Release SecureDrop Client 0.2.1

[eloquence]

The following PRs (excluding docs and dev-only changes) have landed since 0.2.0:

• Prevent addition of duplicated api jobs (app: generic approach to prevent addition of duplicated api jobs #975)
• Move CSS to CSS files and add new tests for stylesheets (Move CSS to CSS files and add new tests for stylesheets #1082, fix placeholder label->widget #1112)
• Delete source widgets for current sync update (delete source widgets for current sync update #1114, fixes Source list doesn't update right away when you delete multiple sources #1113, client crashes when sources are reordered #1116, add-source scheduler crashes app because of unhandled exception #1117)
• Reduce minimum size (reduce minimum size #1103, fixes Support 1366x768 screen resolution #1074)

Now is a good time to prepare another release. Per SemVer I would call this a patch-level release since it comprises only bugfixes / internal changes, hence 0.2.1 as the proposed release version.

Rough breakdown of the release process (borrowing from freedomofpress/securedrop-workstation#547):

• Define test plan based on changelogs in the above PRs, link to test plan from here.
• Perform QA using nightly packages (QA reports should be posted as responses to this ticket.)
• Final package release
• Let pilot orgs know of any fixes that are relevant for them

[eloquence]

• Environment type: Qubes staging
• Client version: 0.2.0-dev-20200709-060143
• Workstation version: 0.4.0
• Server: 1.4.1 (staging environment running in Qubes)

Scenario: Online mode

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• In login dialog:
  • show/hide password functionality works
  • incorrect password cannot log in
  • 2FA token reuse cannot log in after password failure
  • invalid 2FA token cannot log in
  • valid credentials and 2FA can log in

Sources

• after valid login:
  • the login dialog closes
  • source data is downloaded and source list is populated
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when a source is selected in source list:
  • conversation view is populated with source conversation
  • a source message containing HTML is displayed as unformatted text
  • source submissions have an active Download button
  • source submission compressed file size is displayed accurately
• when the upper right 3-dot button is clicked:
  • a menu is displayed with a delete source account option
  • when delete source account is selected:
    • the source is deleted from the source list and the conversation view is blanked
    • the source is deleted from the server and not restored on next sync
    • source submissions and messages are removed from the client's data directory
• when a source is starred in source list, and the client is closed and reopened in Online mode:
  • ❌ the source is still starred in the source list

Starring behavior

The behavior I'm seeing as follows:

1. I star a bunch of sources.
2. I exit the client.
3. I restart the client and log back into online mode.
4. I see the starring state before 1), until the sync completes. Then all the stars update to their correct values.

(I'm not sure if that's a regression. It's possible I'm only noticing now because I'm testing with a large number of sources, hence slower syncs.)

[sssoleileraaa]

Starring behavior

The behavior I'm seeing as follows:

1. I star a bunch of sources.
2. I exit the client.
3. I restart the client and log back into online mode.
4. I see the starring state before 1), until the sync completes. Then all the stars update to their correct values.

(I'm not sure if that's a regression. It's possible I'm only noticing now because I'm testing with a large number of sources, hence slower syncs.)

Potential explanation:

If you shut down the client before the client database is updated as a result of the server responding with the updated sources, then when you open the client again it'll show whatever is in the client database until the first sync. Jen and I have discussed potentially waiting until the first sync to make sure the client database is up-to-date first, but there would be a long gap between the client starting and information showing up.

[eloquence]

(@creviera confirms that this starring behavior is present in master and it's both minor and a bit tricky so we can revisit separately.)

[eloquence]

Replies

• when a source is selected in the source list:
  • the reply panel is available for use and there is no message asking the user to sign in
  • a reply can be added to the conversations
  • a reply containing HTML is displayed as unformatted text
  • a reply with a single string of characters longer than 100 chars is displayed correctly
  • ❌ a reply with a line longer than 100 chars is displayed correctly -- known issue, Tracking upstream issue QTBUG-85498 #815
  • two replies added immediately after each other are ordered correctly

