Merge branch 'release/0.5.2' into merge-0-5-2-into-develop

Conflicts:
	.circleci/config.yml

Favored develop since admin test jobs were added in develop in #2758.

	install_files/ansible-base/roles/ossec/files/test_admin_key.pub
	install_files/ansible-base/roles/ossec/files/test_admin_key.sec

Favored develop for these changes since these keys in 0.5.2 were
erroneously both public keys (fixed in #2925).

	install_files/ansible-base/securedrop-configure.yml

Deleted this file as it was removed in develop during the sdconfig
refactor (#2758) from Ansible to Python. The locale prompt additions added
in SecureDrop 0.5.2 were added in #2758 on develop.

	molecule/aws/scripts/app-tests.sh

Favored develop since the addition of RTL language testing was
added in #2930.

	molecule/aws/side_effect.yml

Favored release/0.5.2 as these changes were due to the addition
of Tor apt repo testing in CI against release branches (#2941).

	securedrop/Dockerfile

Favored develop since all these gettext commands being merged into
one RUN command was done in #2822 and is still on develop.

	docs/development/contributor_guidelines.rst

Favored develop since these contributor guidelines were added recently in #2972.

.circleci/config.yml

@@ -117,7 +117,7 @@ jobs:
 
       - run:
           name: Installation pre-reqs
-          command: pip install -U -r securedrop/requirements/develop-requirements.txt
+          command: pip install -U -r ./securedrop/requirements/develop-requirements.txt
 
       - run:
           name: Check Python dependencies for CVEs
@@ -147,6 +147,9 @@ jobs:
       - store_artifacts:
           path: /root/sd/raw-test-output
 
+      - store_artifacts:
+          path: /root/sd/.tor_version
+
 workflows:
   version: 2
   securedrop_ci:

changelog.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.5.2
+
+* Replace PyCrypto (#2903).
+* Use `max_fail_percentage` to force immediate Ansible exits in playbook runs (#2922).
+* Bugfix: Dynamically allocate firewall during OSSEC registration (#2748).
+* Bugfix: Add all languages to sdconfig prompt (#2935).
+
+The issues for this release were tracked in the 0.5.2 milestone on Github:
+https://github.com/freedomofpress/securedrop/milestone/41
+
 ## 0.5.1
 
 ### Web Applications

docs/conf.py

@@ -57,9 +57,9 @@
 # built documents.
 #
 # The short X.Y version.
-version = '0.5.1'
+version = '0.5.2'
 # The full version, including alpha/beta/rc tags.
-release = '0.5.1'
+release = '0.5.2'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.

docs/set_up_admin_tails.rst

@@ -107,8 +107,8 @@ key:
 .. code:: sh
 
     cd ~/Persistent/securedrop/
-    git checkout 0.5.1
-    git tag -v 0.5.1
+    git checkout 0.5.2
+    git tag -v 0.5.2
 
 You should see ``Good signature from "SecureDrop Release Signing Key"`` in the
 output of that last command.

install_files/ansible-base/group_vars/all/securedrop

@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml host_vars/development.yml
-securedrop_app_code_version: "0.5.1"
+securedrop_app_code_version: "0.5.2"
 
 grsecurity: true
 install_local_packages: false

install_files/securedrop-app-code/DEBIAN/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-app-code
-Version: 0.5.1
+Version: 0.5.2
 Architecture: amd64
 Depends: python-pip,apparmor-utils,gnupg2,haveged,python,python-pip,secure-delete,sqlite,apache2-mpm-worker,libapache2-mod-wsgi,libapache2-mod-xsendfile,redis-server,supervisor,securedrop-keyring,securedrop-config
 Description: Packages the SecureDrop application code pip dependencies and apparmor profiles. This package will put the apparmor profiles in enforce mode. This package does use pip to install the pip wheelhouse

install_files/securedrop-app-code/usr/share/doc/securedrop-app-code/changelog.Debian

@@ -1,3 +1,9 @@
+securedrop-app-code (0.5.2) trusty; urgency=medium
+
+  * See changelog.md
+
+ -- SecureDrop Team <securedrop@freedom.press>  Thu, 01 Feb 2018 21:14:12 +0000
+
 securedrop-app-code (0.5.1) trusty; urgency=medium
 
