Release 1.4.0

current implementation just adds package name with the description which
is incorrect

.gitignore

@@ -94,5 +94,3 @@ ENV/
 .venv/
 
 *.tar.xz
-
-man/

Makefile

@@ -1,4 +1,4 @@
-.PHONY: architecture archive archive_directory archlinux check clean directory push tests version
+.PHONY: architecture archive archive_directory archlinux check clean directory man push tests version
 .DEFAULT_GOAL := archlinux
 
 PROJECT := ahriman
@@ -39,12 +39,15 @@ clean:
 directory: clean
 	mkdir "$(PROJECT)"
 
+man:
+	cd src &&  PYTHONPATH=. argparse-manpage --module ahriman.application.ahriman --function _parser --author "ahriman team" --project-name ahriman --author-email "" --url https://github.com/arcan1s/ahriman --output ../docs/ahriman.1
+
 mypy:
 	cd src && mypy --implicit-reexport --strict -p "$(PROJECT)" --install-types --non-interactive || true
 	cd src && mypy --implicit-reexport --strict -p "$(PROJECT)"
 
-push: archlinux
-	git add package/archlinux/PKGBUILD src/ahriman/version.py
+push: architecture man archlinux
+	git add package/archlinux/PKGBUILD src/ahriman/version.py docs/ahriman-architecture.svg docs/ahriman.1
 	git commit -m "Release $(VERSION)"
 	git tag "$(VERSION)"
 	git push

docs/ahriman.1

@@ -0,0 +1,401 @@
+.TH ahriman "1" Manual
+.SH NAME
+ahriman
+.SH SYNOPSIS
+.B ahriman
+[-h] [-a ARCHITECTURE] [-c CONFIGURATION] [--force] [-l LOCK] [--no-log] [--no-report] [--unsafe] [-v] {add,check,clean,config,init,key-import,rebuild,remove,remove-unknown,report,search,setup,sign,status,status-update,sync,update,user,web} ...
+.SH DESCRIPTION
+ArcH Linux ReposItory MANager
+.SH OPTIONS
+
+.TP
+\fB\-a\fR \fI\,ARCHITECTURE\/\fR, \fB\-\-architecture\fR \fI\,ARCHITECTURE\/\fR
+target architectures (can be used multiple times)
+
+.TP
+\fB\-c\fR \fI\,CONFIGURATION\/\fR, \fB\-\-configuration\fR \fI\,CONFIGURATION\/\fR
+configuration path
+
+.TP
+\fB\-\-force\fR
+force run, remove file lock
+
+.TP
+\fB\-l\fR \fI\,LOCK\/\fR, \fB\-\-lock\fR \fI\,LOCK\/\fR
+lock file
+
+.TP
+\fB\-\-no\-log\fR
+redirect all log messages to stderr
+
+.TP
+\fB\-\-no\-report\fR
+force disable reporting to web service
+
+.TP
+\fB\-\-unsafe\fR
+allow to run ahriman as non\-ahriman user
+
+.TP
+\fB\-v\fR, \fB\-\-version\fR
+show program's version number and exit
+
+.SS
+\fBSub-commands\fR
+.TP
+\fBahriman\fR \fI\,add\/\fR
+add package
+.TP
+\fBahriman\fR \fI\,check\/\fR
+check for updates
+.TP
+\fBahriman\fR \fI\,clean\/\fR
+clean local caches
+.TP
+\fBahriman\fR \fI\,config\/\fR
+dump configuration
+.TP
+\fBahriman\fR \fI\,init\/\fR
+create repository tree
+.TP
+\fBahriman\fR \fI\,key-import\/\fR
+import PGP key
+.TP
+\fBahriman\fR \fI\,rebuild\/\fR
+rebuild repository
+.TP
+\fBahriman\fR \fI\,remove\/\fR
+remove package
+.TP
+\fBahriman\fR \fI\,remove-unknown\/\fR
+remove unknown packages
+.TP
+\fBahriman\fR \fI\,report\/\fR
+generate report
+.TP
+\fBahriman\fR \fI\,search\/\fR
+search for package
+.TP
+\fBahriman\fR \fI\,setup\/\fR
+initial service configuration
+.TP
+\fBahriman\fR \fI\,sign\/\fR
+sign packages
+.TP
+\fBahriman\fR \fI\,status\/\fR
+get package status
+.TP
+\fBahriman\fR \fI\,status-update\/\fR
+update package status
+.TP
+\fBahriman\fR \fI\,sync\/\fR
+sync repository
+.TP
+\fBahriman\fR \fI\,update\/\fR
+update packages
+.TP
+\fBahriman\fR \fI\,user\/\fR
+manage users for web services
+.TP
+\fBahriman\fR \fI\,web\/\fR
+start web server
+.SH OPTIONS 'ahriman add'
+usage: ahriman add [-h] [--now] [--source {PackageSource.Auto,PackageSource.Archive,PackageSource.Directory,PackageSource.AUR}] [--without-dependencies] package [package ...]
+
+add package
+
+.TP
+\fBpackage\fR
+package base/name or archive path
+
+.TP
+\fB\-\-now\fR
+run update function after
+
+.TP
+\fB\-\-source\fR {PackageSource.Auto,PackageSource.Archive,PackageSource.Directory,PackageSource.AUR}
+package source
+
+.TP
+\fB\-\-without\-dependencies\fR
+do not add dependencies
+
+.SH OPTIONS 'ahriman check'
+usage: ahriman check [-h] [--no-vcs] [package ...]
+
+check for updates. Same as update \-\-dry\-run \-\-no\-manual
+
+.TP
+\fBpackage\fR
+filter check by package base
+
+.TP
+\fB\-\-no\-vcs\fR
+do not check VCS packages
+
+.SH OPTIONS 'ahriman clean'
+usage: ahriman clean [-h] [--no-build] [--no-cache] [--no-chroot] [--no-manual] [--no-packages]
+
+clear local caches
+
+
+.TP
+\fB\-\-no\-build\fR
+do not clear directory with package sources
+
+.TP
+\fB\-\-no\-cache\fR
+do not clear directory with package caches
+
+.TP
+\fB\-\-no\-chroot\fR
+do not clear build chroot
+
+.TP
+\fB\-\-no\-manual\fR
+do not clear directory with manually added packages
+
+.TP
+\fB\-\-no\-packages\fR
+do not clear directory with built packages
+
+.SH OPTIONS 'ahriman config'
+usage: ahriman config [-h]
+
+dump configuration for specified architecture
+
+
+
+.SH OPTIONS 'ahriman init'
+usage: ahriman init [-h]
+
+create empty repository tree. Optional command for auto architecture support
+
+
+
+.SH OPTIONS 'ahriman key-import'
+usage: ahriman key-import [-h] [--key-server KEY_SERVER] key
+
+import PGP key from public sources to repository user
+
+.TP
+\fBkey\fR
+PGP key to import from public server
+
+.TP
+\fB\-\-key\-server\fR \fI\,KEY_SERVER\/\fR
+key server for key import
+
+.SH OPTIONS 'ahriman rebuild'
+usage: ahriman rebuild [-h] [--depends-on DEPENDS_ON]
+
+rebuild whole repository
+
+
+.TP
+\fB\-\-depends\-on\fR \fI\,DEPENDS_ON\/\fR
+only rebuild packages that depend on specified package
+
+.SH OPTIONS 'ahriman remove'
+usage: ahriman remove [-h] package [package ...]
+
+remove package
+
+.TP
+\fBpackage\fR
+package name or base
+
+
+.SH OPTIONS 'ahriman remove-unknown'
+usage: ahriman remove-unknown [-h] [--dry-run]
+
+remove packages which are missing in AUR
+
+
+.TP
+\fB\-\-dry\-run\fR
+just perform check for packages without removal
+
+.SH OPTIONS 'ahriman report'
+usage: ahriman report [-h] [target ...]
+
+generate report
+
+.TP
+\fBtarget\fR
+target to generate report
+
+
+.SH OPTIONS 'ahriman search'
+usage: ahriman search [-h] search [search ...]
+
+search for package in AUR using API
+
+.TP
+\fBsearch\fR
+search terms, can be specified multiple times
+
+
+.SH OPTIONS 'ahriman setup'
+usage: ahriman setup [-h] [--build-command BUILD_COMMAND] [--from-configuration FROM_CONFIGURATION] [--no-multilib] --packager PACKAGER --repository REPOSITORY [--sign-key SIGN_KEY]
+                     [--sign-target {SignSettings.Packages,SignSettings.Repository}] [--web-port WEB_PORT]
+
+create initial service configuration, requires root
+
+
+.TP
+\fB\-\-build\-command\fR \fI\,BUILD_COMMAND\/\fR
+build command prefix
+
+.TP
+\fB\-\-from\-configuration\fR \fI\,FROM_CONFIGURATION\/\fR
+path to default devtools pacman configuration
+
+.TP
+\fB\-\-no\-multilib\fR
+do not add multilib repository
+
+.TP
+\fB\-\-packager\fR \fI\,PACKAGER\/\fR
+packager name and email
+
+.TP
+\fB\-\-repository\fR \fI\,REPOSITORY\/\fR
+repository name
+
+.TP
+\fB\-\-sign\-key\fR \fI\,SIGN_KEY\/\fR
+sign key id
+
+.TP
+\fB\-\-sign\-target\fR {SignSettings.Packages,SignSettings.Repository}
+sign options
+
+.TP
+\fB\-\-web\-port\fR \fI\,WEB_PORT\/\fR
+port of the web service
+
+.SH OPTIONS 'ahriman sign'
+usage: ahriman sign [-h] [package ...]
+
+(re\-)sign packages and repository database
+
+.TP
+\fBpackage\fR
+sign only specified packages
+
+
+.SH OPTIONS 'ahriman status'
+usage: ahriman status [-h] [--ahriman] [--status {BuildStatusEnum.Unknown,BuildStatusEnum.Pending,BuildStatusEnum.Building,BuildStatusEnum.Failed,BuildStatusEnum.Success}] [package ...]
+
+request status of the package
+
+.TP
+\fBpackage\fR
+filter status by package base
+
+.TP
+\fB\-\-ahriman\fR
+get service status itself
+
+.TP
+\fB\-\-status\fR {BuildStatusEnum.Unknown,BuildStatusEnum.Pending,BuildStatusEnum.Building,BuildStatusEnum.Failed,BuildStatusEnum.Success}
+filter packages by status
+
+.SH OPTIONS 'ahriman status-update'
+usage: ahriman status-update [-h] [--status {BuildStatusEnum.Unknown,BuildStatusEnum.Pending,BuildStatusEnum.Building,BuildStatusEnum.Failed,BuildStatusEnum.Success}] [--remove] [package ...]
+
+request status of the package
+
+.TP
+\fBpackage\fR
+set status for specified packages. If no packages supplied, service status will be updated
+
+.TP
+\fB\-\-status\fR {BuildStatusEnum.Unknown,BuildStatusEnum.Pending,BuildStatusEnum.Building,BuildStatusEnum.Failed,BuildStatusEnum.Success}
+new status
+
+.TP
+\fB\-\-remove\fR
+remove package status page
+
+.SH OPTIONS 'ahriman sync'
+usage: ahriman sync [-h] [target ...]
+
+sync packages to remote server
+
+.TP
+\fBtarget\fR
+target to sync
+
+
+.SH OPTIONS 'ahriman update'
+usage: ahriman update [-h] [--dry-run] [--no-aur] [--no-manual] [--no-vcs] [package ...]
+
+run updates
+
+.TP
+\fBpackage\fR
+filter check by package base
+
+.TP
+\fB\-\-dry\-run\fR
+just perform check for updates, same as check command
+
+.TP
+\fB\-\-no\-aur\fR
+do not check for AUR updates. Implies \-\-no\-vcs
+
+.TP
+\fB\-\-no\-manual\fR
+do not include manual updates
+
+.TP
+\fB\-\-no\-vcs\fR
+do not check VCS packages
+
+.SH OPTIONS 'ahriman user'
+usage: ahriman user [-h] [--as-service] [-a {UserAccess.Safe,UserAccess.Read,UserAccess.Write}] [--no-reload] [-p PASSWORD] [-r] [--secure] username
+
+manage users for web services with password and role. In case if password was not entered it will be asked interactively
+
+.TP
+\fBusername\fR
+username for web service
+
+.TP
+\fB\-\-as\-service\fR
+add user as service user
+
+.TP
+\fB\-a\fR {UserAccess.Safe,UserAccess.Read,UserAccess.Write}, \fB\-\-access\fR {UserAccess.Safe,UserAccess.Read,UserAccess.Write}
+user access level
+
+.TP
+\fB\-\-no\-reload\fR
+do not reload authentication module
+
+.TP
+\fB\-p\fR \fI\,PASSWORD\/\fR, \fB\-\-password\fR \fI\,PASSWORD\/\fR
+user password
+
+.TP
+\fB\-r\fR, \fB\-\-remove\fR
+remove user from configuration
+
+.TP
+\fB\-\-secure\fR
+set file permissions to user\-only
+
+.SH OPTIONS 'ahriman web'
+usage: ahriman web [-h]
+
+start web server
+
+.SH AUTHORS
+.B ahriman
+was written by ahriman team <>.
+.SH DISTRIBUTION
+The latest version of ahriman may be downloaded from
+.UR https://github.com/arcan1s/ahriman
+.UE

