Journalist UI could not be reached via v3 URL 1.0.0~rc1

[kushaldas]

Description

I could not reach the journalist UI via v3 onion address.

Steps to Reproduce

• Updated from only v2 onion based 1.0.0~rc1 to both v2 and v3 enabled system.
• Ran ./securedrop-admin tailsconfig on the admin workstation
• Tried to open the journalist UI by double clicking on the desktop icon.

Note: The source v3 onion address is working fine, and if I type in the old v2 onion address manually, it is currently working.

Expected Behavior

The journalist UI should come up.

Actual Behavior

The Tor Browser can not find the onion address.

[rmol]

Confirmed.

[rmol]

The problem seems to be that the securedrop_init.py hook isn't getting run during tailsconfig, so /var/lib/tor/onion_auth isn't getting populated. I bounced the network manually to get it run, that directory was populated, and I can now reach the journalist interface.

I think the cause is that the copy task in configure_network_hook.yml (Copy NetworkManager hook for managing SecureDrop interfaces.) doesn't have force: yes, so if the file doesn't need to be copied, the notify doesn't fire and the handler doesn't run securedrop_init.py.

[rmol]

Nope, copy with force: yes still only copies the file if the source content differs from the destination.

It looks like we might want to either populate /var/lib/onion/auth outside of the hook, or move the hook to a task instead of a handler?

[zenmonkeykstop]

This is an existing bug iirc - securedrop_init.py also updates the torrc with the v2 HidServAuth changes, so v2 services would have been subject to the same issue.

FWIW I couldn't reproduce on a fresh VM install, but that's probably because the network hook did run when tailsconfig ran.

[zenmonkeykstop]

Moving the hook to a task makes most sense to me.

[conorsch]

Moving the hook to a task makes most sense to me.

Makes sense to me. That's a simple approach, and the only downside is that the hook will run (and bounce tor) every time tailsconfig is run—hardly a major disadvantage.

populate /var/lib/onion/auth outside of the hook

That'd indeed be slightly cleaner, requiring the network hook to bounce only if changes were detected, but it doesn't seem worth the effort in order to provide a stable experience to Admins.

[rmol]

OK. On it. Thanks!

[zenmonkeykstop]

There's an extra directive to be added to torrc to point to the onion_auth directory anyway, so it would still need to be bounced by the hook even if the files were added elsewhere.