diff --git a/dom0/fpf-apt-test-repo.sls b/dom0/fpf-apt-test-repo.sls
new file mode 100644
index 00000000..128ee9f4
--- /dev/null
+++ b/dom0/fpf-apt-test-repo.sls
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+
+# That's right, we need to install a package in order to
+# configure a repo to install another package
+install-python-apt-for-repo-config:
+ pkg.installed:
+ - pkgs:
+ - python-apt
+
+configure apt-test apt repo:
+ pkgrepo.managed:
+ - name: "deb [arch=amd64] https://apt-test-qubes.freedom.press stretch main"
+ - file: /etc/apt/sources.list.d/fpf-apt-test.list
+ - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+ require:
+ - install-python-apt-for-repo-config
diff --git a/dom0/sd-journalist-files.top b/dom0/sd-journalist-files.top
index d2659b1d..cb357b73 100644
--- a/dom0/sd-journalist-files.top
+++ b/dom0/sd-journalist-files.top
@@ -5,4 +5,5 @@ base:
 sd-journalist:
 - sd-journalist-files
 sd-journalist-template:
+ - fpf-apt-test-repo
 - sd-journalist-template-files
diff --git a/dom0/sd-journalist-template-files.sls b/dom0/sd-journalist-template-files.sls
index fe97d55c..1f8cb433 100644
--- a/dom0/sd-journalist-template-files.sls
+++ b/dom0/sd-journalist-template-files.sls
@@ -77,3 +77,24 @@ sudo update-desktop-database /usr/share/applications:
 cmd.run
 
 
+
+# Depends on FPF-controlled apt repo, already present
+# in underlying "securedrop-workstation" base template.
+install-securedrop-proxy-package:
+ pkg.installed:
+ - pkgs:
+ - securedrop-proxy
+ require:
+ - sls: fpf-apt-test-repo
+
+{% import_json "sd/config.json" as d %}
+
+install-securedrop-proxy-yaml-config:
+ file.append:
+ - name: /etc/sd-proxy.yaml
+ - text: |
+ host: {{ d.hidserv.hostname }}
+ scheme: http
+ port: 80
+ target_vm: sd-svs
+ dev: False
diff --git a/dom0/sd-journalist-template.sls b/dom0/sd-journalist-template.sls
index 93627a9f..3bd62742 100644
--- a/dom0/sd-journalist-template.sls
+++ b/dom0/sd-journalist-template.sls
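Review bot: The `require:` under `configure apt-test apt repo` sits beside `pkgrepo.managed:` instead of inside its argument list, so Salt will most likely read `require` as a state module name rather than as a requisite and the ordering after python-apt is not enforced; `install-securedrop-proxy-package` in dom0/sd-journalist-template-files.sls has the same shape with `- sls: fpf-apt-test-repo`. Nest it as a list item of the function: `- key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"` / `- require:` / `  - pkg: install-python-apt-for-repo-config`. The repo line is HTTPS and the key comes from the salt fileserver, which is sound, but a comment stating which fingerprint apt-test-pubkey.asc is expected to carry would let a reviewer check the trust root of every package pulled through this repo without fetching the key.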
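Review bot: `install-securedrop-proxy-yaml-config` uses `file.append` for /etc/sd-proxy.yaml, so if `hidserv.hostname` in sd/config.json ever changes the old `host:` line stays and a second one is appended, leaving a YAML document with duplicate keys whose winner depends on the parser; `file.managed` with `- contents: |` and the same text declares the whole file and replaces it on change. The comment above `install-securedrop-proxy-package` says the repo is "already present in underlying base template", but this commit includes fpf-apt-test-repo in the template's own top file and requires it explicitly, so it should read `# Repo is configured by fpf-apt-test-repo.sls, included via sd-journalist-files.top.` The `sudo update-desktop-database` state that opens the hunk starts outside it.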
@@ -29,6 +29,6 @@ sd-journalist-template:
 sd-journalist-template-sync-appmenus:
 cmd.run:
 - name: >
- qvm-start sd-journalist-template &&
+ qvm-start --skip-if-running sd-journalist-template &&
 qvm-sync-appmenus sd-journalist-template &&
 qvm-shutdown sd-journalist-template
diff --git a/dom0/sd-journalist.sls b/dom0/sd-journalist.sls
index c0f4566f..eb8f785a 100644
--- a/dom0/sd-journalist.sls
+++ b/dom0/sd-journalist.sls
@@ -54,3 +54,17 @@ sd-journalist-dom0-qubes.OpenInVM-disp:
 file.prepend:
 - name: /etc/qubes-rpc/policy/qubes.OpenInVM
 - text: "sd-journalist sd-svs allow\n"
+
+# Permit the SecureDrop Proxy to manage Client connections
+sd-journalist-dom0-securedrop.Proxy:
+ file.prepend:
+ - name: /etc/qubes-rpc/policy/securedrop.Proxy
+ - text: |
+ sd-svs sd-journalist allow
+ $anyvm $anyvm deny
+
+# Permit the SecureDrop Proxy to copy files to Client.
+sd-journalist-dom0-qubes.Filecopy:
+ file.prepend:
+ - name: /etc/qubes-rpc/policy/qubes.Filecopy
+ - text: "sd-journalist sd-svs allow\n"
diff --git a/dom0/sd-svs.sls b/dom0/sd-svs.sls
index a048ca39..a507bede 100644
--- a/dom0/sd-svs.sls
+++ b/dom0/sd-svs.sls
@@ -43,6 +43,6 @@ sd-svs-dom0-qubes.qubesGpg:
 sd-svs-template-sync-appmenus:
 cmd.run:
 - name: >
- qvm-start sd-svs-template &&
+ qvm-start --skip-if-running sd-svs-template &&
 qvm-sync-appmenus sd-svs-template &&
 qvm-shutdown sd-svs-template
diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls
index 86ca6719..f396316f 100644
--- a/dom0/sd-workstation-template-files.sls
+++ b/dom0/sd-workstation-template-files.sls
@@ -1,12 +1,3 @@
-# -*- coding: utf-8 -*-
-# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
-
-configure apt-test apt repo:
- pkgrepo.managed:
- - name: "deb [arch=amd64] https://apt-test-qubes.freedom.press stretch main"
- - file: /etc/apt/sources.list.d/fpf-apt-test.list
- - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
-
 configure mimetype support for debian9:
 pkg.installed:
 - pkgs:
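Review bot: With `--skip-if-running` the chain no longer fails when the template is already up, but the trailing `qvm-shutdown sd-journalist-template` still runs, so a template the operator had running (for example mid-update) is shut down by this state; `sd-svs-template-sync-appmenus` in dom0/sd-svs.sls has the same behaviour. If that is intended, a one-line comment above `cmd.run:` such as `# The template is shut down afterwards even if it was already running` keeps the next reader from treating it as a bug. The enclosing state block starts before the hunk.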
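Review bot: The comment on `sd-journalist-dom0-securedrop.Proxy` reads as if the proxy initiates the connection, but the policy line `sd-svs sd-journalist allow` grants the caller sd-svs access to the securedrop.Proxy service in sd-journalist (source, target, action), with `$anyvm $anyvm deny` closing the service to every other pair; rewording it as `# Allow only the Client (sd-svs) to call securedrop.Proxy in sd-journalist; all other callers are denied` matches the rule. The `qubes.Filecopy` rule carries no explicit deny and so inherits whatever default the existing policy file already holds for other VM pairs, which is worth stating in its comment. Both states depend on `file.prepend` skipping lines that are already present so that a second highstate leaves the files unchanged; if nothing else ships the securedrop.Proxy policy file, confirm that `file.prepend` creates it rather than failing on a missing file.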
diff --git a/dom0/sd-workstation-template-files.top b/dom0/sd-workstation-template-files.top
index 9c567748..76e0560d 100644
--- a/dom0/sd-workstation-template-files.top
+++ b/dom0/sd-workstation-template-files.top
@@ -3,4 +3,5 @@
 
 base:
 sd-workstation-template:
+ - fpf-apt-test-repo
 - sd-workstation-template-files
diff --git a/tests/base.py b/tests/base.py
index f3d9c22f..c7422db5 100644
--- a/tests/base.py
+++ b/tests/base.py
@@ -62,6 +62,16 @@ def _get_file_contents(self, path):
 "/bin/cat {}".format(path)])
 return contents
 
+ def _package_is_installed(self, pkg):
+ """
+ Confirms that a given package is installed inside the VM.
+ """
+ # dpkg --verify will exit non-zero for a non-installed pkg,
+ # and dom0 will percolate that error code
+ subprocess.check_call(["qvm-run", "-a", "-q", self.vm_name,
+ "dpkg --verify {}".format(pkg)])
+ return True
+
 def assertFilesMatch(self, remote_path, local_path):
 remote_content = self._get_file_contents(remote_path)
 
diff --git a/tests/test_journalist_vm.py b/tests/test_journalist_vm.py
index 3d0bcae2..d2e67fb6 100644
--- a/tests/test_journalist_vm.py
+++ b/tests/test_journalist_vm.py
@@ -1,4 +1,5 @@
 import unittest
+import json
 
 from base import SD_VM_Local_Test
 
@@ -28,6 +29,24 @@ def test_sd_process_display(self):
 self.assertFilesMatch("/usr/bin/sd-process-display",
 "sd-journalist/sd-process-display")
 
+ def test_sd_proxy_package_installed(self):
+ self.assertTrue(self._package_is_installed("securedrop-proxy"))
+
+ def test_sd_proxy_yaml_config(self):
+ with open("config.json") as c:
+ config = json.load(c)
+ hostname = config['hidserv']['hostname']
+
+ wanted_lines = [
+ "host: {}".format(hostname),
+ "scheme: http",
+ "port: 80",
+ "target_vm: sd-svs",
+ "dev: False",
+ ]
+ for line in wanted_lines:
+ self.assertFileHasLine("/etc/sd-proxy.yaml", line)
+
 
 def load_tests(loader, tests, pattern):
 suite = unittest.TestLoader().loadTestsFromTestCase(SD_Journalist_Tests)
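Review bot: `_package_is_installed` can only return True or raise `CalledProcessError`, so `assertTrue(self._package_is_installed(...))` in tests/test_journalist_vm.py never fails as an assertion, and `dpkg --verify` checks file checksums rather than install state — an installed package with a locally edited file fails it, while the exit status for a package that is simply not installed should be confirmed against the dpkg version in the template. Returning the status makes the assertion meaningful: `cmd = "dpkg-query -W -f='${{Status}}' {} | grep -q 'install ok installed'".format(pkg)` / `rc = subprocess.call(["qvm-run", "-a", "-q", self.vm_name, cmd])` / `return rc == 0`. Since `pkg` is spliced into a shell command line executed inside the VM, the docstring should say callers pass literal package names only. The enclosing class starts before the hunk.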
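Review bot: `test_sd_proxy_yaml_config` opens `config.json` relative to the current working directory while the salt state reads `sd/config.json`, so the test only passes when run from the directory holding that copy; anchoring on the test file with `os.path.join(os.path.dirname(__file__), "..", "config.json")` (plus `import os`) removes the dependency if config.json lives one level above tests/ — confirm the layout. Asserting the wanted lines one by one with `assertFileHasLine` also passes when the file still contains a stale `host:` line from an earlier run, so a whole-file comparison would be stricter where a helper for it exists. `import json` should precede `import unittest` to keep the stdlib group alphabetised.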