Apply conditional logic for yum repo

rely on config.json instead of env vars. We can rely on env vars as jinja templates are evaluated before runtime (https://docs.saltstack.com/en/latest/topics/jinja/index.html) Adds production SD release signing key Necessary for the prod logic. We don't have packages hosted in these prod URLs yet. Adds validate check for target config item Determines the "environment", e.g. dev/prod
freedomofpress · Jan 25, 2020 · 17c3ea4 · 17c3ea4
1 parent 824e658
commit 17c3ea4
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 23 deletions.
diff --git a/dom0/fpf-apt-test-repo.sls b/dom0/fpf-apt-test-repo.sls
@@ -9,7 +9,9 @@
 #
 include:
   - update.qubes-vm
-  - sd-default-config
+#  - sd-default-config
+
+{% from 'sd-default-config.sls' import sdvars with context %}
 
 # That's right, we need to install a package in order to
 # configure a repo to install another package

diff --git a/dom0/sd-default-config.sls b/dom0/sd-default-config.sls
@@ -1,23 +1,15 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 
-# DEBUGGING
-{% set sd_env = salt['environ.get']('SECUREDROP_ENV', default='dev') %}
-# See references:
-#
-#   - https://docs.saltstack.com/en/latest/topics/tutorials/states_pt3.html
-#
-
-
-# Example loading taking from Qubes /srv/salt/top.sls
 
 {% load_yaml as sdvars_defaults %}
 {% include "sd-default-config.yml" %}
 {% endload %}
 
+{% import_json "sd/config.json" as d %}
 
-{% if sd_env == "prod" %}
-{% set sdvars = sdvars_defaults['prod'] %}
+{% if d.target == "dev" %}
+  {% set sdvars = sdvars_defaults['dev'] %}
 {% else %}
-{% set sdvars = sdvars_defaults['dev'] %}
+  {% set sdvars = sdvars_defaults['prod'] %}
 {% endif %}
diff --git a/dom0/sd-default-config.yml b/dom0/sd-default-config.yml
@@ -1,10 +1,9 @@
 ---
-securedrop_defaults:
-  prod:
-    dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/f25"
-    apt_repo_url: "https://apt.freedom.press"
-    signing_key_filename: "securedrop-release-signing-pubkey.asc"
-  dev:
-    dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
-    apt_repo_url: "https://apt-test-qubes.freedom.press"
-    signing_key_filename: "apt-test-pubkey.asc"
+prod:
+  dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/f25"
+  apt_repo_url: "https://apt.freedom.press"
+  signing_key_filename: "securedrop-release-signing-pubkey.asc"
+dev:
+  dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
+  apt_repo_url: "https://apt-test-qubes.freedom.press"
+  signing_key_filename: "apt-test-pubkey.asc"
diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls
@@ -5,14 +5,25 @@
 # Installs dom0 config scripts specific to tracking updates
 # over time. These scripts should be ported to an RPM package.
 ##
+# See references:
+#
+#   - https://docs.saltstack.com/en/latest/topics/tutorials/states_pt3.html
+#
+
+
+# Example loading taking from Qubes /srv/salt/top.sls
+
 
 include:
   # Import the upstream Qubes-maintained anon-whonix settings.
   # The anon-whoni config pulls in sys-whonix and sys-firewall,
   # as well as ensures the latest versions of Whonix are installed.
   - qvm.anon-whonix
   # import vars
-  - sd-default-config
+#
+#  - sd-default-config
+
+{% from 'sd-default-config.sls' import sdvars with context %}
 
 
 dom0-rpm-test-key:

diff --git a/scripts/validate-config b/scripts/validate-config
@@ -32,6 +32,7 @@ class SDWConfigValidator(object):
         self.confirm_onion_config_valid()
         self.confirm_submission_privkey_file()
         self.confirm_submission_privkey_fingerprint()
+        self.confirm_environment_valid()
         self.validate_existing_size()
 
     def confirm_config_file_exists(self):
@@ -42,6 +43,14 @@ class SDWConfigValidator(object):
             msg += "Create from config.json.example"
             raise AssertionError(msg)
 
+    def confirm_environment_valid(self):
+        """
+        The 'target' config item is required to determine
+        whether prod or dev URLs are used for installing packages.
+        """
+        assert "target" in self.config
+        assert self.config["target"] in ("prod", "dev")
+
     def confirm_onion_config_valid(self):
         """
         We support both v2 and v3 Onion Services, so if the values

