Release SecureDrop 0.6.0

[redshiftzero]

This is a tracking issue for the upcoming release of SecureDrop 0.6 - tasks may get added or modified.

Feature freeze: February 27, 2018
String freeze: March 6, 2018
Release date: March 13, 2018

SecureDrop maintainers and testers: As you QA 0.6, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 0.6 milestone for tracking.

Test debian packages are posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.

Prepare release candidate (0.6~rc2)

• Branch release/0.6 off master - @redshiftzero
• 0.6-rc1 was created but we did not build test debs as we needed to bump the kernels (Bumps securedrop-grsec metapackage to 4.4.115 #3077)
• Prepare 0.6-rc2 tag - @redshiftzero
• Build debs and put up 0.6~rc2 on test apt server - @conorsch

QA (0.6~rc2)

• Test upgrade from 0.5.2 works on prod w/ test repo debs
• Test fresh install (not upgrade) of 0.6 works on prod w/ test repo debs

Prepare next release candidate (0.6~rc3)

• Prepare 0.6-rc3 tag - @redshiftzero
• Build debs and put up 0.6~rc3 on test apt server - @conorsch

QA (0.6~rc3)

• Test upgrade from 0.5.2 works on prod w/ test repo debs
• Test fresh install (not upgrade) of 0.6 works on prod w/ test repo debs

Prepare next release candidate (0.6~rc4)

• Prepare 0.6-rc4 tag - @redshiftzero
• Build debs and put up 0.6~rc4 on test apt server - @conorsch

QA (0.6~rc4)

• Test upgrade from 0.5.2 works on prod w/ test repo debs
• Test fresh install (not upgrade) of 0.6 works on prod w/ test repo debs

Prepare final release candidate (0.6~rc5)

• Prepare 0.6-rc5 tag - @redshiftzero
• Build debs and put up 0.6~rc5 on test apt server - @conorsch

Final release

• Push signed tag
• Build final Debian packages for 0.6
• Pre-Flight: Test install (not upgrade) of 0.6 works w/ prod repo debs
• Publish blog post about 0.6 Debian package release and instructions for admins

Post-release

• Merge release changes into master branch
• Merge release changes into development branch

[ghost]

It would be great to have detailed Q/A scripts that volunteers with a lot of good will but experience with SecureDrop could run manually. Do we have that already ?

[redshiftzero]

For getting setup with prod VMs for testing, this is the best documentation we have, and this post by @kushaldas is useful (version numbers will need bumping). In terms of QA scripts the most detailed generic (for any release) testing script we have is the following - it covers basic server testing and application acceptance testing:

A. Tests from the Admin Tails Drive

1. You should be able to access the source and journalist interfaces

• Open up Tor browser and try it out on both interfaces

2. You should be able to SSH into app and mon over Tor

• ssh app
• ssh mon

3. OSSEC should start up

• Execution steps:
  • Check your email
• Expected behavior:
  • Check that OSSEC alerts were received
  • Verify that you can decrypt the message

4. Check that both servers are running grsec kernels

• Preconditions: You SSH into each server.
• Execution steps:
  • Run uname -a
• Expected output:
  • -grsec is in the kernel name

5. Verify AppArmor is loaded

• Preconditions: You SSH into both servers.
• Execution steps:
  • Run sudo aa-status
• Expected output:
  • apparmor module is loaded appears in the output

6. Check iptables rules are set up

• Preconditions: You SSH into each server.
• Execution steps:
  • Run sudo iptables-save
• Expected output:
  • iptables rules are printed to stdout
  • The iptables output is dozens of lines, not just the default ACCEPT chains

B. Test Cases For Command Line User Creation

1. You can create a administrator from the command line.

• Precondition: You are SSHed into app
• Execution steps are described here.
• Expected behavior:
  • You are able to login using the account made at the command line
  • Admin panel is available in journalist web interface

C. Test Cases for Source Interface

• Precondition: You have used Tor Browser to navigate to the source interface.

Landing Page Base Cases

1. When the Tor Browser Security slider is at its lowest setting, a purple bar appears along the top of the application indicating that one should turn the security slider to high.
2. When the Tor Browser Security slider is at its highest setting, this bar does not appear.

First Submission Base Cases

• Precondition: You have clicked “Submit Documents” on the home page.

3. On the generate page, clicking refresh changes the codename. 7 words appear before and after changing the codename.
4. On the submission page, clicking “Submit” with no documents or messages written generates an error message.
5. On the submission page, typing a message “test” and clicking “Submit” generates a “Success!” flashed message.
6. On the submission page, attempt to upload a file greater than 500 MB. This should not work and a “The Connection Was Reset” page should appear.
7. On the submission page, attempting to upload a file less than 500 MB results in a green success flashed message.