Submissions

Preview

• when Download is clicked on a submission:
  • the submission is downloaded and decrypted
  • the Download button is replaced with Print and Export options
  • the submission filename is displayed.
• For a DOC submission:
  • when the submission filename is clicked, a disposable VM (dispVM) is started.
  • after the dispVM starts, the submission is displayed in LibreOffice ❌ but note new issue Opening DOC, DOCX or ODT in LibreOffice triggers "large window" notification securedrop-workstation#588
  • when LibreOffice is closed, the dispVM shuts down
• For a PDF submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in evince
  • when evince is closed, the dispVM shuts down
• For a JPEG submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in Image Viewer
  • when evince is closed, the dispVM shuts down

[emkll]

Testing in progress, securedrop 0.2.0-dev-20200709

Status: Online mode testing complete. Offline, concurrent and large dataset testing TBD

Scenario: Online mode

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• In login dialog:
  • show/hide password functionality works
  • incorrect password cannot log in
  • 2FA token reuse cannot log in after password failure
  • invalid 2FA token cannot log in
  • valid credentials and 2FA can log in

Sources

• after valid login:
  • the login dialog closes
  • source data is downloaded and source list is populated
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when a source is selected in source list:
  • conversation view is populated with source conversation
  • a source message containing HTML is displayed as unformatted text
  • source submissions have an active Download button
  • source submission compressed file size is displayed accurately
• when the upper right 3-dot button is clicked:
  • a menu is displayed with a delete source account option
  • when delete source account is selected:
    • the source is deleted from the source list and the conversation view is blanked
    • the source is deleted from the server and not restored on next sync
    • source submissions and messages are removed from the client's data directory
• when a source is starred in source list, and the client is closed and reopened in Online mode:
  • ❌ the source is still starred in the source list when logging into offline mode (but does appear when I log in again)

Replies

• when a source is selected in the source list:
  • the reply panel is available for use and there is no message asking the user to sign in
  • a reply can be added to the conversations
  • a reply containing HTML is displayed as unformatted text
  • a reply with a single string of characters longer than 100 chars is displayed correctly
  • ❌ a reply with a line longer than 100 chars is displayed correctly Tracking upstream issue QTBUG-85498 #815
  • two replies added immediately after each other are ordered correctly

Submissions

Preview

• when Download is clicked on a submission:
  • the submission is downloaded and decrypted
  • the Download button is replaced with Print and Export options
  • the submission filename is displayed.
• For a DOC submission:
  • when the submission filename is clicked, a disposable VM (dispVM) is started.
  • after the dispVM starts, the submission is displayed in LibreOffice
  • when LibreOffice is closed, the dispVM shuts down
• For a PDF submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in evince
  • when evince is closed, the dispVM shuts down
• For a JPEG submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in Image Viewer
  • when evince is closed, the dispVM shuts down

Export

• When Export is first clicked on a submission:
  • the "Preparing to export..." message is displayed
  • the sd-devices VM is started
  • the user is prompted to insert an Export USB
  • On clicking Cancel, the prompt closes and the file is not exported
• When Export is clicked on the submission again:
  • the "Preparing to export..." message is displayed
  • the user is prompted to insert an Export USB
  • When the user inserts an invalid Export USB, attaches it to the sd-devices VM and clicks OK:
    • a message is displayed indicating that the Export USB is invalid and
      the user is prompted to insert a valid device
• When Export is clicked on the submission again:
  • the "Preparing to export..." message is displayed
  • the user is prompted to insert an Export USB
  • When the user inserts a valid Export USB, attaches it to the sd-devices VM, and clicks OK:
    • the user is prompted for the Export USB's password
  • When the user enters an invalid Export USB password and clicks Submit:
    • a failure message is displayed and the user is prompted to enter the password again
  • When the user enters an valid Export USB password and clicks Submit:
    • the file is saved to the Export USB
• When the user detaches the Export USB and mounts it on another VM or computer:
  • the decrypted submission is available in on the Export USB, in a directory sd-export-<timestamp>/export_data

Print

• When the user clicks Print on a downloaded submission:
  • a "Preparing to print..." message is displayed
  • the sd-devicesVM is started
  • the user is prompted to connect a supported printer
• When the user connects a printer, attaches it to the sd-devices VM, and clicks Continue:
  • a "Printing..." message is displayed
  • the X Printer Panel dialog is displayed with the printer selected
• When the user clicks Print in the X Printer Panel:
  • the submission is printed successflly.

