in the docs ([#2805](https://github.com/Uninett/nav/issues/2805), [#2825](https://github.com/Uninett/nav/pull/2825), [#2824](https://github.com/Uninett/nav/pull/2824), [#2834](https://github.com/Uninett/nav/issues/2834), [#2837](https://github.com/Uninett/nav/pull/2837), [#2833](https://github.com/Uninett/nav/issues/2833), [#2853](https://github.com/Uninett/nav/pull/2853))
+
+## [5.8.4] - 2023-12-14
+
+### Fixed
+
+- Allow admins to configure ports with invalid or unset native VLANs in PortAdmin ([#2477](https://github.com/Uninett/nav/issues/2477), [#2786](https://github.com/Uninett/nav/pull/2786))
+- Fix bug that caused PoE config to be completely disabled for Cisco devices where at least one port did not support PoE ([#2781](https://github.com/Uninett/nav/pull/2781))
+- Fix PortAdmin save button moving around for ports without PoE support ([#2782](https://github.com/Uninett/nav/pull/2782))
+- Fix PortAdmin bug that prevented switching PoE state back and forth without reloading entire page ([#2785](https://github.com/Uninett/nav/pull/2785))
+- Fix regression that caused maintenance tasks to be un-editable ([#2783](https://github.com/Uninett/nav/issues/2783), [#2784](https://github.com/Uninett/nav/pull/2784))
+
+## [5.8.3] - 2023-12-01
+
+### Fixed
+
+- Fix non-working SNMPv1 communication ([#2772](https://github.com/Uninett/nav/issues/2772), [#2779](https://github.com/Uninett/nav/issues/2779), [#2780](https://github.com/Uninett/nav/pull/2780))
+
+## [5.8.2] - 2023-11-30
+
+### Fixed
+
+- Fix broken "operate as user" function in User and API Administration tool ([#2766](https://github.com/Uninett/nav/issues/2766), [#2777](https://github.com/Uninett/nav/pull/2777))
+- Fix crashing PDU widget ([#2776](https://github.com/Uninett/nav/pull/2776))
+- Fix bug that caused PortAdmin to stop working for Cisco switches ([#2773](https://github.com/Uninett/nav/issues/2773), [#2774](https://github.com/Uninett/nav/pull/2774))
+
+
+## [5.8.1] - 2023-11-29
+
+### Fixed
+
+- Constrain version of 3rd party module `ciscoconfparse`, in order to avoid NAV not working under Python 3.7 ([#2770](https://github.com/Uninett/nav/issues/2770), [#2771](https://github.com/Uninett/nav/pull/2771))
+- Fix ipdevpoll crash error from using SNMP v2c profile example that came with NAV ([#2767](https://github.com/Uninett/nav/issues/2767), [#2768](https://github.com/Uninett/nav/pull/2768))
+- Gracefully handle encoding errors in invalid sysname/IP input in SeedDB IP Device form ([#2764](https://github.com/Uninett/nav/pull/2764))
+- Gracefully handle errors from invalid profiles list input in SeedDB IP Device form ([#2765](https://github.com/Uninett/nav/pull/2765))
+
 ## [5.8.0] - 2023-11-24
 
 ### Added
@@ -26,6 +95,7 @@ found in the [HISTORY](HISTORY) file.
 - Add subcommand to `navuser` command line program for deleting users ([#2705](https://github.com/Uninett/nav/pull/2705))
 - Add toggle in `webfront.conf` for automatic creation of remote users ([#2698](https://github.com/Uninett/nav/issue/2698), [#2707](https://github.com/Uninett/nav/pull/2707))
 - Add proper documentation index page for all howto guides ([#2716](https://github.com/Uninett/nav/pull/2716))
+- Add description to threshold alarms ([#2691](https://github.com/Uninett/nav/issue/2691), [#2709](https://github.com/Uninett/nav/pull/2709))
 
 
 #### Developer-centric additions

Dockerfile

@@ -22,7 +22,7 @@
 # be world-readable!
 #
 #
-FROM debian:bullseye
+FROM --platform=linux/amd64 debian:bullseye
 