Returning Source Base Cases

• Precondition: You have clicked “Check for a response” on the home page.

8. Entering an empty codename results in a “Sorry that is not a recognized codename” flashed message.
9. Entering a legitimate codename results in a source being able to successfully login.
10. On the submission page, journalist responses appear (one will need to be logged in).

D. Test Cases for Journalist Interface

• Precondition: You have used Tor Browser to navigate to the journalist interface.

Login Base Cases

1. Username “test1” can successfully log in with their 2FA tokens.
2. If user “test1” uses an incorrect password, they get a “Login failed. Please wait for a new two-factor token before logging in again.” flashed message.
3. If “test1” tries to use an invalid 2FA token, they get a “Login failed. Please wait for a new two-factor token before logging in again.” flashed message.
4. If “test1” tries to use the same 2FA token, they get a “Login failed. Please wait for a new two-factor token before logging in again.” flashed message.

Index Base Cases

Precondition: You have used Tor Browser to navigate to the journalist interface and are logged in.

5. Filter by codename on index successfully filters
6. Click “select all” selects all submissions.
7. Selecting “Download All” results in all submissions being downloaded.
8. Starring a source successfully stars a source.
9. Unstarring a source successfully unstars a source.

Source Page Base Cases

Precondition: You have used Tor Browser to navigate to the journalist interface, logged in, and clicked on a given source.

10. You are able to type “Response” and hit “Submit” and get a “Thanks! Your reply has been stored” flashed message. A new row should appear ending in -reply.gpg.
11. You are able to click a document and download it. You can successfully decrypt the document using the submission private key.
12. You are able to submit an empty response and get a flashed message indicating that text needs to be entered.
13. Clicking “Delete collection” results in all documents being deleted for the given source.

Checklist

You can use this for copy/pasting into your QA report

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download all" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

[redshiftzero]

In terms of 0.6-specific testing, here's a proposed checklist, focused on securedrop-admin given the significant changes there:

• ./securedrop-admin --help reports useful feedback
• ./securedrop-admin setup works in Tails
• ./securedrop-admin sdconfig works in Tails
• ./securedrop-admin sdconfig allows empty sasl_domain
• ./securedrop-admin install proceeds without issue after Ansible version bump
• ./securedrop-admin tailsconfig proceeds without issue
• ./securedrop-admin check_for_updates reports to the user that an update is available
• ./securedrop-admin update reports signature verifies and updates workstation to the latest valid tag 0.5.2
• Servers are both running 4.4.115 kernels
• Journalist interface: source deletion confirmation appears (Css: Delete confirmation with css-only modal #2946)
• Journalist interface: with JS enabled, a user gets a confirmation re: 2FA reset (User confirmation before 2FA reset no longer appears #2920)
• /var/lib/tor/services is monitored by syscheck (Syscheck warning on missing directory specified in ossec agent configuration #2960)
• After manual testing of web applications, no AppArmor issues appear in OSSEC alerts

[redshiftzero]

Fresh install 0.6~rc2 in prod VMs

0.6~rc2 specific testing

• ./securedrop-admin --help reports useful feedback
• ./securedrop-admin setup works in Tails
• ./securedrop-admin sdconfig works in Tails
• ./securedrop-admin sdconfig allows empty sasl_domain
• ./securedrop-admin install proceeds without issue after Ansible version bump
• ./securedrop-admin tailsconfig proceeds without issue
• ./securedrop-admin check_for_updates reports to the user that an update is available
• ./securedrop-admin update reports signature verifies and updates workstation to the latest valid tag 0.5.2
• Servers are both running 4.4.115 kernels
• Journalist interface: source deletion confirmation appears (Css: Delete confirmation with css-only modal #2946)
• Journalist interface: with JS enabled, a user gets a confirmation re: 2FA reset (User confirmation before 2FA reset no longer appears #2920)
• /var/lib/tor/services is monitored by syscheck (Syscheck warning on missing directory specified in ossec agent configuration #2960)
• After manual testing of web applications, no AppArmor issues appear in OSSEC alerts

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

[ghost]

There are commits to merge back to develop from yesterday's action.

$ git --no-pager  log --oneline --cherry-mark --right-only origin/develop...origin/release/0.6
+ 658088bb SecureDrop 0.6~rc2
+ e29bdd74 Merge pull request #3077 from freedomofpress/bump-grsec-metapackage-to-4.4-kernels
+ ab2a05e0 Updates config tests for new kernel image version
+ eb88a67b Updates docs for new kernel image version
+ a9c9643b Bumps securedrop-grsec metapackage to 4.4.115
+ 898690ed SecureDrop 0.6~rc1

Proposed at #3061

[ghost]

I see we are creating 0.6 packages and tags. Could we please switch to using 0.6.0 instead? So we have a uniform naming scheme.

