Installs securedrop-proxy package in sd-journalist #170

Merged
merged 5 commits into from
Oct 19, 2018
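--- a/dom0/fpf-apt-test-repo.sls
+++ b/dom0/fpf-apt-test-repo.sls
@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+
+# That's right, we need to install a package in order to
+# configure a repo to install another package
+install-python-apt-for-repo-config:
+pkg.installed:
+- pkgs:
+- python-apt
+
+configure apt-test apt repo:
+pkgrepo.managed:
+- name: "deb [arch=amd64] https://apt-test-qubes.freedom.press stretch main"
+- file: /etc/apt/sources.list.d/fpf-apt-test.list
+- key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+require:
+- install-python-apt-for-repo-config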
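Review bot: The signing key loaded through `key_url` on the pkgrepo.managed state is most likely imported into the template's global apt keyring, which would make it trusted for every configured source and not only for apt-test-qubes.freedom.press. Since the top files in this change apply the state to both sd-journalist-template and sd-workstation-template, consider installing the key as its own keyring file and scoping the source to it, e.g. `deb [arch=amd64 signed-by=<PATH_TO_KEYRING>] https://apt-test-qubes.freedom.press stretch main`. A comment above the state saying that this is a test repository, and what is meant to replace it, would also help whoever audits the templates later.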
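--- a/dom0/sd-journalist-files.top
+++ b/dom0/sd-journalist-files.top
@@ -5,4 +5,5 @@ base:
 sd-journalist:
 - sd-journalist-files
 sd-journalist-template:
+- fpf-apt-test-repo
 - sd-journalist-template-files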
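--- a/dom0/sd-journalist-template-files.sls
+++ b/dom0/sd-journalist-template-files.sls
@@ -77,3 +77,24 @@
 
 sudo update-desktop-database /usr/share/applications:
 cmd.run
+
+# Depends on FPF-controlled apt repo, already present
+# in underlying "securedrop-workstation" base template.
+install-securedrop-proxy-package:
+pkg.installed:
+- pkgs:
+- securedrop-proxy
+require:
+- sls: fpf-apt-test-repo
+
+{% import_json "sd/config.json" as d %}
+
+install-securedrop-proxy-yaml-config:
+file.append:
+- name: /etc/sd-proxy.yaml
+- text: |
+host: {{ d.hidserv.hostname }}
+scheme: http
+port: 80
+target_vm: sd-svs
+dev: False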
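Review bot: `file.append` in install-securedrop-proxy-yaml-config, as far as I understand Salt, only adds lines that are missing, so /etc/sd-proxy.yaml is not authoritative: if the hostname in sd/config.json changes, or the file already holds other keys, it ends up with a stale or duplicate `host:` entry and the result depends on how the proxy's YAML loader resolves duplicates. Use `file.managed:` with `- contents: |` in place of `file.append:` and `- text: |`, ideally with an explicit `- mode`, so each run rewrites the whole file. The comment above install-securedrop-proxy-package also says the FPF repo is "already present" in the base template, while the state requires `sls: fpf-apt-test-repo`; it should say that the repo is configured by that SLS.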
2 changes: 1 addition & 1 deletion dom0/sd-journalist-template.sls
@@ -29,6 +29,6 @@ sd-journalist-template:
sd-journalist-template-sync-appmenus:
cmd.run:
- name: >
qvm-start sd-journalist-template &&
qvm-start --skip-if-running sd-journalist-template &&
qvm-sync-appmenus sd-journalist-template &&
qvm-shutdown sd-journalist-template
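--- a/dom0/sd-journalist.sls
+++ b/dom0/sd-journalist.sls
@@ -54,3 +54,17 @@ sd-journalist-dom0-qubes.OpenInVM-disp:
 file.prepend:
 - name: /etc/qubes-rpc/policy/qubes.OpenInVM
 - text: "sd-journalist sd-svs allow\n"
+
+# Permit the SecureDrop Proxy to manage Client connections
+sd-journalist-dom0-securedrop.Proxy:
+file.prepend:
+- name: /etc/qubes-rpc/policy/securedrop.Proxy
+- text: |
+sd-svs sd-journalist allow
+$anyvm $anyvm deny
+
+# Permit the SecureDrop Proxy to copy files to Client.
+sd-journalist-dom0-qubes.Filecopy:
+file.prepend:
+- name: /etc/qubes-rpc/policy/qubes.Filecopy
+- text: "sd-journalist sd-svs allow\n"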
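Review bot: The qubes.Filecopy rule gives sd-journalist an unprompted `allow` into sd-svs and, unlike the securedrop.Proxy block just above it, prepends no deny line, so every other source/target pair is decided by whatever lines already follow in /etc/qubes-rpc/policy/qubes.Filecopy. If sd-journalist is the only VM meant to push files into sd-svs, say so in the policy by prepending a second line such as `$anyvm sd-svs deny`, mirroring the securedrop.Proxy rule. The comment should also record why `allow` rather than `ask` is acceptable here, since it removes the user confirmation step for files entering sd-svs.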
2 changes: 1 addition & 1 deletion dom0/sd-svs.sls
@@ -43,6 +43,6 @@ sd-svs-dom0-qubes.qubesGpg:
sd-svs-template-sync-appmenus:
cmd.run:
- name: >
qvm-start sd-svs-template &&
qvm-start --skip-if-running sd-svs-template &&
qvm-sync-appmenus sd-svs-template &&
qvm-shutdown sd-svs-template
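--- a/dom0/sd-workstation-template-files.sls
+++ b/dom0/sd-workstation-template-files.sls
@@ -1,12 +1,3 @@
-# -*- coding: utf-8 -*-
-# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
-
-configure apt-test apt repo:
-pkgrepo.managed:
-- name: "deb [arch=amd64] https://apt-test-qubes.freedom.press stretch main"
-- file: /etc/apt/sources.list.d/fpf-apt-test.list
-- key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
-
 configure mimetype support for debian9:
 pkg.installed:
 - pkgs: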
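--- a/dom0/sd-workstation-template-files.top
+++ b/dom0/sd-workstation-template-files.top
@@ -3,4 +3,5 @@
 
 base:
 sd-workstation-template:
+- fpf-apt-test-repo
 - sd-workstation-template-files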
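--- a/tests/base.py
+++ b/tests/base.py
@@ -62,6 +62,16 @@ def _get_file_contents(self, path):
 "/bin/cat {}".format(path)])
 return contents
 
+def _package_is_installed(self, pkg):
+"""
+Confirms that a given package is installed inside the VM.
+"""
+# dpkg --verify will exit non-zero for a non-installed pkg,
+# and dom0 will percolate that error code
+subprocess.check_call(["qvm-run", "-a", "-q", self.vm_name,
+"dpkg --verify {}".format(pkg)])
+return True
+
 def assertFilesMatch(self, remote_path, local_path):
 remote_content = self._get_file_contents(remote_path)
 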
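Review bot: `_package_is_installed` can only return True or raise, so `assertTrue(self._package_is_installed(...))` reports a missing package as an unhandled CalledProcessError rather than an assertion failure. Wrapping the `check_call` in `try:` … `except subprocess.CalledProcessError: return False` would give the boolean result the name promises. Separately, `pkg` is formatted into a command string that is presumably interpreted by a shell inside the VM, so the docstring should say that callers must pass a literal package name, or the value should be shell-quoted before formatting. The enclosing class starts outside this hunk.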
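--- a/tests/test_journalist_vm.py
+++ b/tests/test_journalist_vm.py
@@ -1,4 +1,5 @@
 import unittest
+import json
 
 from base import SD_VM_Local_Test
 
@@ -28,6 +29,24 @@ def test_sd_process_display(self):
 self.assertFilesMatch("/usr/bin/sd-process-display",
 "sd-journalist/sd-process-display")
 
+def test_sd_proxy_package_installed(self):
+self.assertTrue(self._package_is_installed("securedrop-proxy"))
+
+def test_sd_proxy_yaml_config(self):
+with open("config.json") as c:
+config = json.load(c)
+hostname = config['hidserv']['hostname']
+
+wanted_lines = [
+"host: {}".format(hostname),
+"scheme: http",
+"port: 80",
+"target_vm: sd-svs",
+"dev: False",
+]
+for line in wanted_lines:
+self.assertFileHasLine("/etc/sd-proxy.yaml", line)
+
 
 def load_tests(loader, tests, pattern):
 suite = unittest.TestLoader().loadTestsFromTestCase(SD_Journalist_Tests)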
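Review bot: test_sd_proxy_yaml_config only checks that each wanted line is present (assuming `assertFileHasLine`, defined outside this hunk, does what its name says), so it would still pass if /etc/sd-proxy.yaml also carried a stale or conflicting `host:` or `dev:` line. Judging by its keys, the file decides which host the proxy talks to and which VM it targets, so compare the whole file against the expected content, with something like `self.assertEqual(self._get_file_contents("/etc/sd-proxy.yaml").strip(), "\n".join(wanted_lines))`. `open("config.json")` also depends on the directory the tests are run from; a one-line comment saying so would save the next reader a failed run.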