docs/architecture.md

@@ -148,6 +148,7 @@ Some features require optional dependencies to be installed:
 Web application requires the following python packages to be installed:
 
 * Core part requires `aiohttp` (application itself), `aiohttp_jinja2` and `Jinja2` (HTML generation from templates).
+* In addition, `aiohttp_debugtoolbar` is required for debug panel. Please note that this option does not work together with authorization and basically must not be used in production.
 * In addition, authorization feature requires `aiohttp_security`, `aiohttp_session` and `cryptography`.
 * In addition to base authorization dependencies, OAuth2 also requires `aioauth-client` library.
 
@@ -173,9 +174,9 @@ Package provides base jinja templates which can be overridden by settings. Vanil
 
 ## Requests and scopes
 
-Service provides optional authorization which can be turned on in settings. In order to control user access there are two levels of authorization - read-only (only GET-like requests) and write (anything).
+Service provides optional authorization which can be turned on in settings. In order to control user access there are two levels of authorization - read-only (only GET-like requests) and write (anything) which are provided by each web view directly.
 
-If this feature is configured any request except for whitelisted will be prohibited without authentication. In addition, configuration flag `auth.allow_read_only` can be used in order to allow seeing main page without authorization (this page is in default white list).
+If this feature is configured any request will be prohibited without authentication. In addition, configuration flag `auth.safe_build_status` can be used in order to allow seeing main page without authorization.
 
 For authenticated users it uses encrypted session cookies to store tokens; encryption key is generated each time at the start of the application. It also stores expiration time of the session inside.
 

docs/configuration.md

@@ -23,14 +23,12 @@ libalpm and AUR related configuration.
 Base authorization settings. `OAuth` provider requires `aioauth-client` library to be installed.
 
 * `target` - specifies authorization provider, string, optional, default `disabled`. Allowed values are `disabled`, `configuration`, `oauth`.
-* `allow_read_only` - allow requesting read only pages without authorization, boolean, required.
-* `allowed_paths` - URI paths (exact match) which can be accessed without authorization, space separated list of strings, optional.
-* `allowed_paths_groups` - URI paths prefixes which can be accessed without authorization, space separated list of strings, optional.
 * `client_id` - OAuth2 application client ID, string, required in case if `oauth` is used.
 * `client_secret` - OAuth2 application client secret key, string, required in case if `oauth` is used.
 * `max_age` - parameter which controls both cookie expiration and token expiration inside the service, integer, optional, default is 7 days.
 * `oauth_provider` - OAuth2 provider class name as is in `aioauth-client` (e.g. `GoogleClient`, `GithubClient` etc), string, required in case if `oauth` is used.
 * `oauth_scopes` - scopes list for OAuth2 provider, which will allow retrieving user email (which is used for checking user permissions), e.g. `https://www.googleapis.com/auth/userinfo.email` for `GoogleClient` or `user:email` for `GithubClient`, space separated list of strings, required in case if `oauth` is used.
+* `safe_build_status` - allow requesting status page without authorization, boolean, required.
 * `salt` - password hash salt, string, required in case if authorization enabled (automatically generated by `create-user` subcommand).
 
 ## `auth:*` groups
@@ -127,7 +125,11 @@ Group name must refer to architecture, e.g. it should be `s3:x86_64` for x86_64
 Web server settings. If any of `host`/`port` is not set, web integration will be disabled. Group name must refer to architecture, e.g. it should be `web:x86_64` for x86_64 architecture.
 