[msheiny]

So I thought this was important ... but I just performed an upgrade and confirmed that the old 3.14.79-grsec kernel was still in the boot menu. This is important so if any instances have issues they can roll back temporarily.

[msheiny]

Upgrade install 0.6~rc2 in prod VMs

0.6~rc2 specific testing

• ./securedrop-admin --help reports useful feedback
• ./securedrop-admin setup works in Tails
• ./securedrop-admin sdconfig works in Tails
• ./securedrop-admin sdconfig allows empty sasl_domain
• ./securedrop-admin install proceeds without issue after Ansible version bump
• ./securedrop-admin tailsconfig proceeds without issue
• ./securedrop-admin check_for_updates reports to the user that an update is available
• ./securedrop-admin update reports signature verifies and updates workstation to the latest valid tag 0.5.2
• Servers are both running 4.4.115 kernels
• Journalist interface: source deletion confirmation appears (Css: Delete confirmation with css-only modal #2946)
• Journalist interface: with JS enabled, a user gets a confirmation re: 2FA reset (User confirmation before 2FA reset no longer appears #2920)
• /var/lib/tor/services is monitored by syscheck (Syscheck warning on missing directory specified in ossec agent configuration #2960)
• After manual testing of web applications, no AppArmor issues appear in OSSEC alerts

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

[emkll]

Fresh install 0.6~rc2 in prod VMs

Everything looks good in clean install, will be testing upgrade path in VMs next.

0.6~rc2 specific testing

• ./securedrop-admin --help reports useful feedback
• ./securedrop-admin setup works in Tails
• ./securedrop-admin sdconfig works in Tails
• ./securedrop-admin sdconfig allows empty sasl_domain
• ./securedrop-admin install proceeds without issue after Ansible version bump
• ./securedrop-admin tailsconfig proceeds without issue
• ./securedrop-admin check_for_updates reports to the user that an update is available
• ./securedrop-admin update reports signature verifies and updates workstation to the latest valid tag 0.5.2
• Servers are both running 4.4.115 kernels
• Journalist interface: source deletion confirmation appears (Css: Delete confirmation with css-only modal #2946)
• Journalist interface: with JS enabled, a user gets a confirmation re: 2FA reset (User confirmation before 2FA reset no longer appears #2920)
• /var/lib/tor/services is monitored by syscheck (Syscheck warning on missing directory specified in ossec agent configuration #2960)
• After manual testing of web applications, no AppArmor issues appear in OSSEC alerts

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

Other:

• ls /boot does not contain any non-grsec kernls

[kushaldas]

Update from '0.5.2' to 0.6~rc2 in prod VMs

0.6~rc2 specific testing

• ./securedrop-admin --help reports useful feedback
• ./securedrop-admin setup works in Tails (But, I also had to file ./securedrop-admin setup misses to update Ansible to 2.4.2 #3088)
• ./securedrop-admin sdconfig works in Tails
• ./securedrop-admin sdconfig allows empty sasl_domain
• ./securedrop-admin install proceeds without issue after Ansible version bump
• ./securedrop-admin tailsconfig proceeds without issue
• ./securedrop-admin check_for_updates reports to the user that an update is available
• ./securedrop-admin update reports signature verifies and updates workstation to the latest valid tag 0.5.2
• Servers are both running 4.4.115 kernels
• Journalist interface: source deletion confirmation appears (Css: Delete confirmation with css-only modal #2946)
• Journalist interface: with JS enabled, a user gets a confirmation re: 2FA reset (User confirmation before 2FA reset no longer appears #2920)
• /var/lib/tor/services is monitored by syscheck (Syscheck warning on missing directory specified in ossec agent configuration #2960) (DId not test)
• After manual testing of web applications, no AppArmor issues appear in OSSEC alerts

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

[ghost]

Only cherry-picks in the release/0.6 as shown by the = sign which indicates the commits that are both in develop and release/0.6 and have the same patch-id.

$ git --no-pager  log  --no-merges --oneline --cherry-mark --right-only origin/develop...origin/release/0.6
= 4ec882bb Monitor only hostname in /var/lib/tor/services
= 1b67299b journalist: kindly ask to check the mail

[emkll]

Upgrade from 0.5.2 to 0.6~rc2 on physical install

0.6~rc2 specific testing

• ./securedrop-admin --help reports useful feedback
• ./securedrop-admin setup works in Tails
• ./securedrop-admin sdconfig works in Tails
• ./securedrop-admin sdconfig allows empty sasl_domain
• ./securedrop-admin install proceeds without issue after Ansible version bump
• ./securedrop-admin tailsconfig proceeds without issue
• ./securedrop-admin check_for_updates reports to the user that an update is available
• ./securedrop-admin update reports signature verifies and updates workstation to the latest valid tag 0.5.2
• Servers are both running 4.4.115 kernels
• Journalist interface: source deletion confirmation appears (Css: Delete confirmation with css-only modal #2946)
• Journalist interface: with JS enabled, a user gets a confirmation re: 2FA reset (User confirmation before 2FA reset no longer appears #2920)
• /var/lib/tor/services is monitored by syscheck (Syscheck warning on missing directory specified in ossec agent configuration #2960)
• After manual testing of web applications, no AppArmor issues appear in OSSEC alerts

