SecureDrop Workstation 0.2.3-rpm/0.2.2-deb QA #494

Closed
eloquence opened this issue Mar 11, 2020 · 14 comments

@eloquence
Member

eloquence commented Mar 11, 2020

This issue tracks QA reports for

Following this test plan:
https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Beta-Acceptance-Tests

Reports for the previous release can be found here:
#484

@eloquence
Member Author

eloquence commented Mar 11, 2020

Self-assigning to the following scenarios from the test plan:

  1. Scenario: (Client) Online mode except print as I do not have a supported printer.
  2. Scenario: Client and Journalist Interface both in use

@eloquence
Member Author

Login

  • when SecureDrop desktop icon is double-clicked, preflight updater is displayed
  • After preflight updater runs, when user clicks Continue, login dialog is displayed
  • In login dialog:
    • show/hide password functionality works
    • incorrect password cannot log in
    • invalid 2FA token cannot log in
    • 2FA token reuse cannot log in after password failure
    • valid credentials and 2FA can log in

@eloquence
Member Author

Sources

  • after valid login:
    • the login dialog closes
    • source data is downloaded and source list is populated
    • user is prompted for GPG key access
    • submissions and replies are decrypted
    • the source list is displayed but no sources are selected by default
    • the conversation view is not populated
  • when a source is selected in source list:
    • conversation view is populated with source conversation
    • a source message containing HTML is displayed as unformatted text
    • source submissions have an active Download button
    • source submission compressed file size is displayed accurately --- ❌ BUT: note that uncompressed size is not, see Reported file size does not reflect decompression securedrop-client#917

@eloquence
Member Author

  • when the upper right 3-dot button is clicked:
    • a menu is displayed with a delete source account option
    • when delete source account is selected:
      • the source is deleted from the source list and the conversation view is blanked
      • the source is deleted from the server and not restored on next sync
      • source submissions and messages are removed from the client's data directory
  • when a source is starred in source list, and the client is closed and reopened in Online mode:
    • the source is still starred in the source list

@eloquence
Member Author

Replies

  • when a source is selected in the source list:
    • the reply panel is available for use and there is no message asking the user to sign in
    • a reply can be added to the conversations
    • a reply containing HTML is displayed as unformatted text
    • two replies added immediately after each other are ordered correctly

Submissions

Preview
  • when Download is clicked on a submission:
    • the submission is downloaded and decrypted
    • the Download button is replaced with Print and Export options
    • the submission filename is displayed.
  • For a DOC submission:
    • when the submission filename is clicked, a disposable VM (dispVM) is started.
    • after the dispVM starts, the submission is displayed in LibreOffice
    • when LibreOffice is closed, the dispVM shuts down
  • For a PDF submission:
    • when the submission filename is clicked, a dispVM is started.
    • after the dispVM starts, the submission is displayed in evince
    • when evince is closed, the dispVM shuts down
  • For a JPEG submission:
    • when the submission filename is clicked, a dispVM is started.
    • after the dispVM starts, the submission is displayed in Image Viewer
    • when evince is closed, the dispVM shuts down

@eloquence
Member Author

  • When Export is first clicked on a submission:
    • the "Preparing to export..." message is displayed
    • the sd-devices VM is started
    • the user is prompted to insert an Export USB (after pressing Continue)
    • On clicking Cancel, the prompt closes and the file is not exported
  • When Export is clicked on the submission again:
    • the "Preparing to export..." message is displayed
    • the user is prompted to insert an Export USB
    • When the user inserts an invalid Export USB, attaches it to the sd-devices VM and clicks OK:
      • a message is displayed indicating that the Export USB is invalid and
        the user is prompted to insert a valid device
  • When Export is clicked on the submission again:
    • the "Preparing to export..." message is displayed
    • the user is prompted to insert an Export USB
    • When the user inserts a valid Export USB, attaches it to the sd-devices VM, and clicks OK:
      • the user is prompted for the Export USB's password
    • When the user enters an invalid Export USB password and clicks Submit:
    • When the user enters a valid Export USB password and clicks Submit:
      • the file is saved to the Export USB
  • When the user detaches the Export USB and mounts it on another VM or computer:
    • the decrypted submission is available on the Export USB, in a directory sd-export-<timestamp>/export_data

@eloquence
Member Author

eloquence commented Mar 12, 2020

Scenario: Client and Journalist Interface both in use

Login

  • when SecureDrop desktop icon is double-clicked, preflight updater is displayed (updates skipped)
  • After preflight updater runs, when user clicks Continue, login dialog is displayed (updates skipped)
  • after valid login to client:
    • the login dialog closes
    • source data is downloaded and source list is populated
    • user is prompted for GPG key access (skipped due to previous grant)
    • submissions and replies are decrypted
    • the source list is displayed but no sources are selected by default
    • the conversation view is not populated
  • when the JI address is visited in Tor Browser:
    • JI login page is displayed
  • after valid login to JI using same account as for client:
    • sources page is displayed, containing the same sources as the client (order may differ)

Sources, replies, submissions

  • when a source is starred in the client:
    • the source is also starred in the JI after a page reload
  • when a starred source is unstarred in the JI:
  • when a reply is sent to a source via the client:
  • the reply is visible in the JI and can be viewed by the source in the Source Interface
  • when a reply is sent to a source via the JI:
    • the reply is visible in the source conversation view after next sync (actually immediately & then transitions to sent, test plan should be clarified)
  • when an individual file submission is deleted in the JI:
    • the submission is no longer listed in the conversation view ❌

OK, this is where things still fall apart. I observed three different behaviors:

  1. For a single file that had not been downloaded in client yet (and subsequently deleted in JI) it was properly removed from the list.

  2. For one file out of a batch of files that had been downloaded in client (and subsequently deleted in JI), I got this glitch:
    [image: broken-file]

  3. Going back to the source from 1) and submitting/deleting another file without downloading it in the client resulted in this crasher:

sqlalchemy.orm.exc.NoResultFound: No row was found for one() (full traceback)

@emkll
Contributor

emkll commented Mar 12, 2020

I will be working on the following scenarios:

  • Scenario: Offline mode without existing data
  • Scenario: Offline mode with existing data
  • mime handling in sd-app
  • mime handling in sd-viewer

@eloquence
Member Author

eloquence commented Mar 13, 2020

  1. Updates to RPMs of existing install worked without a hitch, didn't verify whether all changes were successfully applied as we already expected that not all of the logging-related ones would be.
  2. uninstall command worked just fine as well, it did throw a few warnings at the end about trying to delete files that didn't exist. I didn't capture those but will see if it happens again next time.
  3. So far so good on another prod install (went through without errors), will be testing with that setup tomorrow.

This is not part of our test plan yet (it should be), but the XFCE settings were correctly reset, and re-applied.

@emkll
Contributor

emkll commented Mar 13, 2020

Scenario: Offline mode with existing data

Offline to Online

  • When SecureDrop desktop icon is double-clicked, preflight updater is displayed
  • After preflight updater runs, when user clicks Continue, login dialog is displayed
  • When user clicks Work Offline, login dialog closes and main window opens
  • after startup:
    • there is no sync attempt with the server
    • the source list is populated with contents of last server sync
  • When the user selects a source with submissions from the source list:
    • the conversation view is populated with the source conversation
    • the reply panel is inactive, with a "Sign in" message
    • a previously downloaded submission can be exported
    • a previously downloaded submission can be printed
    • When the user clicks Download on an undownloaded submission, a message is displayed instructing the user to sign in to perform the download
  • When the user clicks the top-left user icon and chooses Sign in:
    • the login dialog is displayed over the main window
  • When the user enters valid login details and clicks Log in:
    • the login dialog closes
    • The user icon is updated to reflect the user's details
    • source data is synced with the server
  • When the user selects a source with submissions from the source list:
    • the conversation view is populated with the source conversation
    • the reply panel is active
    • When the user replies to a source, the reply is added to the source conversation
    • When the user clicks Download on an undownloaded submission, the submission is downloaded and decrypted
    • When the user clicks Export on a submission, the export process can be completed
    • When the user clicks Print on a submission, the print process can be completed
  • When the user clicks the main window close button:
    • the client exits. (❗ note, the main window close button does not exit if the export dialog)

@eloquence
Member Author

  • when an individual message is deleted in the JI:
    • the message is no longer listed in the conversation view ❌ a similar glitch as with deleted files, see below.
    • the messages are deleted from the client database

When deleting an individual message via the JI, the message is not removed from the conversation view - instead it jumps up vertically, next to a reply, so you end up with this (the message "Talk to me" was deleted via the JI):
[image: overlaping-content]

The message is correctly removed from the DB and therefore gone after a restart.

@eloquence
Member Author

  • when a source is deleted in the JI:
  • when a source is deleted in the client:
    • the source is no longer listed in the JI after a page reload

@emkll
Contributor

emkll commented Mar 19, 2020

Mime handling test (in progress)

❗ we run qvm-open-in-vm without the --view-only parameter, which means that edits in the DispVM are sent back to sd-app. Is there a UX reason for this? If not, I think we should add --view-only (we do it for the export archive)

Verify mime handling in sd-app

  • Behavior in client (e.g. mailto, http:// link w/ modified client that disables escaping)
    http links are opened with the open-in-dvm-desktop, but error when calling /usr/bin/open-in-vm because it expects a file. This provides defense-in-depth and sufficient mitigations
  • Review default mime handler apps in sd-app, tested manually but also automated tests now available in Test mimetype handling with xdg-mime query #472

Verify mime handling in sd-viewer

  • Review default mime handler apps in sd-viewer
    Tested manually but also automated tests in Test mimetype handling with xdg-mime query #472
  • Send a .desktop file that executes code, see what happens
    Desktop files are caught by the custom mimeapps.list policies that call open-in-dvm.desktop
    When running qvm-open-in-vm the executable bit is dropped
    ❗ xdg-open .desktop files will default open them in a dispvm (there's no rule existing for application/x-desktop, we should add an explicit one)
    ❗ in sd-viewer, it's opened in vim, therefore unreadable; we should consider setting gedit
  • Check macro execution default policy in libreoffice
    [image: macro_policy_viewer]
    [image: macro_trusted_certs]
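
The gap flagged in the comment above, a MIME type that only reaches the DispVM handler by fallback because it has no explicit rule, can be caught by auditing `mimeapps.list` for explicit entries. This is an added example, not part of the original comment or the project's test suite; only the handler name `open-in-dvm.desktop` comes from the thread, while the sample file contents, the `firefox.desktop` entry and the list of required types are constructed.

```python
import configparser

# Handler name comes from the comment above; everything else here is constructed.
DISPVM_HANDLER = "open-in-dvm.desktop"

# Constructed sample mimeapps.list, not the project's real file.
SAMPLE_MIMEAPPS = """\
[Default Applications]
application/pdf=open-in-dvm.desktop;
image/jpeg=open-in-dvm.desktop;
text/html=firefox.desktop;
"""

# Constructed list of types the auditor wants pinned explicitly.
REQUIRED_TYPES = ["application/pdf", "image/jpeg", "text/html", "application/x-desktop"]


def parse_defaults(text):
    """Return {mimetype: first listed handler} from [Default Applications]."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep MIME type keys exactly as written
    parser.read_string(text)
    if not parser.has_section("Default Applications"):
        return {}
    defaults = {}
    for mimetype, value in parser.items("Default Applications"):
        handlers = [h.strip() for h in value.split(";") if h.strip()]
        if handlers:
            defaults[mimetype] = handlers[0]
    return defaults


def audit(text, required=REQUIRED_TYPES, expected=DISPVM_HANDLER):
    """Classify each required type: ok, missing (no explicit rule) or wrong:<handler>."""
    defaults = parse_defaults(text)
    report = {}
    for mimetype in required:
        handler = defaults.get(mimetype)
        if handler is None:
            report[mimetype] = "missing"
        elif handler == expected:
            report[mimetype] = "ok"
        else:
            report[mimetype] = "wrong:" + handler
    return report


if __name__ == "__main__":
    for mimetype, status in audit(SAMPLE_MIMEAPPS).items():
        print(f"{mimetype:24} {status}")
```

A "missing" result is the case described for `application/x-desktop`: the type may still open in a DispVM today, but nothing in the file guarantees it.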

@eloquence
Member Author

Next round of QA here: #499