   * See changelog.md

install_files/securedrop-config/DEBIAN/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-config
-Version: 0.1.0+0.5.1
+Version: 0.1.0+0.5.2
 Architecture: all
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.

install_files/securedrop-keyring/DEBIAN/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-keyring
-Version: 0.1.1+0.5.1
+Version: 0.1.1+0.5.2
 Architecture: amd64
 Depends: gnupg
 Description: Provides an apt keyring for SecureDrop-related packages, so the master signing key used for SecureDrop packages can be updated via apt.

install_files/securedrop-ossec-agent/DEBIAN/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-agent
-Version: 2.8.2+0.5.1
+Version: 2.8.2+0.5.2
 Architecture: amd64
 Depends: ossec-agent,securedrop-keyring,securedrop-config
 Replaces: ossec-agent

install_files/securedrop-ossec-server/DEBIAN/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <securedrop@freedom.press>
 Homepage: https://securedrop.org
 Package: securedrop-ossec-server
-Version: 2.8.2+0.5.1
+Version: 2.8.2+0.5.2
 Architecture: amd64
 Depends: ossec-server,securedrop-keyring,securedrop-config
 Replaces: ossec-server

molecule/aws/securedrop_test.pub

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFhPGZsBCACzn00s3+i5HdGIldDGYXxY2HKL9Qhk0DhiRrNPaQemhNijuFlC
+geCeKN/smDAUyM5mfEoxmWy3V7n8SEQUpqI4dIS2AohReLkyKEKiIpTuXW7F9kO3
+vcXHgrTka+8B4ZQxDuTHNFJLmBwJnP24LrL6BzkDIUNeQFwM0EFTDOJlW1QV6qkm
+9WGizo2sR0VBJJabfRWrTWd8llYOVcc+LptErVNADPaX6iqb+QnZVJ/nYmCTgABj
+lD3aZ4EPZ+ioVOcOxbgBkAX76COObUUw/XahBGwj4fJ5kyzvDSBCHHlRzN39LKpM
+Y+HfSc1scAOWN+Dd0N/joIa0j0U4SGHo1NdzABEBAAG0MVNlY3VyZURyb3AgVEVT
+VElORyBrZXkgPHNlY3VyZWRyb3BAZnJlZWRvbS5wcmVzcz6JAU4EEwEIADgWIQRO
+15zDNi19EoNwRgJKO+SpIhGwPAUCWE8ZmwIbAwULCQgHAgYVCAkKCwIEFgIDAQIe
+AQIXgAAKCRBKO+SpIhGwPCb9B/9SuVoxbe3nLlU0bHDQtoq5P7adyTZK+5gKIiAo
+mtAkc/EuiF6jYIDLo+DBB1GBJVjyD5igTt14XR3JpMe6nLtztD5zgGk47gYQk3y5
+6f5ydd7zRo9OxulRYDvU1mXMUc0EmqfzuSxY55HJy5KQvjeKIU0fTvwbPYXdhFCC
+42iyBIkp4e4/C5oO4lNrNY2DJEZ+a8H5LHasJ4g9A78f/D5q0HWO1HutzfDeiMvq
+WFwlGMD2OzTEQA2MGlVRIYvLHAG1aV9fXY8kjCFT8ri5hxlQeTkKISfbW3pFSq6s
+Ow4r975zWLTPJNm+WTbBpfIOFBVAW34EHkcb/QmntlvqkNM+uQENBFhPGZsBCAC4
+VEtCQEuZ3WzCNL/0yQFih1EjT/AsS3j3++xvSOYWF+c7AjR9X0MkJFTnUZBHs6MX
+PM33bbkWbBBE2ILdDCEF72Uc5HyyC2lW2DvPY9ZLVSGcMCUsKARv5rbeNdgiLVP5
+8AMkmG48q0Pxrr6UVX14M34Jm5G91c/dj9zHtVwkLg4RG/rcumQdlpQhNmMycB2X
+lat48atmEkutfLEQizXIlgiCdNEpgfUBy/jZZcCOjwr8PUPmSUWjKOVMv6CSLx8K
+z2cP4We7tyq4qhc0cWjJOWOmJpu5tbmi6XEEWGaIJyN+POhHEcb0tI1rTJ88nrMb
+DI/NF/35kuWIIkADOb2vABEBAAGJATYEGAEIACAWIQRO15zDNi19EoNwRgJKO+Sp
+IhGwPAUCWE8ZmwIbDAAKCRBKO+SpIhGwPC3fB/0TfuScS718FiEcVRI3F2wBbzTQ
+VARhGzEvPSU5Z3Cur/EB8ihpWvwi39tUMeg5HTheDl/8A7f1QCjIFSVEr1slGNLh
+YFF07XGWhy837z6kiihK2z6/w6Q9QJqjE+QVZCKr97aIPejvEoHoslZTU5pJ52qF
+J7KQd1hEvVs00DxY6VlyK0FzXqByKYq6Arl2tzlCZ6RPEHKXV2xSP06jLEagzgYe
+DylVo9Xahenj4n/Mtq7Am6tGgU9Vy9cGbWNBdUND/mFQEEZSh9RJabPeluH12sir
+5/tfsDr4DGHSz7ws+5M6Zbk6oNJEwQZ4cR+81qCfXE5X5LW1KlAL8wDl7dfS
+=fYUi
+-----END PGP PUBLIC KEY BLOCK-----