 #### Prepare the OS base setup ###
 
@@ -35,7 +35,13 @@ RUN apt-get update && \
             locales \
             python3-dbg gdb \
             sudo python3-dev python3-pip python3-virtualenv build-essential supervisor \
-	    debian-keyring debian-archive-keyring ca-certificates
+	    debian-keyring debian-archive-keyring ca-certificates curl gpg
+
+## Use deb.nodesource.com to fetch more modern versions of Node/NPM than Debian can provide
+RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg && \
+    echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main' > /etc/apt/sources.list.d/nodesource.list && \
+    apt-get update && \
+    apt-get install -y nodejs
 
 ARG TIMEZONE=Europe/Oslo
 ARG LOCALE=en_US.UTF-8
@@ -85,10 +91,11 @@ COPY tools/docker/supervisord.conf /etc/supervisor/conf.d/nav.conf
 
 COPY requirements/ /requirements
 COPY requirements.txt /
+COPY constraints.txt /
 COPY tests/requirements.txt /test-requirements.txt
 COPY doc/requirements.txt /doc-requirements.txt
 # Since we used pip3 to install pip globally, pip should now be for Python 3
-RUN pip-compile --resolver=backtracking --output-file /requirements.txt.lock /requirements.txt /test-requirements.txt /doc-requirements.txt
+RUN pip-compile --resolver=backtracking --output-file /requirements.txt.lock -c /constraints.txt /requirements.txt /test-requirements.txt /doc-requirements.txt
 RUN pip install -r /requirements.txt.lock
 
 ARG CUSTOM_PIP=ipython

NOTES.rst

@@ -8,6 +8,54 @@ existing bug reports, go to https://github.com/uninett/nav/issues .
 To see an overview of upcoming release milestones and the issues they resolve,
 please go to https://github.com/uninett/nav/milestones .
 
+NAV 5.9
+=======
+
+Changed names of NAV command line programs
+------------------------------------------
+NAV has switched to a more canonical way of installing Python command line
+scripts, or "binaries".  This means that all NAV command line programs that
+previously ended with a ``.py`` extension now have been stripped of that
+extension.  Any custom cron jobs or scripts you have that may reference these
+NAV commands must be updated in order to continue working.
+
+It also means that you need to make sure your :file:`daemons.yml` configuration
+file is up-to-date after an upgrade, as well as the NAV cronjob snippets in the
+:file:`cron.d/` configuration directory.
+
+These commands are affected and no longer have a ``.py`` extension:
+
+* ``alertengine``
+* ``autoenable``
+* ``collect_active_ip``
+* ``emailreports``
+* ``logengine``
+* ``macwatch``
+* ``mailin``
+* ``maintengine``
+* ``netbiostracker``
+* ``pping``
+* ``radiusparser``
+* ``servicemon``
+* ``smsd``
+* ``snmptrapd``
+* ``sortedstats_cacher``
+* ``start_arnold``
+* ``t1000``
+
+Web security
+------------
+
+While it is only relevant for older browsers, the HTTP header
+``X-XSS-Protection`` is set to ``1; mode=block``. It does not affect browsers
+that do not support it after all.
+
+There's a new section in :file:`webfront/webfront.conf`, ``[security]``. When
+running in production with SSL/TLS turned on, there's a new flag ``needs_tls``
+that should also be toggled on. This'll turn on secure cookies (only sent over
+SSL/TLS). See also the new howto
+:doc:`Securing NAV in production </howto/securing-nav-in-production>`.
+
 NAV 5.8
 =======
 
@@ -46,7 +94,7 @@ Various vendors use the concept of "community indexing" to fetch multiple
 logical instances of MIBs.  Examples include Cisco switches, where multiple
 instances of the ``BRIDGE-MIB`` are kept, one for each active VLAN.  To access
 the switch forwarding tables of VLAN 12 with an SNMP community of ``public``,
-the community must be modified to ``public@20``.
+the community must be modified to ``public@12``.
 
 Another common example is devices that allow SNMP management of individual VRF
 instances by modifying the SNMP community.
@@ -546,7 +594,7 @@ Daemon startup privileges
 
 By accident, some of NAV's daemons have been running as the privileged ``root``
 user since NAV 4.9.0, due to changes in the process control system.  NAV 5.0.4
-introduces the :option:`privileged` option in the :file:`daemons.yml` configuration
+introduces the ``privileged`` option in the :file:`daemons.yml` configuration
 file, to signal which daemons actually need to be started with root privileges.
 