 * `address` - optional address in form `proto://host:port` (`port` can be omitted in case of default `proto` ports), will be used instead of `http://{host}:{port}` in case if set, string, optional. This option is required in case if `OAuth` provider is used.
+* `debug` - enable debug toolbar, boolean, optional, default `no`.
+* `debug_check_host` - check hosts to access debug toolbar, boolean, optional, default `no`.
+* `debug_allowed_hosts` - allowed hosts to get access to debug toolbar, space separated list of string, optional.
 * `host` - host to bind, string, optional.
+* `index_url` - full url of the repository index page, string, optional.
 * `password` - password to authorize in web service in order to update service status, string, required in case if authorization enabled.  
 * `port` - port to bind, int, optional.
 * `static_path` - path to directory with static files, string, required.

package/archlinux/PKGBUILD

@@ -1,7 +1,7 @@
 # Maintainer: Evgeniy Alekseev
 
 pkgname='ahriman'
-pkgver=1.3.0
+pkgver=1.4.0
 pkgrel=1
 pkgdesc="ArcH Linux ReposItory MANager"
 arch=('any')
@@ -15,6 +15,7 @@ optdepends=('breezy: -bzr packages support'
             'mercurial: -hg packages support'
             'python-aioauth-client: web server with OAuth2 authorization'
             'python-aiohttp: web server'
+            'python-aiohttp-debugtoolbar: web server with enabled debug panel'
             'python-aiohttp-jinja2: web server'
             'python-aiohttp-security: web server with authorization'
             'python-aiohttp-session: web server with authorization'

package/etc/ahriman.ini

@@ -10,10 +10,10 @@ root = /
 
 [auth]
 target = disabled
-allow_read_only = yes
 max_age = 604800
 oauth_provider = GoogleClient
 oauth_scopes = https://www.googleapis.com/auth/userinfo.email
+safe_build_status = yes
 
 [build]
 archbuild_flags =
@@ -51,6 +51,9 @@ command = rsync --archive --compress --partial --delete
 chunk_size = 8388608
 
 [web]
+debug = no
+debug_check_host = no
+debug_allowed_hosts =
 host = 127.0.0.1
 static_path = /usr/share/ahriman/static
 templates = /usr/share/ahriman

package/share/ahriman/build-status.jinja2

@@ -100,6 +100,12 @@
                     <li><a class="nav-link" href="https://github.com/arcan1s/ahriman/issues" title="issues tracker">report a bug</a></li>
                 </ul>
 
+                {% if index_url is not none %}
+                    <ul class="nav">
+                        <li><a class="nav-link" href="{{ index_url }}" title="repo index">repo index</a></li>
+                    </ul>
+                {% endif %}
+
                 {% if auth.enabled %}
                     {% if auth.username is none %}
                         {{ auth.control|safe }}

package/share/ahriman/build-status/package-actions-modals.jinja2

@@ -16,6 +16,7 @@
             </div>
             <div class="modal-footer">
                 <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
+                <button type="button" class="btn btn-success" data-bs-dismiss="modal" onclick="requestPackages()">Request</button>
                 <button type="button" class="btn btn-primary" data-bs-dismiss="modal" onclick="addPackages()">Add</button>
             </div>
         </div>

package/share/ahriman/build-status/package-actions-script.jinja2

@@ -34,7 +34,8 @@
                 success: function (resp) {
                     const $options = resp.map(function (pkg) {
                         const $option = document.createElement("option");
-                        $option.value = `${pkg.package} (${pkg.description})`;
+                        $option.value = pkg.package;
+                        $option.innerText = `${pkg.package} (${pkg.description})`;
                         return $option;
                     });
                     $knownPackages.empty().append($options);
@@ -79,6 +80,11 @@
         doPackageAction("/service-api/v1/add", $packages);
     }
 
+    function requestPackages() {
+        const $packages = [$package.val()]
+        doPackageAction("/service-api/v1/request", $packages);
+    }
+
     function removePackages() { doPackageAction("/service-api/v1/remove", getSelection()); }
 
     function updatePackages() { doPackageAction("/service-api/v1/add", getSelection()); }

setup.py

@@ -81,6 +81,9 @@ setup(
             "package/share/ahriman/utils/bootstrap-scripts.jinja2",
             "package/share/ahriman/utils/style.jinja2",
         ]),
+        ("share/man/man1", [
+            "docs/ahriman.1",
+        ])
     ],
 
     extras_require={
@@ -107,6 +110,7 @@ setup(
             "aiohttp",
             "aiohttp_jinja2",
             "aioauth-client",
+            "aiohttp_debugtoolbar",
             "aiohttp_session",
             "aiohttp_security",
             "cryptography",

src/ahriman/application/ahriman.py

@@ -26,6 +26,7 @@ from pathlib import Path
 from ahriman import version
 from ahriman.application import handlers
 from ahriman.models.build_status import BuildStatusEnum
+from ahriman.models.package_source import PackageSource
 from ahriman.models.sign_settings import SignSettings
 from ahriman.models.user_access import UserAccess
 
@@ -91,6 +92,8 @@ def _set_add_parser(root: SubParserAction) -> argparse.ArgumentParser:
                              formatter_class=argparse.ArgumentDefaultsHelpFormatter)
     parser.add_argument("package", help="package base/name or archive path", nargs="+")
     parser.add_argument("--now", help="run update function after", action="store_true")
+    parser.add_argument("--source", help="package source", choices=PackageSource, type=PackageSource,
+                        default=PackageSource.Auto)
     parser.add_argument("--without-dependencies", help="do not add dependencies", action="store_true")
     parser.set_defaults(handler=handlers.Add, architecture=[])
     return parser
@@ -357,6 +360,7 @@ def _set_user_parser(root: SubParserAction) -> argparse.ArgumentParser:
     parser.add_argument("--no-reload", help="do not reload authentication module", action="store_true")
     parser.add_argument("-p", "--password", help="user password")
     parser.add_argument("-r", "--remove", help="remove user from configuration", action="store_true")
+    parser.add_argument("--secure", help="set file permissions to user-only", action="store_true")
     parser.set_defaults(handler=handlers.User, architecture=[""], lock=None, no_log=True, no_report=True, unsafe=True)
     return parser
 

src/ahriman/application/application.py

@@ -29,6 +29,7 @@ from ahriman.core.repository.repository import Repository
 from ahriman.core.tree import Tree
 from ahriman.core.util import package_like
 from ahriman.models.package import Package
+from ahriman.models.package_source import PackageSource
 
 
 class Application:
@@ -96,10 +97,11 @@ class Application:
 
         return updates
 
-    def add(self, names: Iterable[str], without_dependencies: bool) -> None:
+    def add(self, names: Iterable[str], source: PackageSource, without_dependencies: bool) -> None:
         """
         add packages for the next build
         :param names: list of package bases to add
+        :param source: package source to add
         :param without_dependencies: if set, dependency check will be disabled
         """
         known_packages = self._known_packages()
@@ -122,14 +124,14 @@ class Application:
             if without_dependencies:
                 return
             dependencies = Package.dependencies(path)
-            self.add(dependencies.difference(known_packages), without_dependencies)
+            self.add(dependencies.difference(known_packages), PackageSource.AUR, without_dependencies)
 
         def process_single(src: str) -> None:
-            maybe_path = Path(src)
-            if maybe_path.is_dir():
-                add_directory(maybe_path)
-            elif maybe_path.is_file():
-                add_archive(maybe_path)
+            resolved_source = source.resolve(src)
+            if resolved_source == PackageSource.Directory:
+                add_directory(Path(src))
+            elif resolved_source == PackageSource.Archive:
+                add_archive(Path(src))
             else:
                 path = add_manual(src)
                 process_dependencies(path)

src/ahriman/application/handlers/add.py

@@ -42,7 +42,7 @@ class Add(Handler):
         :param no_report: force disable reporting
         """
         application = Application(architecture, configuration, no_report)
-        application.add(args.package, args.without_dependencies)
+        application.add(args.package, args.source, args.without_dependencies)
         if not args.now:
             return
 

src/ahriman/application/handlers/user.py

@@ -52,7 +52,7 @@ class User(Handler):
         User.clear_user(auth_configuration, user)
         if not args.remove:
             User.create_configuration(auth_configuration, user, salt, args.as_service)
-        User.write_configuration(auth_configuration)
+        User.write_configuration(auth_configuration, args.secure)
 
         if not args.no_reload:
             client = Application(architecture, configuration, no_report=False).repository.reporter
@@ -127,13 +127,15 @@ class User(Handler):
         return MUser.generate_password(salt_length)
 
     @staticmethod
-    def write_configuration(configuration: Configuration) -> None:
+    def write_configuration(configuration: Configuration, secure: bool) -> None:
         """
         write configuration file
         :param configuration: configuration instance
+        :param secure: if true then set file permissions to 0o600
         """
         if configuration.path is None:
             return  # should never happen actually
         with configuration.path.open("w") as ahriman_configuration:
             configuration.write(ahriman_configuration)
-        configuration.path.chmod(0o600)
+        if secure:
+            configuration.path.chmod(0o600)

src/ahriman/core/auth/auth.py

@@ -33,16 +33,11 @@ from ahriman.models.user_access import UserAccess
 class Auth:
     """
     helper to deal with user authorization
-    :ivar allowed_paths: URI paths which can be accessed without authorization
-    :ivar allowed_paths_groups: URI paths prefixes which can be accessed without authorization
     :ivar enabled: indicates if authorization is enabled
-    :cvar ALLOWED_PATHS: URI paths which can be accessed without authorization, predefined
-    :cvar ALLOWED_PATHS_GROUPS: URI paths prefixes which can be accessed without authorization, predefined
+    :ivar max_age: session age in seconds. It will be used for both client side and server side checks
+    :ivar safe_build_status: allow read only access to the index page
     """
 
-    ALLOWED_PATHS = {"/", "/index.html"}
-    ALLOWED_PATHS_GROUPS = {"/static", "/user-api"}
-
     def __init__(self, configuration: Configuration, provider: AuthSettings = AuthSettings.Disabled) -> None:
         """
         default constructor
@@ -51,11 +46,8 @@ class Auth:
         """
         self.logger = logging.getLogger("http")
 
