Merge pull request #432 from freedomofpress/406-prod-make-targets

Begins dynamic dev/prod config logic

MANIFEST.in

@@ -1,6 +1,8 @@
 include dom0/*.sls
 include dom0/*.top
 include dom0/*.j2
+include dom0/*.yml
+include dom0/securedrop-admin
 include dom0/securedrop-update
 include dom0/securedrop-login
 include dom0/securedrop-launcher.desktop

Makefile

@@ -6,8 +6,27 @@ ifneq ($(HOST),dom0)
 	exit 1
 endif
 
-## Builds and provisions all VMs required for testing workstation
-all: assert-dom0 validate prep-salt
+all: ## Builds and provisions all VMs required for testing workstation
+	$(MAKE) assert-dom0
+	./scripts/configure-environment --env dev
+	$(MAKE) validate
+	$(MAKE) prep-salt
+	./scripts/provision-all
+
+dev: all ## Builds and provisions all VMs required for testing workstation
+
+prod: ## Configures a PRODUCTION install for pilot use
+	$(MAKE) assert-dom0
+	./scripts/configure-environment --env prod
+	$(MAKE) validate
+	$(MAKE) prep-salt
+	./scripts/provision-all
+
+staging: ## Configures a STAGING install. To be used on test hardware ONLY
+	$(MAKE) assert-dom0
+	./scripts/configure-environment --env staging
+	$(MAKE) validate
+	$(MAKE) prep-salt
 	./scripts/provision-all
 
 dom0-rpm: ## Builds rpm package to be installed on dom0
@@ -67,7 +86,7 @@ clean-salt: assert-dom0 ## Purges SD Salt configuration from dom0
 
 prep-salt: assert-dom0 ## Configures Salt layout for SD workstation VMs
 	@./scripts/prep-salt
-	@./scripts/validate-config
+	@./scripts/validate_config.py
 
 remove-sd-whonix: assert-dom0 ## Destroys SD Whonix VM
 	@./scripts/destroy-vm sd-whonix
@@ -116,7 +135,7 @@ test-gpg: assert-dom0 ## Runs tests for SD GPG functionality
 	python3 -m unittest -v tests.test_gpg
 
 validate: assert-dom0 ## Checks for local requirements in dev env
-	@./scripts/validate-config
+	@./scripts/validate_config.py
 
 .PHONY: flake8
 flake8: ## Lints all Python files with flake8

README.md

@@ -16,8 +16,8 @@ This project aims to improve journalists' experience working with SecureDrop whi
 3. [What's In This Repo?](#whats-in-this-repo)
 2. [Installation](#installation)
    - [Install Qubes](#install-qubes)
-   - [Download, Configure, Copy to `dom0`](#download-configure-copy-to-dom0)
-   - [Provision the VMs](#provision-the-vms)
+   - [Production and Staging Environments](#production-and-staging-environments)
+   - [Developement Environment](#development-environment)
 3. [Development](#development)
    - [Testing](#testing)
    - [Automatic Updates](#automatic-updates)
@@ -117,7 +117,78 @@ qubes-update-gui
 
 Select all VMs marked as **updates available**, then click **Next**. Once all updates have been applied, you're ready to proceed.
 
-### Download, Configure, Copy to `dom0`
+### Production and Staging Environments
+
+** THE STAGING ENVIRONMENT SHOULD NOT BE USED FOR PRODUCTION PURPOSES **
+If would still like to use staging, replace the keys, fingerprint, URLs and `config.json` in the following instructions to their staging-specific values.
+
+#### Download and install securedrop-workstation-dom0-config package
+
+Since `dom0` does not have network access, we will need to download it in a Fedora-based VM. We can use the default Qubes-provisioned `work` VM. If using an AppVM, these changes won't persist reboots (recommended).
+
+In a terminal in `work`, run the following commands:
+
+1. Download the signing key:
+
+```
+# Receive and import the key
+[user@work ~]$ gpg --keyserver hkps://keys.openpgp.org --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
+```
+
+2. Configure the RPM package repository:
+
+```
+[user@work ~]$ gpg --armor --export 22245C81E3BAEB4138B36061310F561200F4AD77 | sudo tee /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+```
+
+Populate `/etc/yum/repos.d/securedrop-temp.repo` with the following contents:
+```
+[securedrop-workstation-temporary]
+gpgcheck=1
+gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+enabled=1
+baseurl=https://yum.securedrop.org/workstation/dom0/f25
+name=SecureDrop Workstation Qubes initial install bootstrap
+```
+
+3. Download the RPM package
+```
+[user@work ~]$ sudo dnf download securedrop-workstation-dom0-config
+```
+
+The RPM file will be downloaded to your current working directory.
+
+4. Transfer and install RPM package in `dom0`
+
+*Understand that [copying data to dom0](https://www.qubes-os.org/doc/copy-from-dom0/#copying-to-dom0) goes against the grain of the Qubes security philosophy, and should only done with trusted code and for very specific purposes. Still, be aware of the risks, especially if you rely on your Qubes installation for other sensitive work.*
+
+In `dom0`, run:
+
+```
+[dom0]$ qvm-run --pass-io work '/home/user/securedrop-workstation-dom0-config-x.y.z-1.fc25.noarch.rpm' > securedrop-workstation.rpm
+sudo dnf install securedrop-workstation.rpm
+```
+
+The provisioning scrips and tools should now be in place, you are now ready to proceed to the workstation configuration step.
+
+#### Configure the Workstation
+
+Your workstation configuration will reside in `/usr/share/securedrop-workstation-dom0-config/` and will contain configuration information specific to your SecureDrop instance:
+
+1. Populate `config.json` with your instance-specific variables. Set `environment` to `staging`
+2. Move your submission private key as `sd-journalist.sec`
+
+#### Provision the VMs
+
+In a terminal in `dom0`, run the following commands:
+
+```
+[dom0]$ securedrop-admin --apply
+```
+
+### Development environment
+
+#### Download, Configure, Copy to `dom0`
 