Closing the client

• When the user clicks the main window close button:
  • the client exits.

Scenario: Offline mode without existing data

Prerequisites:

• server is available and contains source test data
• test data includes at least one previously downloaded submission
• test data includes at least one undownloaded submission
• ~/.securedrop_client/data in sd-app is empty, and ~/.securedrop_client/svs.sqlite does not exist (do not delete the entire ~/.securedrop_client directory)
• the sd-devices VM is not running (shut down manually if necessary)
• a supported printer is available, but not attached.

Offline to Online

• When SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• When user clicks Work Offline, login dialog closes and main window opens
• after startup:
  • there is no sync attempt with the server
  • the source list is empty
• When the user clicks the top-left user icon and chooses Sign in:
  • the login dialog is displayed over the main window
• When the user enters valid login details and clicks Log in:
  • the login dialog closes
  • The user icon is updated to reflect the user's details
  • the client is synced with the server and the source list is updated
• When the user selects a source with submissions from the source list:
  • the conversation view is populated with the source conversation
  • the reply panel is active
  • a reply can be sent to the source
  • a submission can be downloaded
  • a downloaded submission can be exported
• When the user clicks the main window close button:
  • the client exits.

Scenario: Offline mode with existing data

Prerequisites:

• server is available and contains source test data
• test data includes at least one previously downloaded submission
• test data includes at least one undownloaded submission
• client data directory has been synced with server in a previous login
• the sd-devices VM is not running (shut down manually if necessary)
• a supported printer is available, but not attached.

Offline to Online

• When SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• When user clicks Work Offline, login dialog closes and main window opens
• after startup:
  • there is no sync attempt with the server
  • the source list is populated with contents of last server sync
• When the user selects a source with submissions from the source list:
  • the conversation view is populated with the source conversation
  • the reply panel is inactive, with a "Sign in" message
  • a previously downloaded submission can be exported
  • a previously downloaded submission can be printed
  • When the user clicks Download on an undownloaded submission, a message is displayed instructing the user to sign in to perform the download
• When the user clicks the top-left user icon and chooses Sign in:
  • the login dialog is displayed over the main window
• When the user enters valid login details and clicks Log in:
  • the login dialog closes
  • The user icon is updated to reflect the user's details
  • source data is synced with the server
• When the user selects a source with submissions from the source list:
  • the conversation view is populated with the source conversation
  • the reply panel is active
  • When the user replies to a source, the reply is added to the source conversation
  • When the user clicks Download on an undownloaded submission, the submission is downloaded and decrypted
  • When the user clicks Export on a submission, the export process can be completed
  • When the user clicks Print on a submission, the print process can be completed
• When the user clicks the main window close button:
  • the client exits.

Scenario: Client and Journalist Interface both in use

Note: this scenario requires access to the Journalist Interface (JI) via
Tor Browser. If the scenario is being tested on Qubes, the JI address can be found
in sd-whonix in /usr/local/etc/torrc.d/50_user.conf. See https://github.com/freedomofpress/securedrop-workstation/wiki/Developer-Tips#how-to-connect-to-the-journalist-interface-in-qubes for instructions on how to connect to the JI in a VM.

Prerequisites:

• server is available and contains source test data
• client data directory is empty

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• after valid login to client:
  • the login dialog closes
  • source data is downloaded and source list is populated
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when the JI address is visited in Tor Browser:
  • JI login page is displayed
• after valid login to JI using same account as for client:
  • sources page is displayed, containing the same sources as the client (order may differ)