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• [] Selecting all and clicking "Download" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

Getting some unecessary OSSEC emails (which appear unrelated to this release):

OSSEC HIDS Notification.
2018 Mar 02 04:11:18

Received From: (app) 10.20.2.2->/var/log/syslog
Rule: 100003 fired (level 7) -> "A cron-apt warning was detected"
Portion of the log(s):

Mar  2 04:11:16 app cron-apt: W: Duplicate sources.list entry https://tor-apt.freedom.press/ trusty/main amd64 Packages (/var/lib/apt/lists/tor-apt.freedom.press_dists_trusty_main_binary-amd64_Packages)



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2018 Mar 02 04:11:18

Received From: (app) 10.20.2.2->/var/log/syslog
Rule: 100003 fired (level 7) -> "A cron-apt warning was detected"
Portion of the log(s):

Mar  2 04:11:16 app cron-apt: W: Duplicate sources.list entry https://tor-apt.freedom.press/ trusty/main i386 Packages (/var/lib/apt/lists/tor-apt.freedom.press_dists_trusty_main_binary-i386_Packages)



 --END OF NOTIFICATION

[redshiftzero]

Upgrade 0.5.2 -> 0.6-rc3 in prod VMs

0.6~rc3 specific testing

• ./securedrop-admin --help reports useful feedback
• ./securedrop-admin setup works in Tails
• ./securedrop-admin sdconfig works in Tails
• ./securedrop-admin sdconfig allows empty sasl_domain
• ./securedrop-admin install proceeds without issue after Ansible version bump
• ./securedrop-admin tailsconfig proceeds without issue
• ./securedrop-admin check_for_updates reports to the user that an update is available
• ./securedrop-admin update reports signature verifies and updates workstation to the latest valid tag 0.5.2
• Servers are both running 4.4.115 kernels
• Journalist interface: source deletion confirmation appears (Css: Delete confirmation with css-only modal #2946)
• Journalist interface: with JS enabled, a user gets a confirmation re: 2FA reset (User confirmation before 2FA reset no longer appears #2920)
• /var/lib/tor/services is monitored by syscheck (Syscheck warning on missing directory specified in ossec agent configuration #2960)
• After manual testing of web applications, no AppArmor issues appear in OSSEC alerts

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

[kushaldas]

Upgrade 0.6-rc3 -> 0.6-rc4 in prod VMs

0.6~rc4 specific testing

• ./securedrop-admin --help reports useful feedback
• ./securedrop-admin setup works in Tails
• ./securedrop-admin sdconfig works in Tails
• ./securedrop-admin sdconfig allows empty sasl_domain
• ./securedrop-admin install proceeds without issue after Ansible version bump
• ./securedrop-admin tailsconfig proceeds without issue
• ./securedrop-admin check_for_updates reports to the user that an update is available
• ./securedrop-admin update reports signature verifies and updates workstation to the latest valid tag 0.5.2
• Servers are both running 4.4.115 kernels
• Journalist interface: source deletion confirmation appears (Css: Delete confirmation with css-only modal #2946)
• Journalist interface: with JS enabled, a user gets a confirmation re: 2FA reset (User confirmation before 2FA reset no longer appears #2920)
• /var/lib/tor/services is monitored by syscheck (Syscheck warning on missing directory specified in ossec agent configuration #2960)
• After manual testing of web applications, no AppArmor issues appear in OSSEC alerts

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
• AppArmor is loaded on mon
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

• Can successfully add admin user and login

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete collection" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

[emkll]

I have tested the kernel metapackage changes as part of 0.6-rc5

Classic upgrade scenario (pre-Feb 16) 0.5.2 -> 0.6:

[x] Kernel 3.14.79-grsec is installed
[x] Kernel 4.4.115-grsec is installed
[x] Kernel 4.4.115-grsec boots by default

Alternate upgrade scenario (SD instance installed after Feb 16) 0.5.2 -> 0.6:

[x] Kernel 3.14.79-grsec is installed
[x] Kernel 4.4.115-grsec is installed
[x] Kernel 4.4.115-grsec boots by default
❗ linux 4.4.0-116-generic is installed, but does not boot by default (4.4.115>4.4.0)

[eloquence]

SecureDrop 0.6 went out as planned on March 13, closing. :)