 Only :program:`snmptrapd` and :program:`pping` need root privileges on startup,
@@ -557,7 +605,7 @@ Please ensure your :file:`daemon.yml` configuration file is updated. Also, be
 aware that after upgrading to NAV 5.0.4 from any version from 4.9.0 and up, you
 may have some NAV log files that are owned by ``root``, which will cause some
 of the daemons to fail on startup. Please ensure all NAV log files are writable
-for the user defined as :option:`NAV_USER` in :file:`nav.conf`.
+for the user defined as ``NAV_USER`` in :file:`nav.conf`.
 
 
 New features

constraints.txt

@@ -0,0 +1,3 @@
+# ciscoconfparse 1.8 has a bug that prevents it from being imported on Python 3.7,
+# even though it claims compatibility with 3.7.
+ciscoconfparse<1.8.0 ; python_version < '3.8'

doc/_static/custom.css

@@ -1,19 +1,41 @@
 /* Custom css for the Sphinx theme in NAV */
 
-a { color: #1f74ad; }
-a:hover, a:focus { color: #1f74ad; }
-.alert a, .alert .alert-link { color: #1f74ad; }
-
+a,
+a:hover,
+a:focus,
+a:visited,
+.alert a,
+.alert .alert-link {
+    color: #1f74ad;
+}
+
+.wy-menu a:visited,
+.wy-menu-vertical a:visited,
+.wy-menu a:hover,
+.wy-menu-vertical a:hover {
+    color: #d9d9d9;
+}
+
+/* Show the logo on mobile exactly like on big screen */
+.wy-nav-top > a img.logo {
+    display: block;
+    margin: 0 auto;
+    height: auto;
+    width: auto;
+    border-radius: 0;
+    max-width: 100%;
+    background: transparent;
+}
 
 img {
     margin-bottom: 1em;
 }
 
 footer {
     margin-top: 2em;
+    color: #575757;
 }
 
-
 /* When people creates documentation they usually end up with a big honking list
 of h3's. This makes it very hard to separate the different sections, and adding
 this border helps a lot with that. That and I always wanted to make a css style
@@ -22,26 +44,19 @@ h3 {
     border-bottom: 1px solid lightpink;
 }
 
-/* Override the red color and background for code elements */
-code {
-    color: #2C3E50;
-    background-color: #ECF0F1;
-}
-
-
 /* Contrast for pre elements was to small. */
 pre {
-    color: #2C3E50;
+    color: #2c3e50;
+    background: #ecf0f1;
 }
 
-
 /* The following overrides the admonition colors. They all pass the WCAG 2.0
 level AA test for contrast */
 
 /* This covers the admonitions 'note', 'attention', 'hint', 'important' and 'tip' */
 .alert-info {
     color: #2a617d;
-    background-color: #D9EDF7;
+    background-color: #d9edf7;
 }
 
 /* This covers the admonitions 'warning' and 'caution' */
@@ -53,46 +68,9 @@ level AA test for contrast */
 /* This covers the admonitions 'alert' and 'danger' */
 .alert-danger {
     color: #a73a00;
-    background-color: #F2DEDE;
-}
-
-
-/* Definition list */
-dl {
-    overflow: auto;
-}
-
-dt {
-    clear: left;
-    float: left;
-    text-align: right;
-    width: 14rem;
-}
-
-dt:after {
-    content: ':'
-}
-
-dd {
-    margin-top: 0;
-    margin-left: 15rem;
-}
-
-/* Autogenerated classes use definition lists. Override for them */
-.class dt {
-    clear: none;
-    float: none;
-    text-align: initial;
-    width: auto;
-}
-
-.class dd {
-    margin-left: auto;
+    background-color: #f2dede;
 }
 
-.class dt:after { content: initial; }
-
-
 /* Highlight versionadded more */
 p.versionadded {
     background-color: lightsteelblue;
@@ -102,7 +80,7 @@ p.versionadded {
 }
 
 .guilabel {
-    background-color: #ECF0F1;
+    background-color: #ecf0f1;
     padding: 2px 4px;
     font-size: 90%;
     border-radius: 3px;