Sources, replies, submissions

• when a source is starred in the client:
  • the source is also starred in the JI after a page reload
• when a starred source is unstarred in the JI:
  • the source is also unstarred in the client after next sync.
• when a reply is sent to a source via the client:
• the reply is visible in the JI and can be viewed by the source in the Source Interface
• when a reply is sent to a source via the JI:
  • the reply is visible in the source conversation view after next sync
• when the journalist account used to reply is deleted by an admin in the JI:
  • the next sync is successful
  • the reply is visible in the conversation view
  • the journalist's details are deleted from the client database
• when a reply is deleted by a source:
  • the reply is flagged as having being read in the client
• when an individual file submission is deleted in the JI:
  • the submission is no longer listed in the conversation view
  • the submission files are deleted from the client data directory
• when an individual message is deleted in the JI:
  • the message is no longer listed in the conversation view
  • the messages are deleted from the client database
• when a source is deleted in the JI:
  • the source is no longer listed in the client after next sync
  • files associated with the source are no longer present in the client data directory
• when a source is deleted in the client:
  • the source is no longer listed in the JI after a page reload

Scenario: Large dataset

Prerequisites:

• server is available and contains large source test dataset (256 sources,
  submission sizes ranging from 1-500MB)
• client data directory is empty

Sources

• after valid login:
  • the login dialog closes
  • all source data is downloaded and source list is populated
  • user can scroll to bottom of source list
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when a source is selected in source list:
  • conversation view is populated with source conversation
  • a source message containing HTML is displayed as unformatted text
  • source submissions have an active Download button
  • source submission compressed file size is displayed accurately
• when the upper right 3-dot button is clicked:
  • a menu is displayed with a delete source account option
  • when delete source account is selected:
    • the source is deleted from the source list and the converation view is blanked
    • the source is deleted from the server and not restored on next sync
    • source submissions and messages are removed from the client's data directory
• when a source is starred in source list, and the client is closed and reopened in Online mode:
  • the source is still starred in the source list

Replies

• when a source is selected in the source list:
  • the reply panel is available for use and there is no message asking the user to sign in
  • a reply can be added to the conversations
  • a reply containing HTML is displayed as unformatted text
  • two replies added immediately after each other are ordered correctly

Submissions

Preview

• when Download is clicked on a submission:
  • the submission is downloaded and decrypted
  • the Download button is replaced with Print and Export options
  • the submission filename is displayed.
• For a DOC submission:
  • when the submission filename is clicked, a disposable VM (dispVM) is started.
  • after the dispVM starts, the submission is displayed in LibreOffice
  • when LibreOffice is closed, the dispVM shuts down
• For a PDF submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in evince
  • when evince is closed, the dispVM shuts down
• For a JPEG submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in Image Viewer
  • when evince is closed, the dispVM shuts down

[eloquence]

Stepping through

Scenario: Client and Journalist Interface both in use

today.

[eloquence]

Scenario: Client and Journalist Interface both in use

Environment details: see #1125 (comment)

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• after valid login to client:
  • the login dialog closes
  • source data is downloaded and source list is populated
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when the JI address is visited in Tor Browser:
  • JI login page is displayed
• after valid login to JI using same account as for client:
  • sources page is displayed, containing the same sources as the client (order may differ)

Sources, replies, submissions

• when a source is starred in the client:
  • the source is also starred in the JI after a page reload
• when a starred source is unstarred in the JI:
  • the source is also unstarred in the client after next sync.
• when a reply is sent to a source via the client:
• the reply is visible in the JI and can be viewed by the source in the Source Interface
• when a reply is sent to a source via the JI:
  • the reply is visible in the source conversation view after next sync
• when the journalist account used to reply is deleted by an admin in the JI:
  • the next sync is successful
  • the reply is visible in the conversation view
  • ❌ the journalist's details are deleted from the client database - see below

Deleted journalist details remain in the client database

The STR I followed are:

1. Create a new user tempuser in the JI.
2. Send a reply to a source as that user via the JI.
3. Wait for the client to pick it up.
4. Check contents of users table via sqlite3 installed into sd-app
5. Shut down the client.
6. Create another reply in the JI.
7. Log out, log in as admin.
8. Delete tempuser
9. Log back into client
10. Wait for sync
11. Check contents of users table via sqlite3 installed into sd-app

In step 4) I am finding the tempuser account as expected. In step 11), I am finding tempuser and a user called deleted. I don't see anything in the logs (at default level).