diff --git a/sd-workstation/securedrop-release-signing-pubkey.asc b/sd-workstation/securedrop-release-signing-pubkey.asc
@@ -0,0 +1,43 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFgIrN8BEACnXQFtRVzlePZL/4wfdsAI0FohKj+v17c9U/JNOOwax2DapJe+
+pQ7jZ8G2kUDLTNTMgZLze/gmOJF28olplMi9sLwBynKbN2xOq6MybxE9NLLeE7/y
+ZfMZrgMSwgHW40udRZEEpe9IYKZP2QXLGFOmRiqiQ0HNp9WKFNTfi03Yx3XEUeeZ
+kap9i0+1sktYBrlnUzXUTJHiUjJTEiI9NX23Vey0NtaveJLzdEQmsYQWaMbX4ECD
+Hz+UNRNrjXv303bJgSGBm53tsvQzd6Lyzk4RGOKKifm4A2RRXf6zZCpRmOJUD5dH
+8eLNeNyJpRY13rzcqp6Sk05n/RJOH9QbClzBT4rAbTtDKIKsutGnPxL+8fwKoaut
+xZjcZLNh712nfiMl07rmgD4by0rp8xe29MIUNkjqg01pckfvUXknRhuo7ZmrAphz
+ZZKLSApWXbB32ug5WNoGaQmq+hye1i40zu3fx8MRYefkpSSatNuIbrwLLnq0NR+k
+qXcP1SPgtoy/EnW0oa/NDiT/rSh1PuAjG7oOpiNdQdmnA+xIYGreeNoPtuh7gJRc
+XYrtWI5zzsGwrFE0LMMPw6SVGONfM5M4Efc+oUn3cIn7gQITm31JNTbRpnwT7bMo
+Hy+MrILJITj6Rwi8EGyeTBVolM/L0W3WpjJuj6yhcRZURkBMA01aSUG3yQARAQAB
+tEVTZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXkgPHNlY3VyZWRyb3AtcmVs
+ZWFzZS1rZXlAZnJlZWRvbS5wcmVzcz6JAlQEEwEKAD4CGwMFCwkIBwMFFQoJCAsF
+FgIDAQACHgECF4AWIQQiJFyB47rrQTizYGExD1YSAPStdwUCXRqEkwUJBvMLKgAK
+CRAxD1YSAPStd3YjD/4hT5+Q1ZVobUh9Psuv1XYaHTnqJvVxXjheXns9SGqSsvFC
++2O1RVfse+fKaY9lRaG179toKEOEcoyydCpdInlCkhx8Ny9O+pyiH5TawnaKVpRW
+j/9JJGW+Ceaipr1rawOzuG67MplButBFGmA1jPkeH38wcvep+PIUU5ZJ+aXbdrKT
+uWBwKjzjiF2LMsh9Pnn9XN/T5Ph39WR6utsd/wdbb8xdpq4tivUDWV7W7ztG1No9
+exYfftnn6nLF74dLayhHxESE/yUilxR/XDQxvYbcjNAS9OZVKnkrq8o+8bLBKLV1
+le4168rdyVBxrhLCG3wXaWqO4AaECMHSfZR2Lvb/d1wIyMtEcWbRlDwmTDFOQ1XU
+RCR0coeemYeAzt2hF6/tIrrCGmCKllQNN+JegH2MbXG7SjnCbWwWxAWtccf6L7Ht
+BYDe3RWK0VyMwsHVuTakMKzIoH++e8XnmEKf3JFMz27RcgXRFN1Wo4/iRIq/zM+i
+l/wTfN9l3yzojKmwZQvvICITCkeh/1sEspEkzmg74inJVpTEHQCWQ41c5ugPqjHd
+kvpjxZML4B0+9nN9WQvqhRgmjCKnN+PvYw/mBaEfgA36E8pkcyNwnw+VrFgQyQ1R
+FH0yg6P2Y6zaSKLEHkpjzWaCc3sOA/qMFuTw5aUkPj7Go1DMEV/z/xl6tDlM2bQe
+U2VjdXJlRHJvcCBSZWxlYXNlIFNpZ25pbmcgS2V5iQJXBBMBCgBBAhsDBQsJCAcD
+BRUKCQgLBRYCAwEAAh4BAheABQkG8wsqFiEEIiRcgeO660E4s2BhMQ9WEgD0rXcF
+Al0ah20CGQEACgkQMQ9WEgD0rXcqpA//ZD481Wytd1ZXiXIee8I4ekIGpq0UVJuL
+g8Bh0hhH2LTqIMuMVIVQM7/k/xxHBd+kxpAv/sUhJKrY16XBkGzz7v1Rcl29uWUR
+GSPiLl2OehlT8Ahf60Dv4czhlvBdT3lWtYwM2zciOe4Y5mPwqzEgkrxRD2V9XnmO
+8X3giZyaTDz/iiTQ+WMSvjIgVNGBe38tzoofSCSxNk8KfAWtchZhZgR0ZsYRWlUa
+7dT4Syi0KutEXjRfZFneNPWnqfhQZlxsjw5gzTgV792MPDbZAm/1eziGCvPgX01W
+f2eadxSYuJRLtmOBggwo/vC04MWWQbmYgJfOjL8DDWS17cdfLa8IjUYV8MDStWY6
+PDg1gaA5s3UroFh/nOCipoGvq51iSUF/GYd2OJAUd20SjMR+TQgK3lPuX4hMtVId
+4x/xrkoY4q0MZJmrB6ysbpeHhl/HA+ofwScNtyKL3iQHN6oQ8llBoMuF9xFm4xX8
+fn8WHrd+hD0S8hnBkTJ2ckSqJDxzGFu4+6NBhEWtcigzn9iD7HUWljXAUkEfN39I
+jdgaxjrwE3FagE+RCEbdRXDpHYWlyo91YYqFedcT2v/l73twyFw7p3zYskW8pjRZ
+F0Lqvn7fiOzxNi98tVYHqs4L17BOWFQt8MhQr9f590jtGQ/+ufhAb33/E9JFQXUg
+cIYqWzBX7dw=
+=ZsUE
+-----END PGP PUBLIC KEY BLOCK-----