Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Eliminate flag-for-reply process #5954

Merged
merged 3 commits into from
Jun 7, 2021
Merged

Conversation

rmol
Copy link
Contributor

@rmol rmol commented May 19, 2021

Status

Ready for review

Description of Changes

Fixes #1584.

This PR removes the haveged package, the checks of the entropy pool before generating source keypairs, and asynchronous source key generation. Source keys are now generated if they don't exist whenever a source visits /lookup or submits something, and the Source.flagged column and all associated code have been removed. The flag route in the journalist API is now a no-op, always returning a 200 status with a message explaining that the action is no longer needed. The is_flagged attribute of the JSON representation of sources returned from the API is now always false.

Testing

  • git checkout 1584-trust-in-disorder
  • make dev
  • Visit the source interface and create a new source.
  • In the container (docker exec -it securedrop-dev-0 bash) run sqlite3 /var/lib/securedrop/db.sqlite "select id, filesystem_id from sources order by id" and gpg --homedir /var/lib/securedrop/keys/ --list-keys to verify that the new source has a key.
  • Log in as a journalist. Navigate to any individual source page and confirm that it says "You can write a secure reply to the person who submitted these messages and/or files:".
  • Get into the dev container with docker exec -it securedrop-dev-0 bash.
  • Find the filesystem ID of the source you logged in as: sqlite3 /var/lib/securedrop/db.sqlite "select filesystem_id from sources where journalist_designation = 'its-journalist-designation'"
  • Delete the GPG keys of the source:
    • gpg --homedir /var/lib/securedrop/keys --yes --pinentry-mode=loopback --delete-secret-keys FILESYSTEM_ID
    • gpg --homedir /var/lib/securedrop/keys --yes --pinentry-mode=loopback --delete-keys FILESYSTEM_ID
  • Delete the key fingerprint cache in Redis: redis-cli del sd/crypto-util/fingerprints
  • As the journalist, reload the source page and confirm that it says: "This source has no encryption key. An encryption key will be generated for the source the next time they log in, after which you will be able to reply to the source here."
  • Submit a message as the source.
  • As the journalist, reload the source page. It should again allow you to reply to the source.
  • Log out of the source interface.
  • Delete the source's GPG keypair and clear the Redis fingerprint cache again.
  • Confirm that the journalist can no longer reply.
  • Log in as the source.
  • Confirm that the journalist can again reply.

Deployment

What could go wrong? 🙂

I believe the changed logic will cover existing cases of sources without keys. Any source that was flagged for reply should get a key the next time they log in, simply because they don't have a key. The changed messaging in the journalist interface could be confusing for journalists who've had to flag sources for reply, but the effective flow is the same: you just have to wait for the source to return.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to the system configuration:

If you added or removed a file deployed with the application:

  • I have updated AppArmor rules to include the change

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

rmol added 3 commits May 19, 2021 10:57
The changes in sources of randomness in Linux, and libgcrypt's use of
them, have eliminated any need there might have been to check the
amount of entropy available. Keypair generation takes less than a
second on current CPUs. There's no need to defer key generation or to
perform it asynchronously.
@rmol rmol requested a review from a team as a code owner May 19, 2021 15:43
@eloquence eloquence added this to the 2.0.0 milestone May 20, 2021
source.flagged = True
db.session.commit()
return jsonify({'message': 'Source flagged for reply'}), 200
return jsonify({'message': 'Sources no longer need to be flagged for reply'}), 200
Copy link
Member

@eloquence eloquence May 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be worth marking the endpoint explicitly as deprecated, to be removed in a future release.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we can mark it as deprecated in the documentation, then we don't have to update this PR.

@kushaldas kushaldas self-assigned this Jun 3, 2021
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Went through the whole test steps, and also visually inspected the code changes.

We should mark the API deprecation in the documentation, other than this I am okay with this change.

source.flagged = True
db.session.commit()
return jsonify({'message': 'Source flagged for reply'}), 200
return jsonify({'message': 'Sources no longer need to be flagged for reply'}), 200
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we can mark it as deprecated in the documentation, then we don't have to update this PR.

Copy link
Contributor

@redshiftzero redshiftzero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

visually reviewed the diff and am relying on kushal's functional review, this LGTM!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Get rid of entropy checks
5 participants