Support VeraCrypt export devices

[rocodes]

Refs freedomofpress/securedrop-workstation#265

• Add basic detection/of already-unlocked veracrypt drives (Releasing these changes will deprecate the legacy files and should be done in coordination with corresponding client changes)
• Closes [securedrop-export] combine usb-test and disk-test into a single disk-test securedrop-client#1733: Update "preflight check" logic to combine usb preflight checks (disk-test and usb-test). This has other benefits, such as allowing for detection of already-unlocked drives rather than re-prompting for the passphrase.
• Note: in order to accommodate different filesystems that could be inside Veracrypt containers re:mounting permissions, this PR introduces a change from using sudo mount to using disksctl to handle mounting and unmounting. However, I'd appreciate a review re: file system mounting permissions and if we're OK with the changes. It looks like its possible to configure additional restrictions (eg fmask/dmask) and mount options in a configuration file. (see https://wiki.archlinux.org/title/Udisks#Mount_to_/media_(udisks2))
• Another note: I have WIP work that would simplify a lot of the code and logic in sd-export, and would also bring a few other benefits (For example, being able to support multi-partitioned drives as long as they have one correctly-formatted encrypted partition). Here it is.

Test Plan

• Provision 2 export USBs: one one-partition USB with LUKS, and one one-partition USB with Veracrypt. Veracrypt provisioning instructions here.
• The most basic test plan would be to just build a .deb from the tip of this branch, install it in any Debian-based VM, and experiment with running send-to-usb /path/to/export/tarball.sd_export (with a USB plugged in, unplugged, etc). The script should always exit 0 and should always print a string result to stdout. There are minimal sample tarballs included in securedrop_export/tests/files for convenience.
• This doesn't test inter-VM communications, but starting with that test plan and ensuring results are as expected should allow for testing in conjunction with sd-app (test plan covers multi-vm testing).

Expected results

• No USBs connected: NO_DEVICE_DETECTED
• > 1 USBs connected: MULTI_DEVICE_DETECTED
• Unsupported device connected (could be: device has 2 or more partitions, device has unrecognized encryption scheme, device is a locked VeraCrypt drive, which we won't support for now due to difficulty with error handling, or malformed device): INVALID_DEVICE_DETECTED
• 1 LUKS-formatted USB connected and it's locked: DEVICE_LOCKED
• 1 LUKS-formatted device (partition or whole device encrypted) connected and it's unlocked: DEVICE_WRITABLE (and device will be mounted in /media/user), or SUCCESS_EXPORT (depending on the command in metadata.json).
• 1 Veracrypt-formatted device (parition or whole device encrypted) and it's unlocked: same as above
• Other error statuses are fairly self explanatory (ERROR_MOUNT, ERROR_CLEANUP, etc)

[cfm]

Per handoff today: @legoktm will finalize tests next week, and I will review the week following.

[legoktm]

CI is passing! Flipping to ready for review now :)

[legoktm]

Need to change the line above that says "We do not yet support drives that use full-disk encryption with VeraCrypt." ;-)

[cfm]

This is looking good. I've left a few observations and nits inline, plus these questions:

This feels very state-mechanistic especially now that there is varying precision in what we can know about LUKS versus VeraCrypt volumes. We don't have to worry about that here, since send-to-usb is a one-shot action at a particular time, but I'll raise this again in securedrop-client.

Re: #126 (comment):

in order to accommodate different filesystems that could be inside Veracrypt containers re:mounting permissions, this PR introduces a change from using sudo mount to using disksctl to handle mounting and unmounting. However, I'd appreciate a review re: file system mounting permissions and if we're OK with the changes.

I'd like to understand better (before releasing if not as part of reviewing this feature) what you view as the changes in permissions and your concerns about them. For a LUKS volume, at least, the permissions appear unchanged:

user@sd-app:~/QubesIncoming/sd-dev$ ls -al /media/user/
total 12
drwxr-x---+  3 root root 4096 Dec 13 15:48  .
drwxr-xr-x   3 root root 4096 Dec 13 11:54  ..
drwx------  24 user user 4096 Dec 13 15:05 'QA export_transf'

And losing sudo to un/mount devices seems at face value like a good thing, even if sudo is a passwordless operation in a Qubes VM anyway.

Test plan

1. With device: "disk-test": No USBs connected: NO_DEVICE_DETECTED

2. With device: "disk-test": > 1 USBs connected: MULTI_DEVICE_DETECTED

3. With device: "disk-test": Unsupported device connected (could be: device has 2 or more partitions, device has unrecognized encryption scheme, device is a locked VeraCrypt drive, which we won't support for now due to difficulty with error handling, or malformed device): INVALID_DEVICE_DETECTED

No: UNKNOWN_DEVICE_DETECTED (see case [7] below).

5. With device: "disk-test": 1 LUKS-formatted USB connected and it's locked: DEVICE_LOCKED

6. With device: "disk-test": 1 LUKS-formatted device (partition or whole device encrypted) connected and it's unlocked: DEVICE_WRITABLE (and device will be mounted in /media/user), or SUCCESS_EXPORT (depending on the command in metadata.json).

7. With device: "disk":

user@sd-app:~/QubesIncoming/sd-dev$ lsblk /dev/sda
NAME           MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINT
sda              8:0    1 14.3G  0 disk  
└─sda1           8:1    1 14.3G  0 part  
  └─luks-e538abe0-cd9e-4eab-b1d5-fb652acc235b
               254:0    0 14.3G  0 crypt /media/user/QA export_transf
user@sd-app:~/QubesIncoming/sd-dev$ send-to-usb sample_export.sd_export.cfm
Usage:
  udisksctl unmount [OPTION…]

Unmount a filesystem.

Options:
  -p, --object-path         Object to unmount
  -b, --block-device        Block device to unmount
  -f, --force               Force/lazy unmount
  --no-user-interaction     Do not authenticate the user if needed

DEVICE_ERROR

Fix proposed in #126 (comment).

8. 1 Veracrypt-formatted device (parition or whole device encrypted) and it's unlocked: same as above

We shouldn't assume a single partition will be /sdX1:

user@sd-app:~/QubesIncoming/sd-dev$ lsblk
NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda       8:0    1 14.3G  0 disk 
└─sda2    8:2    1 14.1G  0 part 
xvda    202:0    0   10G  0 disk 
├─xvda1 202:1    0  200M  0 part 
├─xvda2 202:2    0    2M  0 part 
└─xvda3 202:3    0  9.8G  0 part /
xvdb    202:16   0   10G  0 disk /rw
xvdc    202:32   0   10G  0 disk 
├─xvdc1 202:33   0    1G  0 part [SWAP]
└─xvdc3 202:35   0    9G  0 part 
user@sd-app:~/QubesIncoming/sd-dev$ send-to-usb sample_export.sd_export
Device /dev/sda1 does not exist or access denied.
UNKNOWN_DEVICE_DETECTED

(Will this also be eased by rocodes#1?)

9. Other error statuses are fairly self explanatory (ERROR_MOUNT, ERROR_CLEANUP, etc)

[cfm]

(@legoktm, I will resubmit this review in securedrop-client once this pull request gets migrated there.)

[cfm]

Review copied to freedomofpress/securedrop-client#1669 (review).