-        self.allow_read_only = configuration.getboolean("auth", "allow_read_only")
-        self.allowed_paths = set(configuration.getlist("auth", "allowed_paths", fallback=[]))
-        self.allowed_paths.update(self.ALLOWED_PATHS)
-        self.allowed_paths_groups = set(configuration.getlist("auth", "allowed_paths_groups", fallback=[]))
-        self.allowed_paths_groups.update(self.ALLOWED_PATHS_GROUPS)
+        self.safe_build_status = configuration.getboolean("auth", "safe_build_status")
+
         self.enabled = provider.is_enabled
         self.max_age = configuration.getint("auth", "max_age", fallback=7 * 24 * 3600)
 
@@ -115,19 +107,6 @@ class Auth:
         del username, password
         return True
 
-    async def is_safe_request(self, uri: Optional[str], required: UserAccess) -> bool:
-        """
-        check if requested path are allowed without authorization
-        :param uri: request uri
-        :param required: required access level
-        :return: True in case if this URI can be requested without authorization and False otherwise
-        """
-        if required == UserAccess.Read and self.allow_read_only:
-            return True  # in case if read right requested and allowed in options
-        if not uri:
-            return False  # request without context is not allowed
-        return uri in self.allowed_paths or any(uri.startswith(path) for path in self.allowed_paths_groups)
-
     async def known_username(self, username: Optional[str]) -> bool:  # pylint: disable=no-self-use
         """
         check if user is known

src/ahriman/core/spawn.py

@@ -28,6 +28,7 @@ from threading import Lock, Thread
 from typing import Callable, Dict, Iterable, Tuple
 
 from ahriman.core.configuration import Configuration
+from ahriman.models.package_source import PackageSource
 
 
 class Spawn(Thread):
@@ -79,7 +80,9 @@ class Spawn(Thread):
         :param packages: packages list to add
         :param now: build packages now
         """
-        kwargs = {"now": ""} if now else {}
+        kwargs = {"source": PackageSource.AUR.value}  # avoid abusing by building non-aur packages
+        if now:
+            kwargs["now"] = ""
         self.spawn_process("add", *packages, **kwargs)
 
     def packages_remove(self, packages: Iterable[str]) -> None:

src/ahriman/models/package_source.py

@@ -0,0 +1,55 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from __future__ import annotations
+
+from enum import Enum
+from pathlib import Path
+
+from ahriman.core.util import package_like
+
+
+class PackageSource(Enum):
+    """
+    package source for addition enumeration
+    :cvar Auto: automatically determine type of the source
+    :cvar Archive: source is a package archive
+    :cvar Directory: source is a directory which contains packages
+    :cvar AUR: source is an AUR package for which it should search
+    """
+
+    Auto = "auto"
+    Archive = "archive"
+    Directory = "directory"
+    AUR = "aur"
+
+    def resolve(self, source: str) -> PackageSource:
+        """
+        resolve auto into the correct type
+        :param source: source of the package
+        :return: non-auto type of the package source
+        """
+        if self != PackageSource.Auto:
+            return self
+        maybe_path = Path(source)
+        if maybe_path.is_dir():
+            return PackageSource.Directory
+        if maybe_path.is_file() and package_like(maybe_path):
+            return PackageSource.Archive
+        return PackageSource.AUR

src/ahriman/models/user_access.py

@@ -23,9 +23,11 @@ from enum import Enum
 class UserAccess(Enum):
     """
     web user access enumeration
-    :cvar Read: user can read status page
+    :cvar Safe: user can access the page without authorization, should not be user for user configuration
+    :cvar Read: user can read the page
     :cvar Write: user can modify task and package list
     """
 
+    Safe = "safe"
     Read = "read"
     Write = "write"

src/ahriman/version.py

@@ -17,4 +17,4 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-__version__ = "1.3.0"
+__version__ = "1.4.0"

src/ahriman/web/middlewares/auth_handler.py

@@ -19,10 +19,12 @@
 #
 import aiohttp_security  # type: ignore
 import base64
+import types
 
 from aiohttp import web
 from aiohttp.web import middleware, Request
 from aiohttp.web_response import StreamResponse
+from aiohttp.web_urldispatcher import StaticResource
 from aiohttp_session import setup as setup_session  # type: ignore
 from aiohttp_session.cookie_storage import EncryptedCookieStorage  # type: ignore
 from cryptography import fernet
@@ -72,20 +74,22 @@ class AuthorizationPolicy(aiohttp_security.AbstractAuthorizationPolicy):  # type
         return await self.validator.verify_access(user.username, permission, context)
 
 
-def auth_handler(validator: Auth) -> MiddlewareType:
+def auth_handler() -> MiddlewareType:
     """
     authorization and authentication middleware
-    :param validator: authorization module instance
     :return: built middleware
     """
     @middleware
     async def handle(request: Request, handler: HandlerType) -> StreamResponse:
-        if request.method in ("GET", "HEAD", "OPTIONS"):
-            permission = UserAccess.Read
+        permission_method = getattr(handler, "get_permission", None)
+        if permission_method is not None:
+            permission = await permission_method(request)
+        elif isinstance(handler, types.MethodType):  # additional wrapper for static resources
+            handler_instance = getattr(handler, "__self__", None)
+            permission = UserAccess.Safe if isinstance(handler_instance, StaticResource) else UserAccess.Write
         else:
             permission = UserAccess.Write
-
-        if not await validator.is_safe_request(request.path, permission):
+        if permission != UserAccess.Safe:
             await aiohttp_security.check_permission(request, permission, request.path)
 
         return await handler(request)
@@ -109,6 +113,6 @@ def setup_auth(application: web.Application, validator: Auth) -> web.Application
     identity_policy = aiohttp_security.SessionIdentityPolicy()
 
     aiohttp_security.setup(application, identity_policy, authorization_policy)
-    application.middlewares.append(auth_handler(validator))
+    application.middlewares.append(auth_handler())
 
     return application

src/ahriman/web/routes.py

@@ -24,6 +24,7 @@ from ahriman.web.views.index import IndexView
 from ahriman.web.views.service.add import AddView
 from ahriman.web.views.service.reload_auth import ReloadAuthView
 from ahriman.web.views.service.remove import RemoveView
+from ahriman.web.views.service.request import RequestView
 from ahriman.web.views.service.search import SearchView
 from ahriman.web.views.status.ahriman import AhrimanView
 from ahriman.web.views.status.package import PackageView
@@ -48,6 +49,8 @@ def setup_routes(application: Application, static_path: Path) -> None:
 
         POST /service-api/v1/remove            remove existing package from repository
 
+        POST /service-api/v1/request           request to add new packages to repository
+
         GET /service-api/v1/search             search for substring in AUR
 
         POST /service-api/v1/update            update packages in repository, actually it is just alias for add
@@ -82,6 +85,8 @@ def setup_routes(application: Application, static_path: Path) -> None:
 
     application.router.add_post("/service-api/v1/remove", RemoveView)
 
+    application.router.add_post("/service-api/v1/request", RequestView)
+
     application.router.add_get("/service-api/v1/search", SearchView, allow_head=False)
 
     application.router.add_post("/service-api/v1/update", AddView)

src/ahriman/web/views/base.py

@@ -17,13 +17,16 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-from aiohttp.web import View
-from typing import Any, Dict, List, Optional
+from __future__ import annotations
+
+from aiohttp.web import Request, View
+from typing import Any, Dict, List, Optional, Type
 
 from ahriman.core.auth.auth import Auth
 from ahriman.core.configuration import Configuration
 from ahriman.core.spawn import Spawn
 from ahriman.core.status.watcher import Watcher
+from ahriman.models.user_access import UserAccess
 
 
 class BaseView(View):
@@ -63,6 +66,16 @@ class BaseView(View):
         validator: Auth = self.request.app["validator"]
         return validator
 
+    @classmethod
+    async def get_permission(cls: Type[BaseView], request: Request) -> UserAccess:
+        """
+        retrieve user permission from the request
+        :param request: request object
+        :return: extracted permission
+        """
+        permission: UserAccess = getattr(cls, f"{request.method.upper()}_PERMISSION", UserAccess.Write)
+        return permission
+
     async def extract_data(self, list_keys: Optional[List[str]] = None) -> Dict[str, Any]:
         """
         extract json data from either json or form data

src/ahriman/web/views/index.py

@@ -24,12 +24,15 @@ from typing import Any, Dict
 from ahriman import version
 from ahriman.core.auth.helpers import authorized_userid
 from ahriman.core.util import pretty_datetime
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class IndexView(BaseView):
     """
     root view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
 
     It uses jinja2 templates for report generation, the following variables are allowed:
 