molecule/aws/side_effect.yml

@@ -5,6 +5,15 @@
   become: yes
   tasks:
     - include: reboot_and_wait.yml
+      when: "false"
+    - include: tor_apt_test.yml
+      when: (lookup('env','CIRCLE_BRANCH')|default('na')).startswith('release')
+  handlers:
+    - name: update tor
+      apt:
+        name: tor
+        state: latest
+        update_cache: yes
 
 - name: Setup junit env first
   hosts: localhost

molecule/aws/tor_apt_test.yml

@@ -0,0 +1,39 @@
+---
+- name: Add apt SD test public key
+  apt_key:
+    data: "{{ lookup('file','securedrop_test.pub') }}"
+    state: present
+
+- name: Temporary fix for GH issue 2938
+  file:
+    state: absent
+    path: "/etc/apt/sources.list.d/tor_apt_freedom_press.list"
+
+- name: Switch apt repo URLs to staging.
+  replace:
+    dest: "/etc/apt/sources.list.d/tor.apt.freedom.press.list"
+    replace: "tor-apt-test.freedom.press"
+    regexp: '//tor-apt\.freedom\.press'
+  ignore_errors: "yes"
+  notify: update tor
+
+- name: Force possible tor update
+  meta: flush_handlers
+
+- name: Squash testinfra failure for packages needing update
+  apt:
+    upgrade: safe
+
+- name: Extract latest tor version
+  shell: |
+    apt-cache policy tor | sed -e 's/^\s*Installed:\ \(\S*\)/\1/g;tx;d;:x'
+  changed_when: false
+  register: extract_tor_version
+
+- name: Dump Tor version to file (for reporting)
+  copy:
+    dest: "{{ playbook_dir }}/../../.tor_version"
+    content: "{{ extract_tor_version.stdout }}"
+  delegate_to: localhost
+  run_once: true
+  become: "no"

molecule/builder/tests/vars.yml

@@ -1,5 +1,5 @@
 ---
-securedrop_version: "0.5.1"
+securedrop_version: "0.5.2"
 ossec_version: "2.8.2"
 keyring_version: "0.1.1"
 config_version: "0.1.0"

securedrop/version.py

@@ -1 +1 @@
-__version__ = '0.5.1'
+__version__ = '0.5.2'

testinfra/common/test_tor_mirror.py

@@ -1,6 +1,10 @@
+import os
 import pytest
 
 
+@pytest.mark.skipif(
+        os.environ.get('CIRCLE_BRANCH', 'na').startswith('release'),
+        reason="Release branches will use tor-apt-test repo")
 def test_tor_mirror_present(host):
     """
     Ensure the FPF mirror of the Tor apt repo, tor-apt.freedom.press,