[eloquence]

Scenario: Client and Journalist Interface both in use (continued)

Environment details: see #1125 (comment)

• when a reply is deleted by a source:
  • ❌ the reply is flagged as having being read in the client -- not implemented yet, see Implement "read by source" receipts for journalist replies #889
• when an individual file submission is deleted in the JI:
  • the submission is no longer listed in the conversation view
  • the submission files are deleted from the client data directory
• when an individual message is deleted in the JI:
  • the message is no longer listed in the conversation view
  • the messages are deleted from the client database
• when a source is deleted in the JI:
  • the source is no longer listed in the client after next sync
  • files associated with the source are no longer present in the client data directory
• when a source is deleted in the client:
  • the source is no longer listed in the JI after a page reload

[eloquence]

Environment details: see #1125 (comment)

To test whether the fix for #1113 works in staging, I followed the original STR, modified as follows:

1. Added 150 new sources using qa_loader.py
2. Deleted two sources between syncs
3. Waited for the next sync

The two sources were deleted as expected within a single sync period. Separately, I also performed lots of deletions while a sync was underway without issues.

[eloquence]

Environment details: see #1125 (comment)

To test whether #975 works in staging, I deleted the database and data directory, and re-synced the client in debug mode with 200+ sources, waiting for several rounds of syncs to complete. I then used these commands to verify that reply and message download jobs were not added to the queue repeatedly:

$ grep "Added ReplyDow" client.log | cut -d "'" -f2 | tee 1.log | uniq > 2.log
$ grep "Added MessageDow" client.log | cut -d "'" -f2 | tee 1.log | uniq > 2.log

The cut command is used to extract the job UUIDs. AS expected, 1.log and 2.log were identical in both cases, meaning that no duplicate jobs were inserted. I verified this by spot-checking the logs and double-checking the behavior of the above command pipeline. I also observed that many DuplicateJob ... skipping lines could be found in the DEBUG level logs, as expected.

[eloquence]

Environment details: see #1125 (comment)

To test whether #1103 is working as expected, I inspected a highly populated client, in online and offline mode, in both 1368x768 and 1280x1024. As expected, the client renders normally at 1368, while the bubbles still overflow slightly in 1280.

[eloquence]

Environment details: see #1125 (comment)

To test whether #1116 was resolved, I performed these steps:

1. Open highly populated client (~250 sources)
2. Delete all data via Journalist Interface
3. Run QA loader to create 250 sources while client is running (with defaults, i.e. 50% with replies)
4. Wait for client to sync and observe that no crash occurs

The client did not crash and renders the same results as the Journalist Interface. However, this process somehow resulted in a bunch of disconnected replies, which the client.log records as follows (128 log lines like this for each sync):

2020-07-14 17:39:17,316 - securedrop_client.storage:318(update_replies) ERROR: No source found for reply e8a87dc1-0b74-4dab-ab6d-82ab01e60f7c

Near as I can tell, this is not a bug in the client (I would expect the logs to no longer appear with 1.5.0, as disconnected replies should no longer be returned by the API per freedomofpress/securedrop#5351), but it could be some broken behavior in the deletion logic or the interaction with QA Loader. My guess is that the QA Loader's lock messed everything up, per the error messages below.

[eloquence]

^ Rebooting the staging server resolved the broken session state above, after which the shredder process happily resumed its unfinished work. The ERROR rate in client.log subsequently decreased until it reached zero.

[rmol]

@eloquence Do you still have that log on the app server? I'm curious what the first exception was.

[eloquence]

@rmol I do. The first error I see in /var/log/syslog is:

Jul 14 16:48:09 sd-staging-app python[856]: 2020-07-14 16:48:09,531 INFO Error purging deleted sources: This Session's transaction has been rolled back due to a previous exception during flush. To begin a new transaction with this Session, first issue Session.rollback(). Original exception was: (sqlite3.OperationalError) database is locked
Jul 14 16:48:09 sd-staging-app python[856]: [SQL: DELETE FROM submissions WHERE submissions.id = ?]
Jul 14 16:48:09 sd-staging-app python[856]: [parameters: (390,)]
Jul 14 16:48:09 sd-staging-app python[856]: (Background on this error at: http://sqlalche.me/e/e3q8)

I think it's as with freedomofpress/securedrop#5278, qa_loader is causing a database lock that interferes with other operations.

[eloquence]

This was completed today. Prod environment updated successfully. Closing.