@@ -39,6 +42,7 @@ class IndexView(BaseView):
                    * control - HTML to insert for login control, HTML string, required
                    * enabled - whether authorization is enabled by configuration or not, boolean, required
                    * username - authenticated username if any, string, null means not authenticated
+        index_url - url to the repository index, string, optional
         packages - sorted list of packages properties, required
                    * base, string
                    * depends, sorted list of strings
@@ -58,6 +62,8 @@ class IndexView(BaseView):
         version - ahriman version, string, required
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Safe
+
     @aiohttp_jinja2.template("build-status.jinja2")
     async def get(self) -> Dict[str, Any]:
         """
@@ -87,8 +93,9 @@ class IndexView(BaseView):
 
         # auth block
         auth_username = await authorized_userid(self.request)
+        authenticated = not self.validator.enabled or self.validator.safe_build_status or auth_username is not None
         auth = {
-            "authenticated": not self.validator.enabled or self.validator.allow_read_only or auth_username is not None,
+            "authenticated": authenticated,
             "control": self.validator.auth_control,
             "enabled": self.validator.enabled,
             "username": auth_username,
@@ -97,6 +104,7 @@ class IndexView(BaseView):
         return {
             "architecture": self.service.architecture,
             "auth": auth,
+            "index_url": self.configuration.get("web", "index_url", fallback=None),
             "packages": packages,
             "repository": self.service.repository.name,
             "service": service,

src/ahriman/web/views/service/add.py

@@ -19,22 +19,25 @@
 #
 from aiohttp.web import HTTPFound, Response, json_response
 
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class AddView(BaseView):
     """
     add package web view
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    POST_PERMISSION = UserAccess.Write
+
     async def post(self) -> Response:
         """
         add new package
 
         JSON body must be supplied, the following model is used:
         {
-            "packages": "ahriman",   # either list of packages or package name as in AUR
-            "build_now": true       # optional flag which runs build
+            "packages": "ahriman"   # either list of packages or package name as in AUR
         }
 
         :return: redirect to main page on success
@@ -42,11 +45,10 @@ class AddView(BaseView):
         data = await self.extract_data(["packages"])
 
         try:
-            now = data.get("build_now", True)
             packages = data["packages"]
         except Exception as e:
             return json_response(data=str(e), status=400)
 
-        self.spawner.packages_add(packages, now)
+        self.spawner.packages_add(packages, now=True)
 
-        return HTTPFound("/")
+        raise HTTPFound("/")

src/ahriman/web/views/service/reload_auth.py

@@ -17,18 +17,21 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-from aiohttp.web import Response
-from aiohttp.web_exceptions import HTTPNoContent
+from aiohttp.web import HTTPNoContent, Response
 
 from ahriman.core.auth.auth import Auth
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class ReloadAuthView(BaseView):
     """
     reload authentication module web view
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    POST_PERMISSION = UserAccess.Write
+
     async def post(self) -> Response:
         """
         reload authentication module. No parameters supported here
@@ -45,4 +48,4 @@ class ReloadAuthView(BaseView):
             self.request.app.logger.warning("could not update authentication module validator", exc_info=True)
             raise
 
-        return HTTPNoContent()
+        raise HTTPNoContent()

src/ahriman/web/views/service/remove.py

@@ -19,14 +19,18 @@
 #
 from aiohttp.web import HTTPFound, Response, json_response
 
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class RemoveView(BaseView):
     """
     remove package web view
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    POST_PERMISSION = UserAccess.Write
+
     async def post(self) -> Response:
         """
         remove existing packages
@@ -47,4 +51,4 @@ class RemoveView(BaseView):
 
         self.spawner.packages_remove(packages)
 
-        return HTTPFound("/")
+        raise HTTPFound("/")

src/ahriman/web/views/service/request.py

@@ -0,0 +1,54 @@
+#
+# Copyright (c) 2021 ahriman team.
+#
+# This file is part of ahriman
+# (see https://github.com/arcan1s/ahriman).
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+from aiohttp.web import HTTPFound, Response, json_response
+
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.base import BaseView
+
+
+class RequestView(BaseView):
+    """
+    request package web view. It is actually the same as AddView, but without now
+    :cvar POST_PERMISSION: post permissions of self
+    """
+
+    POST_PERMISSION = UserAccess.Read
+
+    async def post(self) -> Response:
+        """
+        request to add new package
+
+        JSON body must be supplied, the following model is used:
+        {
+            "packages": "ahriman"   # either list of packages or package name as in AUR
+        }
+
+        :return: redirect to main page on success
+        """
+        data = await self.extract_data(["packages"])
+
+        try:
+            packages = data["packages"]
+        except Exception as e:
+            return json_response(data=str(e), status=400)
+
+        self.spawner.packages_add(packages, now=False)
+
+        raise HTTPFound("/")

src/ahriman/web/views/service/search.py

@@ -22,14 +22,19 @@ import aur  # type: ignore
 from aiohttp.web import Response, json_response
 from typing import Callable, Iterator
 
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class SearchView(BaseView):
     """
     AUR search web view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+
     async def get(self) -> Response:
         """
         search packages in AUR

src/ahriman/web/views/status/ahriman.py

@@ -20,14 +20,21 @@
 from aiohttp.web import HTTPNoContent, Response, json_response
 
 from ahriman.models.build_status import BuildStatusEnum
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class AhrimanView(BaseView):
     """
     service status web view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+    POST_PERMISSION = UserAccess.Write
+
     async def get(self) -> Response:
         """
         get current service status
@@ -55,4 +62,4 @@ class AhrimanView(BaseView):
 
         self.service.update_self(status)
 
-        return HTTPNoContent()
+        raise HTTPNoContent()

src/ahriman/web/views/status/package.py

@@ -22,14 +22,22 @@ from aiohttp.web import HTTPNoContent, HTTPNotFound, Response, json_response
 from ahriman.core.exceptions import UnknownPackage
 from ahriman.models.build_status import BuildStatusEnum
 from ahriman.models.package import Package
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class PackageView(BaseView):
     """
     package base specific web view
+    :cvar DELETE_PERMISSION: delete permissions of self
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    DELETE_PERMISSION = POST_PERMISSION = UserAccess.Write
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+
     async def get(self) -> Response:
         """
         get current package base status
@@ -58,7 +66,7 @@ class PackageView(BaseView):
         base = self.request.match_info["package"]
         self.service.remove(base)
 
-        return HTTPNoContent()
+        raise HTTPNoContent()
 
     async def post(self) -> Response:
         """
@@ -87,4 +95,4 @@ class PackageView(BaseView):
         except UnknownPackage:
             return json_response(data=f"Package {base} is unknown, but no package body set", status=400)
 
-        return HTTPNoContent()
+        raise HTTPNoContent()

src/ahriman/web/views/status/packages.py

@@ -19,14 +19,21 @@
 #
 from aiohttp.web import HTTPNoContent, Response, json_response
 
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class PackagesView(BaseView):
     """
     global watcher view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+    POST_PERMISSION = UserAccess.Write
+
     async def get(self) -> Response:
         """
         get current packages status
@@ -47,4 +54,4 @@ class PackagesView(BaseView):
         """
         self.service.load()
 
-        return HTTPNoContent()
+        raise HTTPNoContent()

src/ahriman/web/views/status/status.py

@@ -22,14 +22,19 @@ from aiohttp.web import Response, json_response
 from ahriman import version
 from ahriman.models.counters import Counters
 from ahriman.models.internal_status import InternalStatus
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class StatusView(BaseView):
     """
     web service status web view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar HEAD_PERMISSION: head permissions of self
     """
 
+    GET_PERMISSION = HEAD_PERMISSION = UserAccess.Read
+
     async def get(self) -> Response:
         """
         get current service status

src/ahriman/web/views/user/login.py

@@ -20,6 +20,7 @@
 from aiohttp.web import HTTPFound, HTTPMethodNotAllowed, HTTPUnauthorized, Response
 
 from ahriman.core.auth.helpers import remember
+from ahriman.models.user_access import UserAccess
 from ahriman.models.user_identity import UserIdentity
 from ahriman.web.views.base import BaseView
 
@@ -27,8 +28,12 @@ from ahriman.web.views.base import BaseView
 class LoginView(BaseView):
     """
     login endpoint view
+    :cvar GET_PERMISSION: get permissions of self
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    GET_PERMISSION = POST_PERMISSION = UserAccess.Safe
+
     async def get(self) -> Response:
         """
         OAuth2 response handler
@@ -46,7 +51,7 @@ class LoginView(BaseView):
             raise HTTPMethodNotAllowed(self.request.method, ["POST"])
 
         if not code:
-            return HTTPFound(oauth_provider.get_oauth_url())
+            raise HTTPFound(oauth_provider.get_oauth_url())
 
         response = HTTPFound("/")
         username = await oauth_provider.get_oauth_username(code)

src/ahriman/web/views/user/logout.py

@@ -20,14 +20,18 @@
 from aiohttp.web import HTTPFound, Response
 
 from ahriman.core.auth.helpers import check_authorized, forget
+from ahriman.models.user_access import UserAccess
 from ahriman.web.views.base import BaseView
 
 
 class LogoutView(BaseView):
     """
     logout endpoint view
+    :cvar POST_PERMISSION: post permissions of self
     """
 
