From 52b153efe85b2ff4fc0fb497d41bc470d5a19d59 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 18 Oct 2018 20:06:42 -0400 Subject: [PATCH 1/5] Breaks out apt-test repo logic Using a separate SLS file, since we need the apt-test repo configured in more than just the `sd-workstation-template` VM: we need it at least in `sd-journalist-template`, shortly to become the `sd-proxy-template`, for installing the `securedrop-proxy` package. Appends another task to the SLS file, ensuring that `python-apt` is installed, because evidently Salt requires that package in order to handle the repo configuration. Wasn't a problem against Debian 9, but the Whonix-derived VMs such as `sd-journalist` errored out until the package was installed. --- dom0/fpf-apt-test-repo.sls | 18 ++++++++++++++++++ dom0/sd-journalist-files.top | 1 + dom0/sd-workstation-template-files.sls | 9 --------- dom0/sd-workstation-template-files.top | 1 + 4 files changed, 20 insertions(+), 9 deletions(-) create mode 100644 dom0/fpf-apt-test-repo.sls diff --git a/dom0/fpf-apt-test-repo.sls b/dom0/fpf-apt-test-repo.sls new file mode 100644 index 00000000..128ee9f4 --- /dev/null +++ b/dom0/fpf-apt-test-repo.sls @@ -0,0 +1,18 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : + + +# That's right, we need to install a package in order to +# configure a repo to install another package +install-python-apt-for-repo-config: + pkg.installed: + - pkgs: + - python-apt + +configure apt-test apt repo: + pkgrepo.managed: + - name: "deb [arch=amd64] https://apt-test-qubes.freedom.press stretch main" + - file: /etc/apt/sources.list.d/fpf-apt-test.list + - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc" + require: + - install-python-apt-for-repo-config diff --git a/dom0/sd-journalist-files.top b/dom0/sd-journalist-files.top index d2659b1d..cb357b73 100644 --- a/dom0/sd-journalist-files.top +++ b/dom0/sd-journalist-files.top @@ -5,4 +5,5 @@ base: sd-journalist: - sd-journalist-files sd-journalist-template: + - fpf-apt-test-repo - sd-journalist-template-files diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls index 86ca6719..f396316f 100644 --- a/dom0/sd-workstation-template-files.sls +++ b/dom0/sd-workstation-template-files.sls @@ -1,12 +1,3 @@ -# -*- coding: utf-8 -*- -# vim: set syntax=yaml ts=2 sw=2 sts=2 et : - -configure apt-test apt repo: - pkgrepo.managed: - - name: "deb [arch=amd64] https://apt-test-qubes.freedom.press stretch main" - - file: /etc/apt/sources.list.d/fpf-apt-test.list - - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc" - configure mimetype support for debian9: pkg.installed: - pkgs: diff --git a/dom0/sd-workstation-template-files.top b/dom0/sd-workstation-template-files.top index 9c567748..76e0560d 100644 --- a/dom0/sd-workstation-template-files.top +++ b/dom0/sd-workstation-template-files.top @@ -3,4 +3,5 @@ base: sd-workstation-template: + - fpf-apt-test-repo - sd-workstation-template-files From 480363fd29b7c8616bf1b3accf2defa92e9d9f5a Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 18 Oct 2018 20:06:49 -0400 Subject: [PATCH 2/5] Installs securedrop-proxy pkg in sd-journalist Installing the `securedrop-proxy` package so that it's available for integrating with the other Workstation tooling currently being packaged. We'll soon rename `sd-journalist` to `sd-proxy`, but not yet. Includes config tests updates to ensure the package is indeed installed. --- dom0/sd-journalist-template-files.sls | 9 +++++++++ tests/base.py | 10 ++++++++++ tests/test_journalist_vm.py | 3 +++ 3 files changed, 22 insertions(+) diff --git a/dom0/sd-journalist-template-files.sls b/dom0/sd-journalist-template-files.sls index fe97d55c..5b3b80e5 100644 --- a/dom0/sd-journalist-template-files.sls +++ b/dom0/sd-journalist-template-files.sls @@ -77,3 +77,12 @@ sudo update-desktop-database /usr/share/applications: cmd.run + +# Depends on FPF-controlled apt repo, already present +# in underlying "securedrop-workstation" base template. +install-securedrop-proxy-package: + pkg.installed: + - pkgs: + - securedrop-proxy + require: + - sls: fpf-apt-test-repo diff --git a/tests/base.py b/tests/base.py index f3d9c22f..c7422db5 100644 --- a/tests/base.py +++ b/tests/base.py @@ -62,6 +62,16 @@ def _get_file_contents(self, path): "/bin/cat {}".format(path)]) return contents + def _package_is_installed(self, pkg): + """ + Confirms that a given package is installed inside the VM. + """ + # dpkg --verify will exit non-zero for a non-installed pkg, + # and dom0 will percolate that error code + subprocess.check_call(["qvm-run", "-a", "-q", self.vm_name, + "dpkg --verify {}".format(pkg)]) + return True + def assertFilesMatch(self, remote_path, local_path): remote_content = self._get_file_contents(remote_path) diff --git a/tests/test_journalist_vm.py b/tests/test_journalist_vm.py index 3d0bcae2..1206fa5e 100644 --- a/tests/test_journalist_vm.py +++ b/tests/test_journalist_vm.py @@ -28,6 +28,9 @@ def test_sd_process_display(self): self.assertFilesMatch("/usr/bin/sd-process-display", "sd-journalist/sd-process-display") + def