 Decide on a VM to use for development. We suggest creating a standalone VM called `sd-dev`. Clone this repo to your preferred location on that VM.
 
@@ -154,8 +225,9 @@ Doing so will permit the `sd-dev` AppVM to make RPC calls with the same privileg
 
 **NOTE:** The destination directory on `dom0` is not customizable; it must be `securedrop-workstation` in your home directory.
 
-### Provision the VMs
+#### Provision the VMs
 
+Before provisioning the VMs, ensure your `environment` key is set to `dev` in `config.json`.
 Once the configuration is done and this directory is copied to `dom0`, you must update existing Qubes templates and use `make` to handle all provisioning and configuration by your unprivileged user:
 
 ```

VERSION

@@ -1 +1 @@
-0.1.1
+0.1.2

config.json.example

@@ -4,8 +4,9 @@
     "hostname": "avgfxawdn6c3coe3.onion",
     "key": "Il8Xas7uf6rjtc0LxYwhrx"
   },
+  "environment": "prod",
   "vmsizes": {
-        "sd_app": 10,
-        "sd_log": 5
-      }
+     "sd_app": 10,
+     "sd_log": 5
+  }
 }

dom0/fpf-apt-test-repo.sls

@@ -9,6 +9,9 @@
 #
 include:
   - update.qubes-vm
+#  - sd-default-config
+
+{% from 'sd-default-config.sls' import sdvars with context %}
 
 # That's right, we need to install a package in order to
 # configure a repo to install another package
@@ -23,9 +26,9 @@ install-python-apt-for-repo-config:
 
 configure-apt-test-apt-repo:
   pkgrepo.managed:
-    - name: "deb [arch=amd64] https://apt-test-qubes.freedom.press {{ grains['oscodename'] }} main"
+    - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} main"
     - file: /etc/apt/sources.list.d/securedrop_workstation.list
-    - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+    - key_url: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}"
     - clean_file: True # squash file to ensure there are no duplicates
     - require:
       - pkg: install-python-apt-for-repo-config

dom0/sd-clean-all.sls

@@ -16,6 +16,7 @@ remove-dom0-sdw-config-files:
       - /opt/securedrop
       - /etc/yum.repos.d/securedrop-workstation-dom0.repo
       - /usr/bin/securedrop-update
+      - /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
       - /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
       - /etc/cron.daily/securedrop-update-cron
       - /usr/share/securedrop/icons
@@ -29,8 +30,10 @@ remove-dom0-sdw-config-files:
 sd-cleanup-sys-firewall:
   cmd.run:
     - names:
+      - qvm-run sys-firewall 'sudo rm -f /rw/config/RPM-GPG-KEY-securedrop-workstation'
       - qvm-run sys-firewall 'sudo rm -f /rw/config/RPM-GPG-KEY-securedrop-workstation-test'
       - qvm-run sys-firewall 'sudo rm -f /rw/config/sd-copy-rpm-repo-pubkey.sh'
+      - qvm-run sys-firewall 'sudo rm -f /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation'
       - qvm-run sys-firewall 'sudo rm -f /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test'
       - qvm-run sys-firewall 'sudo perl -pi -E "s#^/rw/config/sd-copy-rpm-repo-pubkey.sh##" /rw/config/rc.local'
 

dom0/sd-default-config.sls

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+##
+# Handles loading of config variables, via environment-specific
+# setting in the config file.
+
+# Load YAML vars file
+{% load_yaml as sdvars_defaults %}
+{% include "sd-default-config.yml" %}
+{% endload %}
+
+# Load JSON config file
+{% import_json "sd/config.json" as d %}
+
+# Respect "dev" env if provided, default to "prod"
+{% if d.environment == "dev" or d.environment == "staging" %}
+  {% set sdvars = sdvars_defaults["dev"] %}
+{% else %}
+  {% set sdvars = sdvars_defaults["prod"] %}
+{% endif %}

dom0/sd-default-config.yml

@@ -0,0 +1,11 @@
+---
+# Production variables, for use with real-world installs
+prod:
+  dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/f25"
+  apt_repo_url: "https://apt.freedom.press"
+  signing_key_filename: "securedrop-release-signing-pubkey.asc"
+# Development variables, suited for use during local development
+dev:
+  dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
+  apt_repo_url: "https://apt-test.freedom.press"
+  signing_key_filename: "apt-test-pubkey.asc"

dom0/sd-dom0-files.sls

@@ -12,21 +12,24 @@ include:
   # as well as ensures the latest versions of Whonix are installed.
   - qvm.anon-whonix
 
+# Imports "sdvars" for environment config
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 dom0-rpm-test-key:
   file.managed:
     # We write the pubkey to the repos config location, because the repos
     # config location is automatically sent to dom0's UpdateVM. Otherwise,
     # we must place the GPG key inside the fedora-30 TemplateVM, then
     # restart sys-firewall.
-    - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
-    - source: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+    - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+    - source: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}"
     - user: root
     - group: root
     - mode: 644
 
 dom0-rpm-test-key-import:
   cmd.run:
-    - name: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
+    - name: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
     - require:
       - file: dom0-rpm-test-key
 
@@ -42,9 +45,9 @@ dom0-workstation-rpm-repo:
     - contents: |
         [securedrop-workstation-dom0]
         gpgcheck=1
-        gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
+        gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
         enabled=1
-        baseurl=https://yum-test.securedrop.org/workstation/dom0/f25
+        baseurl={{ sdvars.dom0_yum_repo_url }}
         name=SecureDrop Workstation Qubes dom0 repo
     - require:
       - file: dom0-rpm-test-key
@@ -192,3 +195,21 @@ dom0-securedrop-launcher-desktop-shortcut:
     - user: {{ gui_user }}
     - group: {{ gui_user }}
     - mode: 755
+
+{% import_json "sd/config.json" as d %}
+{% if d.environment == "dev" %}
+dom0-remove-securedrop-workstation-dom0-config:
+  pkg.removed:
+    - pkgs:
+      - securedrop-workstation-dom0-config
+
+{% else %}
+
+dom0-install-securedrop-workstation-dom0-config:
+  pkg.installed:
+    - pkgs:
+      - securedrop-workstation-dom0-config
+    - require:
+      - file: dom0-workstation-rpm-repo
+
+{% endif %}

dom0/sd-sys-firewall-files.sls

@@ -1,10 +1,13 @@
 # -*- coding: utf-8 -*-
 # vim: set syntax=yaml ts=2 sw=2 sts=2 et :
 #
+
+{% from 'sd-default-config.sls' import sdvars with context %}
+
 sys-firewall-rpm-test-key:
   file.managed:
-    - name: /rw/config/RPM-GPG-KEY-securedrop-workstation-test
-    - source: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+    - name: /rw/config/RPM-GPG-KEY-securedrop-workstation
+    - source: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}"
     - user: root
     - group: root
     - mode: 644

rpm-build/SPECS/securedrop-workstation-dom0-config.spec

@@ -1,12 +1,12 @@
 Name:		securedrop-workstation-dom0-config
-Version:	0.1.1
+Version:	0.1.2
 Release:	1%{?dist}
 Summary:	SecureDrop Workstation
 
 Group:		Library
 License:	GPLv3+
 URL:		https://github.com/freedomofpress/securedrop-workstation
-Source0:	securedrop-workstation-dom0-config-0.1.1.tar.gz
+Source0:	securedrop-workstation-dom0-config-0.1.2.tar.gz
 
 BuildArch:      noarch
 BuildRequires:	python3-setuptools
@@ -46,12 +46,14 @@ install -m 755 -d %{buildroot}/srv/salt/sd/usb-autoattach
 install -m 644 dom0/*.sls %{buildroot}/srv/salt/
 install -m 644 dom0/*.top %{buildroot}/srv/salt/
 install -m 644 dom0/*.j2 %{buildroot}/srv/salt/
+install -m 644 dom0/*.yml %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-update %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/
 install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/
 install -m 655 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/
 # The next file should get installed via RPM not via salt
 install -m 755 dom0/securedrop-update %{buildroot}/srv/salt/securedrop-update
+install -m 755 scripts/securedrop-admin.py %{buildroot}/%{_bindir}/securedrop-admin
 install -m 644 sd-app/* %{buildroot}/srv/salt/sd/sd-app/
 install -m 644 sd-proxy/* %{buildroot}/srv/salt/sd/sd-proxy/
 install -m 644 sd-whonix/* %{buildroot}/srv/salt/sd/sd-whonix/
@@ -68,6 +70,7 @@ install -m 644 launcher/sdw_updater_gui/*.py %{buildroot}/opt/securedrop/launche
 %{python3_sitelib}/securedrop_workstation_dom0_config*
 %{_datadir}/%{name}
 %{_bindir}/securedrop-update
+%{_bindir}/securedrop-admin
 /srv/salt/sd*
 /srv/salt/dom0-xfce-desktop-file.j2
 /srv/salt/securedrop-*
@@ -81,6 +84,9 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \
     | xargs qubesctl top.enable > /dev/null
 
 %changelog
+* Mon Feb 03 2020 Mickael E. <[email protected]> - 0.1.2
+- Provides dev/staging/prod split logic.
+
 * Fri Jan 10 2020 redshiftzero <[email protected]> - 0.1.1
 - First alpha release.