+    POST_PERMISSION = UserAccess.Safe
+
     async def post(self) -> Response:
         """
         logout user from the service. No parameters supported here

src/ahriman/web/web.py

@@ -99,6 +99,14 @@ def setup_service(architecture: str, configuration: Configuration, spawner: Spaw
     application.logger.info("setup process spawner")
     application["spawn"] = spawner
 
+    application.logger.info("setup debug panel")
+    debug_enabled = configuration.getboolean("web", "debug", fallback=False)
+    if debug_enabled:
+        import aiohttp_debugtoolbar  # type: ignore
+        aiohttp_debugtoolbar.setup(application,
+                                   hosts=configuration.getlist("web", "debug_allowed_hosts", fallback=[]),
+                                   check_host=configuration.getboolean("web", "debug_check_host", fallback=False))
+
     application.logger.info("setup authorization")
     validator = application["validator"] = Auth.load(configuration)
     if validator.enabled:

tests/ahriman/application/handlers/test_handler_add.py

@@ -4,6 +4,7 @@ from pytest_mock import MockerFixture
 
 from ahriman.application.handlers import Add
 from ahriman.core.configuration import Configuration
+from ahriman.models.package_source import PackageSource
 
 
 def _default_args(args: argparse.Namespace) -> argparse.Namespace:
@@ -14,6 +15,7 @@ def _default_args(args: argparse.Namespace) -> argparse.Namespace:
     """
     args.package = []
     args.now = False
+    args.source = PackageSource.Auto
     args.without_dependencies = False
     return args
 

tests/ahriman/application/handlers/test_handler_user.py

@@ -22,6 +22,7 @@ def _default_args(args: argparse.Namespace) -> argparse.Namespace:
     args.access = UserAccess.Read
     args.as_service = False
     args.no_reload = False
+    args.secure = False
     args.remove = False
     return args
 
@@ -227,11 +228,23 @@ def test_write_configuration(configuration: Configuration, mocker: MockerFixture
     write_mock = mocker.patch("ahriman.core.configuration.Configuration.write")
     chmod_mock = mocker.patch("pathlib.Path.chmod")
 
-    User.write_configuration(configuration)
+    User.write_configuration(configuration, secure=True)
     write_mock.assert_called_once()
     chmod_mock.assert_called_once()
 
 
+def test_write_configuration_insecure(configuration: Configuration, mocker: MockerFixture) -> None:
+    """
+    must write configuration without setting file permissions
+    """
+    mocker.patch("pathlib.Path.open")
+    mocker.patch("ahriman.core.configuration.Configuration.write")
+    chmod_mock = mocker.patch("pathlib.Path.chmod")
+
+    User.write_configuration(configuration, secure=False)
+    chmod_mock.assert_not_called()
+
+
 def test_write_configuration_not_loaded(configuration: Configuration, mocker: MockerFixture) -> None:
     """
     must do nothing in case if configuration is not loaded
@@ -241,6 +254,6 @@ def test_write_configuration_not_loaded(configuration: Configuration, mocker: Mo
     write_mock = mocker.patch("ahriman.core.configuration.Configuration.write")
     chmod_mock = mocker.patch("pathlib.Path.chmod")
 
-    User.write_configuration(configuration)
+    User.write_configuration(configuration, secure=True)
     write_mock.assert_not_called()
     chmod_mock.assert_not_called()

tests/ahriman/application/test_application.py

@@ -6,6 +6,7 @@ from unittest import mock
 from ahriman.application.application import Application
 from ahriman.core.tree import Leaf, Tree
 from ahriman.models.package import Package
+from ahriman.models.package_source import PackageSource
 
 
 def test_finalize(application: Application, mocker: MockerFixture) -> None:
@@ -108,12 +109,11 @@ def test_add_directory(application: Application, package_ahriman: Package, mocke
     must add packages from directory
     """
     mocker.patch("ahriman.application.application.Application._known_packages", return_value=set())
-    mocker.patch("pathlib.Path.is_dir", return_value=True)
     iterdir_mock = mocker.patch("pathlib.Path.iterdir",
                                 return_value=[package.filepath for package in package_ahriman.packages.values()])
     move_mock = mocker.patch("shutil.move")
 
-    application.add([package_ahriman.base], False)
+    application.add([package_ahriman.base], PackageSource.Directory, False)
     iterdir_mock.assert_called_once()
     move_mock.assert_called_once()
 
@@ -126,7 +126,7 @@ def test_add_manual(application: Application, package_ahriman: Package, mocker:
     mocker.patch("ahriman.models.package.Package.load", return_value=package_ahriman)
     fetch_mock = mocker.patch("ahriman.core.build_tools.task.Task.fetch")
 
-    application.add([package_ahriman.base], True)
+    application.add([package_ahriman.base], PackageSource.AUR, True)
     fetch_mock.assert_called_once()
 
 
@@ -140,7 +140,7 @@ def test_add_manual_with_dependencies(application: Application, package_ahriman:
     mocker.patch("ahriman.core.build_tools.task.Task.fetch")
     dependencies_mock = mocker.patch("ahriman.models.package.Package.dependencies")
 
-    application.add([package_ahriman.base], False)
+    application.add([package_ahriman.base], PackageSource.AUR, False)
     dependencies_mock.assert_called_once()
 
 
@@ -149,10 +149,9 @@ def test_add_package(application: Application, package_ahriman: Package, mocker:
     must add package from archive
     """
     mocker.patch("ahriman.application.application.Application._known_packages", return_value=set())
-    mocker.patch("pathlib.Path.is_file", return_value=True)
     move_mock = mocker.patch("shutil.move")
 
-    application.add([package_ahriman.base], False)
+    application.add([package_ahriman.base], PackageSource.Archive, False)
     move_mock.assert_called_once()
 
 

tests/ahriman/core/auth/test_auth.py

@@ -109,40 +109,6 @@ async def test_check_credentials(auth: Auth, user: User) -> None:
     assert await auth.check_credentials(None, None)
 
 
-async def test_is_safe_request(auth: Auth) -> None:
-    """
-    must validate safe request
-    """
-    # login and logout are always safe
-    assert await auth.is_safe_request("/user-api/v1/login", UserAccess.Write)
-    assert await auth.is_safe_request("/user-api/v1/logout", UserAccess.Write)
-
-    auth.allowed_paths.add("/safe")
-    auth.allowed_paths_groups.add("/unsafe/safe")
-
-    assert await auth.is_safe_request("/safe", UserAccess.Write)
-    assert not await auth.is_safe_request("/unsafe", UserAccess.Write)
-    assert await auth.is_safe_request("/unsafe/safe", UserAccess.Write)
-    assert await auth.is_safe_request("/unsafe/safe/suffix", UserAccess.Write)
-
-
-async def test_is_safe_request_empty(auth: Auth) -> None:
-    """
-    must not allow requests without path
-    """
-    assert not await auth.is_safe_request(None, UserAccess.Read)
-    assert not await auth.is_safe_request("", UserAccess.Read)
-
-
-async def test_is_safe_request_read_only(auth: Auth) -> None:
-    """
-    must allow read-only requests if it is set in settings
-    """
-    assert await auth.is_safe_request("/", UserAccess.Read)
-    auth.allow_read_only = True
-    assert await auth.is_safe_request("/unsafe", UserAccess.Read)
-
-
 async def test_known_username(auth: Auth, user: User) -> None:
     """
     must allow any username

tests/ahriman/core/test_spawn.py

@@ -42,7 +42,7 @@ def test_packages_add(spawner: Spawn, mocker: MockerFixture) -> None:
     """
     spawn_mock = mocker.patch("ahriman.core.spawn.Spawn.spawn_process")
     spawner.packages_add(["ahriman", "linux"], now=False)
-    spawn_mock.assert_called_with("add", "ahriman", "linux")
+    spawn_mock.assert_called_with("add", "ahriman", "linux", source="aur")
 
 
 def test_packages_add_with_build(spawner: Spawn, mocker: MockerFixture) -> None:
@@ -51,7 +51,7 @@ def test_packages_add_with_build(spawner: Spawn, mocker: MockerFixture) -> None:
     """
     spawn_mock = mocker.patch("ahriman.core.spawn.Spawn.spawn_process")
     spawner.packages_add(["ahriman", "linux"], now=True)
-    spawn_mock.assert_called_with("add", "ahriman", "linux", now="")
+    spawn_mock.assert_called_with("add", "ahriman", "linux", source="aur", now="")
 
 
 def test_packages_remove(spawner: Spawn, mocker: MockerFixture) -> None:

tests/ahriman/models/test_package_source.py

@@ -0,0 +1,47 @@
+from pytest_mock import MockerFixture
+
+from ahriman.models.package_source import PackageSource
+
+
+def test_resolve_non_auto() -> None:
+    """
+    must resolve non auto type to itself
+    """
+    for source in filter(lambda src: src != PackageSource.Auto, PackageSource):
+        assert source.resolve("") == source
+
+
+def test_resolve_archive(mocker: MockerFixture) -> None:
+    """
+    must resolve auto type into the archive
+    """
+    mocker.patch("pathlib.Path.is_dir", return_value=False)
+    mocker.patch("pathlib.Path.is_file", return_value=True)
+    assert PackageSource.Auto.resolve("linux-5.14.2.arch1-2-x86_64.pkg.tar.zst") == PackageSource.Archive
+
+
+def test_resolve_directory(mocker: MockerFixture) -> None:
+    """
+    must resolve auto type into the directory
+    """
+    mocker.patch("pathlib.Path.is_dir", return_value=True)
+    mocker.patch("pathlib.Path.is_file", return_value=False)
+    assert PackageSource.Auto.resolve("path") == PackageSource.Directory
+
+
+def test_resolve_aur(mocker: MockerFixture) -> None:
+    """
+    must resolve auto type into the AUR package
+    """
+    mocker.patch("pathlib.Path.is_dir", return_value=False)
+    mocker.patch("pathlib.Path.is_file", return_value=False)
+    assert PackageSource.Auto.resolve("package") == PackageSource.AUR
+
+
+def test_resolve_aur_not_package_like(mocker: MockerFixture) -> None:
+    """
+    must resolve auto type into the AUR package if it is file, but does not look like a package archive
+    """
+    mocker.patch("pathlib.Path.is_dir", return_value=False)
+    mocker.patch("pathlib.Path.is_file", return_value=True)
+    assert PackageSource.Auto.resolve("package") == PackageSource.AUR

tests/ahriman/web/conftest.py

@@ -64,3 +64,20 @@ def application_with_auth(configuration: Configuration, user: User, spawner: Spa
     application["validator"]._users[generated.username] = generated
 
     return application
+
+
+@pytest.fixture
+def application_with_debug(configuration: Configuration, user: User, spawner: Spawn,
+                           mocker: MockerFixture) -> web.Application:
+    """
+    application fixture with debug enabled
+    :param configuration: configuration fixture
+    :param user: user descriptor fixture
+    :param spawner: spawner fixture
+    :param mocker: mocker object
+    :return: application test instance
+    """
+    configuration.set_option("web", "debug", "yes")
+    mocker.patch.object(ahriman.core.auth.helpers, "_has_aiohttp_security", False)
+    mocker.patch("pathlib.Path.mkdir")
+    return setup_service("x86_64", configuration, spawner)

tests/ahriman/web/middlewares/test_auth_handler.py

@@ -43,60 +43,74 @@ async def test_permits(authorization_policy: AuthorizationPolicy, user: User) ->
     assert not await authorization_policy.permits(user.username, user.access, "/endpoint")
 
 
-async def test_auth_handler_api(auth: Auth, mocker: MockerFixture) -> None:
+async def test_auth_handler_api(mocker: MockerFixture) -> None:
     """
     must ask for status permission for api calls
     """
     aiohttp_request = pytest.helpers.request("", "/status-api", "GET")
     request_handler = AsyncMock()
-    mocker.patch("ahriman.core.auth.auth.Auth.is_safe_request", return_value=False)
+    request_handler.get_permission.return_value = UserAccess.Read
     check_permission_mock = mocker.patch("aiohttp_security.check_permission")
 
-    handler = auth_handler(auth)
+    handler = auth_handler()
     await handler(aiohttp_request, request_handler)
     check_permission_mock.assert_called_with(aiohttp_request, UserAccess.Read, aiohttp_request.path)
 
 
-async def test_auth_handler_api_post(auth: Auth, mocker: MockerFixture) -> None:
+async def test_auth_handler_api_no_method(mocker: MockerFixture) -> None:
+    """
+    must ask for write permission if handler does not have get_permission method
+    """
+    aiohttp_request = pytest.helpers.request("", "/status-api", "GET")
+    request_handler = AsyncMock()
+    request_handler.get_permission = None
+    check_permission_mock = mocker.patch("aiohttp_security.check_permission")
+
+    handler = auth_handler()
+    await handler(aiohttp_request, request_handler)
+    check_permission_mock.assert_called_with(aiohttp_request, UserAccess.Write, aiohttp_request.path)
+
+
+async def test_auth_handler_api_post(mocker: MockerFixture) -> None:
     """
     must ask for status permission for api calls with POST
     """
     aiohttp_request = pytest.helpers.request("", "/status-api", "POST")
     request_handler = AsyncMock()
-    mocker.patch("ahriman.core.auth.auth.Auth.is_safe_request", return_value=False)
+    request_handler.get_permission.return_value = UserAccess.Write
     check_permission_mock = mocker.patch("aiohttp_security.check_permission")
 
-    handler = auth_handler(auth)
+    handler = auth_handler()
     await handler(aiohttp_request, request_handler)
     check_permission_mock.assert_called_with(aiohttp_request, UserAccess.Write, aiohttp_request.path)
 
 
-async def test_auth_handler_read(auth: Auth, mocker: MockerFixture) -> None:
+async def test_auth_handler_read(mocker: MockerFixture) -> None:
     """
     must ask for read permission for api calls with GET
     """
     for method in ("GET", "HEAD", "OPTIONS"):
         aiohttp_request = pytest.helpers.request("", "", method)
         request_handler = AsyncMock()
-        mocker.patch("ahriman.core.auth.auth.Auth.is_safe_request", return_value=False)
+        request_handler.get_permission.return_value = UserAccess.Read
         check_permission_mock = mocker.patch("aiohttp_security.check_permission")
 
-        handler = auth_handler(auth)
+        handler = auth_handler()
         await handler(aiohttp_request, request_handler)
         check_permission_mock.assert_called_with(aiohttp_request, UserAccess.Read, aiohttp_request.path)
 
 
-async def test_auth_handler_write(auth: Auth, mocker: MockerFixture) -> None:
+async def test_auth_handler_write(mocker: MockerFixture) -> None:
     """
     must ask for read permission for api calls with POST
     """
     for method in ("CONNECT", "DELETE", "PATCH", "POST", "PUT", "TRACE"):
         aiohttp_request = pytest.helpers.request("", "", method)
         request_handler = AsyncMock()
-        mocker.patch("ahriman.core.auth.auth.Auth.is_safe_request", return_value=False)
+        request_handler.get_permission.return_value = UserAccess.Write
         check_permission_mock = mocker.patch("aiohttp_security.check_permission")
 
-        handler = auth_handler(auth)
+        handler = auth_handler()
         await handler(aiohttp_request, request_handler)
         check_permission_mock.assert_called_with(aiohttp_request, UserAccess.Write, aiohttp_request.path)
 

tests/ahriman/web/test_web.py

@@ -45,7 +45,7 @@ def test_run(application: web.Application, mocker: MockerFixture) -> None:
 
 def test_run_with_auth(application_with_auth: web.Application, mocker: MockerFixture) -> None:
     """
-    must run application
+    must run application with enabled authorization
     """
     port = 8080
     application_with_auth["configuration"].set_option("web", "port", str(port))
@@ -54,3 +54,16 @@ def test_run_with_auth(application_with_auth: web.Application, mocker: MockerFix
     run_server(application_with_auth)
     run_application_mock.assert_called_with(application_with_auth, host="127.0.0.1", port=port,
                                             handle_signals=False, access_log=pytest.helpers.anyvar(int))
+
+
+def test_run_with_debug(application_with_debug: web.Application, mocker: MockerFixture) -> None:
+    """
+    must run application with enabled debug panel
+    """
+    port = 8080
+    application_with_debug["configuration"].set_option("web", "port", str(port))
+    run_application_mock = mocker.patch("aiohttp.web.run_app")
+
+    run_server(application_with_debug)
+    run_application_mock.assert_called_with(application_with_debug, host="127.0.0.1", port=port,
+                                            handle_signals=False, access_log=pytest.helpers.anyvar(int))

tests/ahriman/web/views/service/test_views_service_add.py

@@ -1,6 +1,20 @@
+import pytest
+
 from aiohttp.test_utils import TestClient
 from pytest_mock import MockerFixture
 
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.service.add import AddView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("POST",):
+        request = pytest.helpers.request("", "", method)
+        assert await AddView.get_permission(request) == UserAccess.Write
+
 
 async def test_post(client: TestClient, mocker: MockerFixture) -> None:
     """
@@ -10,18 +24,7 @@ async def test_post(client: TestClient, mocker: MockerFixture) -> None:
     response = await client.post("/service-api/v1/add", json={"packages": ["ahriman"]})
 
     assert response.ok
-    add_mock.assert_called_with(["ahriman"], True)
-
-
-async def test_post_now(client: TestClient, mocker: MockerFixture) -> None:
-    """
-    must call post and run build
-    """
-    add_mock = mocker.patch("ahriman.core.spawn.Spawn.packages_add")
-    response = await client.post("/service-api/v1/add", json={"packages": ["ahriman"], "build_now": False})
-
-    assert response.ok
-    add_mock.assert_called_with(["ahriman"], False)
+    add_mock.assert_called_with(["ahriman"], now=True)
 
 
 async def test_post_exception(client: TestClient, mocker: MockerFixture) -> None:
@@ -43,4 +46,4 @@ async def test_post_update(client: TestClient, mocker: MockerFixture) -> None:
     response = await client.post("/service-api/v1/update", json={"packages": ["ahriman"]})
 
     assert response.ok
-    add_mock.assert_called_with(["ahriman"], True)
+    add_mock.assert_called_with(["ahriman"], now=True)

tests/ahriman/web/views/service/test_views_service_reload_auth.py

@@ -1,6 +1,20 @@
+import pytest
+
 from aiohttp.test_utils import TestClient
 from pytest_mock import MockerFixture
 
