Include check for pre-4.19 Tails versions in network hook. Attempt to…

… repair auto-updates on those systems

install_files/ansible-base/roles/tails-config/files/securedrop_init.py

@@ -7,7 +7,8 @@
 import sys
 import subprocess
 
-from shutil import copyfile
+import tempfile
+from shutil import copyfile, copyfileobj
 
 
 # check for root
@@ -37,6 +38,7 @@
                                 'install_files/ansible-base/mon-ssh.auth_private')
 }
 path_onion_auth_dir = '/var/lib/tor/onion_auth'
+path_tails_version = '/etc/amnesia/version'
 
 # load torrc_additions
 if os.path.isfile(path_torrc_additions):
@@ -148,3 +150,71 @@
 if b'Update needed' in output or os.path.exists(flag_location):
     # Start the SecureDrop updater GUI.
     subprocess.Popen(['python3', path_gui_updater], env=env)
+
+# Check for Tails < 4.19 and apply a fix to the auto-updater.
+# See https://tails.boum.org/news/version_4.18/
+# (Suggested removal: 2022/01)
+tails_min_version = [4, 19]
+needs_update = False
+
+try:
+    cmd = 'cat /etc/os-release | grep VERSION | cut -f2 -d\\"'
+
+    # Using shell=True because contents of /etc/os-release are trusted
+    tails_current_version = subprocess.check_output(cmd,
+                                                    shell=True,
+                                                    universal_newlines=True,
+                                                    env=env).strip().split(".")  # nosec
+
+    try:
+        needs_update = (len(tails_current_version) >= len(tails_min_version) and
+                        (int(tails_current_version[0]) < tails_min_version[0]
+                        or int(tails_current_version[1]) < tails_min_version[1]))
+
+    except (TypeError, ValueError):
+        sys.exit('Error checking Tails version. Please visit tails.boum.org ' +
+                 'to ensure your version of Tails is up to date.')
+
+    if needs_update:
+        cert_name = 'isrg-root-x1-cross-signed.pem'
+        pem_file = tempfile.NamedTemporaryFile(delete=True)
+
+        try:
+            pem_download_proc = subprocess.call(['torsocks',
+                                                 'curl',
+                                                 '--silent',
+                                                 'https://tails.boum.org/' + cert_name],
+                                                stdout=pem_file, env=env)
+
+            # Verify against /etc/ssl/certs/DST_Root_CA_X3.pem, which cross-signs
+            # the new LetsEncrypt cert but is expiring
+            verify_proc = subprocess.check_output(['openssl', 'verify',
+                                                   '-no_check_time', '-no-CApath',
+                                                   '-CAfile',
+                                                   '/etc/ssl/certs/DST_Root_CA_X3.pem',
+                                                   '/tmp/' + cert_name],
+                                                  universal_newlines=True, env=env)
+
+            if 'OK' in verify_proc:
+
+                # Updating the cert chain requires sudo privileges
+                os.setresgid(0, 0, -1)
+                os.setresuid(0, 0, -1)
+
+                with open('/usr/local/etc/ssl/certs/tails.boum.org-CA.pem', 'a') as chain:
+                    pem_file.seek(0)
+                    copyfileobj(pem_file, chain)
+                    chain.close()
+
+            # As amnesia user, start updater GUI
+            os.setresgid(amnesia_gid, amnesia_gid, -1)
+            os.setresuid(amnesia_uid, amnesia_uid, -1)
+            restart_proc = subprocess.call(['systemctl', '--user', 'restart',
+                                            'tails-upgrade-frontend'], env=env)
+
+        finally:
+            pem_file.close()
+
+except subprocess.CalledProcessError:
+    sys.exit('Error checking Tails version. Please visit tails.boum.org ' +
+             'to ensure your version of Tails is up to date.')