Rebase on latest master and fixes:

* Use securedrop-workstation as template for sd-export-template
* Fix race when copying files to usb key
* Add cryptsetup to sd-export-template

dom0/sd-export-files.sls

@@ -11,6 +11,11 @@
 include:
   - fpf-apt-test-repo
 
+sd-export-template-install-cryptsetup:
+  pkg.installed:
+    - pkgs:
+      - cryptsetup
+
 sd-export-send-to-usb-script:
   file.managed:
     - name: /usr/bin/send-to-usb

dom0/sd-export.sls

@@ -12,8 +12,8 @@ sd-export-template:
   qvm.vm:
     - name: sd-export-template
     - clone:
-      - source: sd-workstation-template
-      - label: yellow
+      - source: securedrop-workstation
+      - label: red
     - tags:
       - add:
         - sd-workstation
@@ -25,7 +25,7 @@ sd-export-usb-dvm:
     - name: sd-export-usb-dvm
     - present:
       - template: sd-export-template
-      - label: yellow
+      - label: red
     - prefs:
       - netvm: ""
       - template_for_dispvms: True
@@ -55,6 +55,8 @@ sd-export-template-sync-appmenus:
 create-named-sd-export-dispvm-and-permanently-attach:
   cmd.run:
     - name: >
+        qvm-kill sd-export-usb || true;
         qvm-remove --force sd-export-usb || true;
         qvm-create --class DispVM --template sd-export-usb-dvm --label red sd-export-usb;
         qvm-usb attach --persistent sd-export-usb {{ d.usb.device }} || true;
+        qvm-tags sd-export-usb add sd-workstation

scripts/list-vms

@@ -6,6 +6,8 @@ set -u
 set -o pipefail
 
 
+# When adding new VMs, ensure the template is listed *after* the AppVMs that
+# use it.
 declare -a sd_workstation_vm_names=(
   sd-gpg
   sd-proxy
@@ -16,9 +18,9 @@ declare -a sd_workstation_vm_names=(
   sd-whonix
   sd-svs-disp
   sd-svs-disp-template
-  sd-export-template
   sd-export-usb-dvm
   sd-export-usb
+  sd-export-template
 )
 
 for vm in "${sd_workstation_vm_names[@]}" ; do

sd-export/send-to-usb

@@ -3,7 +3,6 @@
 import datetime
 import json
 import os
-import shutil
 import subprocess
 import sys
 import tarfile
@@ -83,16 +82,15 @@ if os.path.exists(FILE):
         target_folder_path = os.path.join(MOUNTPOINT, target_folder)
         subprocess.check_call(["mkdir", target_folder_path])
         export_data = os.path.join(tmpdir, folder_name, "export_data/")
-        shutil.move(export_data, target_folder_path)
+        subprocess.check_call(["cp", "-r", export_data, target_folder_path])
 
         # sync the filesystem, unmount drive and lock the luks volume
         # we use call here to ensure they are blocking and avoid races
         subprocess.check_call(["sync"])
         subprocess.check_call(["sudo", "umount", MOUNTPOINT])
         subprocess.check_call(["sudo", "cryptsetup", "luksClose", ENCRYPTED_DEVICE])
-        # race condition when using shutils
         subprocess.check_call(["rm", "-rf", tmpdir])
-    except (subprocess.CalledProcessError, os.OSError) as e:
+    except (subprocess.CalledProcessError, OSError) as e:
         print("An error occurred while mounting disk or copying files to disk:")
         print(e.output)
         sys.exit(0)

tests/test_sd_export.py

@@ -17,6 +17,9 @@ def test_files_are_properly_copied(self):
         self.assertFilesMatch("/usr/share/mime/packages/application-x-sd-export.xml", # noqa
                               "sd-export/application-x-sd-export.xml")
 
+    def test_sd_export_package_installed(self):
+        self.assertTrue(self._package_is_installed("cryptsetup"))
+
 
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_Export_Tests)