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.service.reload_auth import ReloadAuthView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("POST",):
+        request = pytest.helpers.request("", "", method)
+        assert await ReloadAuthView.get_permission(request) == UserAccess.Write
+
 
 async def test_post(client_with_auth: TestClient, mocker: MockerFixture) -> None:
     """

tests/ahriman/web/views/service/test_views_service_remove.py

@@ -1,6 +1,20 @@
+import pytest
+
 from aiohttp.test_utils import TestClient
 from pytest_mock import MockerFixture
 
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.service.remove import RemoveView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("POST",):
+        request = pytest.helpers.request("", "", method)
+        assert await RemoveView.get_permission(request) == UserAccess.Write
+
 
 async def test_post(client: TestClient, mocker: MockerFixture) -> None:
     """

tests/ahriman/web/views/service/test_views_service_request.py

@@ -0,0 +1,38 @@
+import pytest
+
+from aiohttp.test_utils import TestClient
+from pytest_mock import MockerFixture
+
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.service.request import RequestView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("POST",):
+        request = pytest.helpers.request("", "", method)
+        assert await RequestView.get_permission(request) == UserAccess.Read
+
+
+async def test_post(client: TestClient, mocker: MockerFixture) -> None:
+    """
+    must call post request correctly
+    """
+    add_mock = mocker.patch("ahriman.core.spawn.Spawn.packages_add")
+    response = await client.post("/service-api/v1/request", json={"packages": ["ahriman"]})
+
+    assert response.ok
+    add_mock.assert_called_with(["ahriman"], now=False)
+
+
+async def test_post_exception(client: TestClient, mocker: MockerFixture) -> None:
+    """
+    must raise exception on missing packages payload
+    """
+    add_mock = mocker.patch("ahriman.core.spawn.Spawn.packages_add")
+    response = await client.post("/service-api/v1/request")
+
+    assert response.status == 400
+    add_mock.assert_not_called()

tests/ahriman/web/views/service/test_views_service_search.py

@@ -1,8 +1,21 @@
 import aur
+import pytest
 
 from aiohttp.test_utils import TestClient
 from pytest_mock import MockerFixture
 
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.service.search import SearchView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("GET", "HEAD"):
+        request = pytest.helpers.request("", "", method)
+        assert await SearchView.get_permission(request) == UserAccess.Read
+
 
 async def test_get(client: TestClient, aur_package_ahriman: aur.Package, mocker: MockerFixture) -> None:
     """

tests/ahriman/web/views/status/test_views_status_ahriman.py

@@ -1,7 +1,23 @@
+import pytest
+
 from aiohttp.test_utils import TestClient
 from pytest_mock import MockerFixture
 
 from ahriman.models.build_status import BuildStatus, BuildStatusEnum
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.status.ahriman import AhrimanView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("GET", "HEAD"):
+        request = pytest.helpers.request("", "", method)
+        assert await AhrimanView.get_permission(request) == UserAccess.Read
+    for method in ("POST",):
+        request = pytest.helpers.request("", "", method)
+        assert await AhrimanView.get_permission(request) == UserAccess.Write
 
 
 async def test_get(client: TestClient) -> None:

tests/ahriman/web/views/status/test_views_status_package.py

@@ -1,7 +1,23 @@
+import pytest
+
 from pytest_aiohttp import TestClient
 
 from ahriman.models.build_status import BuildStatus, BuildStatusEnum
 from ahriman.models.package import Package
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.status.package import PackageView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("GET", "HEAD"):
+        request = pytest.helpers.request("", "", method)
+        assert await PackageView.get_permission(request) == UserAccess.Read
+    for method in ("DELETE", "POST"):
+        request = pytest.helpers.request("", "", method)
+        assert await PackageView.get_permission(request) == UserAccess.Write
 
 
 async def test_get(client: TestClient, package_ahriman: Package, package_python_schedule: Package) -> None:

tests/ahriman/web/views/status/test_views_status_packages.py

@@ -1,8 +1,24 @@
+import pytest
+
 from pytest_aiohttp import TestClient
 from pytest_mock import MockerFixture
 
 from ahriman.models.build_status import BuildStatusEnum
 from ahriman.models.package import Package
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.status.packages import PackagesView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("GET", "HEAD"):
+        request = pytest.helpers.request("", "", method)
+        assert await PackagesView.get_permission(request) == UserAccess.Read
+    for method in ("POST",):
+        request = pytest.helpers.request("", "", method)
+        assert await PackagesView.get_permission(request) == UserAccess.Write
 
 
 async def test_get(client: TestClient, package_ahriman: Package, package_python_schedule: Package) -> None:

tests/ahriman/web/views/status/test_views_status_status.py

@@ -1,9 +1,22 @@
+import pytest
+
 from pytest_aiohttp import TestClient
 
 import ahriman.version as version
 
 from ahriman.models.build_status import BuildStatusEnum
 from ahriman.models.package import Package
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.status.status import StatusView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("GET", "HEAD"):
+        request = pytest.helpers.request("", "", method)
+        assert await StatusView.get_permission(request) == UserAccess.Read
 
 
 async def test_get(client: TestClient, package_ahriman: Package) -> None:

tests/ahriman/web/views/test_views_base.py

@@ -33,6 +33,16 @@ def test_validator(base: BaseView) -> None:
     assert base.validator
 
 
+async def test_get_permission(base: BaseView) -> None:
+    """
+    must search for permission attribute in class
+    """
+    for method in ("DELETE", "GET", "HEAD", "POST"):
+        request = pytest.helpers.request(base.request.app, "", method)
+        setattr(BaseView, f"{method.upper()}_PERMISSION", "permission")
+        assert await base.get_permission(request) == "permission"
+
+
 async def test_extract_data_json(base: BaseView) -> None:
     """
     must parse and return json

tests/ahriman/web/views/test_views_index.py

@@ -1,5 +1,19 @@
+import pytest
+
 from pytest_aiohttp import TestClient
 
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.index import IndexView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("GET", "HEAD"):
+        request = pytest.helpers.request("", "", method)
+        assert await IndexView.get_permission(request) == UserAccess.Safe
+
 
 async def test_get(client_with_auth: TestClient) -> None:
     """
@@ -34,3 +48,11 @@ async def test_get_static(client: TestClient) -> None:
     """
     response = await client.get("/static/favicon.ico")
     assert response.ok
+
+
+async def test_get_static_with_auth(client_with_auth: TestClient) -> None:
+    """
+    must return static files
+    """
+    response = await client_with_auth.get("/static/favicon.ico")
+    assert response.ok

tests/ahriman/web/views/user/test_views_user_login.py

@@ -1,9 +1,21 @@
+import pytest
 from aiohttp.test_utils import TestClient
 from pytest_mock import MockerFixture
 from unittest.mock import MagicMock
 
 from ahriman.core.auth.oauth import OAuth
 from ahriman.models.user import User
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.user.login import LoginView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("GET", "POST"):
+        request = pytest.helpers.request("", "", method)
+        assert await LoginView.get_permission(request) == UserAccess.Safe
 
 
 async def test_get_default_validator(client_with_auth: TestClient) -> None:

tests/ahriman/web/views/user/test_views_user_logout.py

@@ -1,7 +1,21 @@
+import pytest
+
 from aiohttp.test_utils import TestClient
 from aiohttp.web import HTTPUnauthorized
 from pytest_mock import MockerFixture
 
+from ahriman.models.user_access import UserAccess
+from ahriman.web.views.user.logout import LogoutView
+
+
+async def test_get_permission() -> None:
+    """
+    must return correct permission for the request
+    """
+    for method in ("POST",):
+        request = pytest.helpers.request("", "", method)
+        assert await LogoutView.get_permission(request) == UserAccess.Safe
+
 
 async def test_post(client_with_auth: TestClient, mocker: MockerFixture) -> None:
     """

tests/testresources/core/ahriman.ini

@@ -9,12 +9,12 @@ repositories = core extra community multilib
 root = /
 
 [auth]
-allow_read_only = no
 client_id = client_id
 client_secret = client_secret
 oauth_provider = GoogleClient
 oauth_scopes = https://www.googleapis.com/auth/userinfo.email
 salt = salt
+safe_build_status = no
 
 [build]
 archbuild_flags =
@@ -62,6 +62,9 @@ region = eu-central-1
 secret_key =
 
 [web]
+debug = no
+debug_check_host = no
+debug_allowed_hosts =
 host = 127.0.0.1
 static_path = ../web/templates/static
 templates = ../web/templates