test_sd_proxy_package_installed(self): + self.assertTrue(self._package_is_installed("securedrop-proxy")) + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Journalist_Tests) From bd2098f836e569f1ca26714dbb1b340cce33f6ef Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 18 Oct 2018 15:48:53 -0400 Subject: [PATCH 3/5] Configures dom0 RPC policies for securedrop-proxy These files must reside in dom0 in order for the inter-VM communication to work for the securedrop-proxy service. Currently copying via Salt, we can move those into the forthcoming dom0 config RPM package when that work is ready. --- dom0/sd-journalist.sls | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/dom0/sd-journalist.sls b/dom0/sd-journalist.sls index c0f4566f..eb8f785a 100644 --- a/dom0/sd-journalist.sls +++ b/dom0/sd-journalist.sls @@ -54,3 +54,17 @@ sd-journalist-dom0-qubes.OpenInVM-disp: file.prepend: - name: /etc/qubes-rpc/policy/qubes.OpenInVM - text: "sd-journalist sd-svs allow\n" + +# Permit the SecureDrop Proxy to manage Client connections +sd-journalist-dom0-securedrop.Proxy: + file.prepend: + - name: /etc/qubes-rpc/policy/securedrop.Proxy + - text: | + sd-svs sd-journalist allow + $anyvm $anyvm deny + +# Permit the SecureDrop Proxy to copy files to Client. +sd-journalist-dom0-qubes.Filecopy: + file.prepend: + - name: /etc/qubes-rpc/policy/qubes.Filecopy + - text: "sd-journalist sd-svs allow\n" From 271ba8dbd9eef3b27146f49266d718d2757351c3 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 18 Oct 2018 16:47:19 -0400 Subject: [PATCH 4/5] Writes YAML config for securedrop-proxy The YAML config file contains site-specific information such as the Onion URL, and is required for the `securedrop-proxy` package to function. Would be ideal to write the YAML intelligently, rather than as line substitutions, this "just worked". In the future perhaps we can port the Salt to Python and `import yaml`. Includes tests. We know the Onion URL we want to connect to (for the sd-whonix config), so let's read that from the JSON file on disk and make sure the configuration landed on the target VM as intended. --- dom0/sd-journalist-template-files.sls | 12 ++++++++++++ tests/test_journalist_vm.py | 16 ++++++++++++++++ 2 files changed, 28 insertions(+) diff --git a/dom0/sd-journalist-template-files.sls b/dom0/sd-journalist-template-files.sls index 5b3b80e5..1f8cb433 100644 --- a/dom0/sd-journalist-template-files.sls +++ b/dom0/sd-journalist-template-files.sls @@ -86,3 +86,15 @@ install-securedrop-proxy-package: - securedrop-proxy require: - sls: fpf-apt-test-repo + +{% import_json "sd/config.json" as d %} + +install-securedrop-proxy-yaml-config: + file.append: + - name: /etc/sd-proxy.yaml + - text: | + host: {{ d.hidserv.hostname }} + scheme: http + port: 80 + target_vm: sd-svs + dev: False diff --git a/tests/test_journalist_vm.py b/tests/test_journalist_vm.py index 1206fa5e..d2e67fb6 100644 --- a/tests/test_journalist_vm.py +++ b/tests/test_journalist_vm.py @@ -1,4 +1,5 @@ import unittest +import json from base import SD_VM_Local_Test @@ -31,6 +32,21 @@ def test_sd_process_display(self): def test_sd_proxy_package_installed(self): self.assertTrue(self._package_is_installed("securedrop-proxy")) + def test_sd_proxy_yaml_config(self): + with open("config.json") as c: + config = json.load(c) + hostname = config['hidserv']['hostname'] + + wanted_lines = [ + "host: {}".format(hostname), + "scheme: http", + "port: 80", + "target_vm: sd-svs", + "dev: False", + ] + for line in wanted_lines: + self.assertFileHasLine("/etc/sd-proxy.yaml", line) + def load_tests(loader, tests, pattern): suite = unittest.TestLoader().loadTestsFromTestCase(SD_Journalist_Tests) From 2ebe3b74f78644342861ebd6f74cf6e22cbc1b22 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 18 Oct 2018 18:25:46 -0400 Subject: [PATCH 5/5] Less forceful qvm-sync-appmenus During development, re-ran `make sd-journalist` several times, and the appmenu task failed simply because the VM was already running. Let's pass a flag to continue in such a scenario, rather than erroring out. --- dom0/sd-journalist-template.sls | 2 +- dom0/sd-svs.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/dom0/sd-journalist-template.sls b/dom0/sd-journalist-template.sls index 93627a9f..3bd62742 100644 --- a/dom0/sd-journalist-template.sls +++ b/dom0/sd-journalist-template.sls @@ -29,6 +29,6 @@ sd-journalist-template: sd-journalist-template-sync-appmenus: cmd.run: - name: > - qvm-start sd-journalist-template && + qvm-start --skip-if-running sd-journalist-template && qvm-sync-appmenus sd-journalist-template && qvm-shutdown sd-journalist-template diff --git a/dom0/sd-svs.sls b/dom0/sd-svs.sls index a048ca39..a507bede 100644 --- a/dom0/sd-svs.sls +++ b/dom0/sd-svs.sls @@ -43,6 +43,6 @@ sd-svs-dom0-qubes.qubesGpg: sd-svs-template-sync-appmenus: cmd.run: - name: > - qvm-start sd-svs-template && + qvm-start --skip-if-running sd-svs-template && qvm-sync-appmenus sd-svs-template && qvm-shutdown sd-svs-template