Merge pull request #263 from freedomofpress/svs_disp_libre

Fixes #205 installs libreoffice in svs disp
freedomofpress · Jun 7, 2019 · b49c5f2 · b49c5f2
2 parents 7729205 + 5b548ad
commit b49c5f2
Show file tree

Hide file tree

Showing 9 changed files with 64 additions and 10 deletions.
diff --git a/dom0/sd-export.sls b/dom0/sd-export.sls
@@ -32,6 +32,9 @@ sd-export-usb-dvm:
     - tags:
       - add:
         - sd-workstation
+    - features:
+      - enable:
+        - service.paxctld
     - require:
       - qvm: sd-export-template
 

diff --git a/dom0/sd-svs-disp-files.sls b/dom0/sd-svs-disp-files.sls
@@ -19,3 +19,11 @@ sd-svs-disp-install-mimetype-handler-package:
       - securedrop-workstation-svs-disp
     - require:
       - sls: fpf-apt-test-repo
+
+sd-svs-disp-install-libreoffice:
+  pkg.installed:
+    - name: libreoffice
+    - retry:
+        attempts: 3
+        interval: 60
+    - install_recommends: False
diff --git a/dom0/sd-svs-disp.sls b/dom0/sd-svs-disp.sls
@@ -36,5 +36,8 @@ sd-svs-disp:
       - add:
         - sd-workstation
         - sd-svs-disp-vm
+    - features:
+      - enable:
+        - service.paxctld
     - require:
       - qvm: sd-svs-disp-template
diff --git a/dom0/sd-svs.sls b/dom0/sd-svs.sls
@@ -34,6 +34,9 @@ sd-svs:
     - tags:
       - add:
         - sd-workstation
+    - features:
+      - enable:
+        - service.paxctld
     - require:
       - qvm: sd-svs-template
 

diff --git a/dom0/sd-workstation-template-files.sls b/dom0/sd-workstation-template-files.sls
@@ -10,3 +10,13 @@ sd-workstation-template-install-kernel-config-packages:
       - securedrop-workstation-grsec
     - require:
       - sls: fpf-apt-test-repo
+
+# Ensure that paxctld starts immediately. For AppVMs,
+# use qvm.features.enabled = ["paxctld"] to ensure service start.
+sd-workstation-template-enable-paxctld:
+  service.running:
+    - name: paxctld
+    - enable: True
+    - reload: True
+    - require:
+      - pkg: sd-workstation-template-install-kernel-config-packages
diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls
@@ -14,5 +14,8 @@ sd-workstation-template:
     - tags:
       - add:
         - sd-workstation
+    - features:
+      - enable:
+        - service.paxctld
     - require:
       - pkg: dom0-install-securedrop-workstation-template
diff --git a/tests/test_svs.py b/tests/test_svs.py
@@ -27,16 +27,6 @@ def test_sd_client_package_installed(self):
         self.assertTrue(self._package_is_installed("securedrop-client"))
 
 
-class SD_SVS_Disp_Tests(SD_VM_Local_Test):
-    def setUp(self):
-        self.vm_name = "sd-svs-disp"
-        super(SD_SVS_Disp_Tests, self).setUp()
-
-    def test_sd_client_package_installed(self):
-        pkg = "securedrop-workstation-svs-disp"
-        self.assertTrue(self._package_is_installed(pkg))
-
-
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Tests)
     return suite
diff --git a/tests/test_svs_disp.py b/tests/test_svs_disp.py
@@ -0,0 +1,21 @@
+import unittest
+
+from base import SD_VM_Local_Test
+
+
+class SD_SVS_Disp_Tests(SD_VM_Local_Test):
+    def setUp(self):
+        self.vm_name = "sd-svs-disp"
+        super(SD_SVS_Disp_Tests, self).setUp()
+
+    def test_sd_svs_disp_config_package_installed(self):
+        pkg = "securedrop-workstation-svs-disp"
+        self.assertTrue(self._package_is_installed(pkg))
+
+    def test_sd_svs_disp_libreoffice_installed(self):
+        self.assertTrue(self._package_is_installed("libreoffice"))
+
+
+def load_tests(loader, tests, pattern):
+    suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Disp_Tests)
+    return suite
diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py
@@ -33,6 +33,16 @@ def _check_kernel(self, vm):
         assert kernel_version.endswith("-grsec")
         assert kernel_version == EXPECTED_KERNEL_VERSION
 
+    def _check_service_running(self, vm, service):
+        """
+        Ensures a given service is running inside a given VM.
+        Uses systemctl is-active to query the service state.
+        """
+        cmd = "systemctl is-active {}".format(service)
+        stdout, stderr = vm.run(cmd)
+        service_status = stdout.decode("utf-8").rstrip()
+        assert service_status == "active"
+
     def test_sd_whonix_config(self):
         vm = self.app.domains["sd-whonix"]
         nvm = vm.netvm
@@ -65,6 +75,7 @@ def test_sd_svs_config(self):
         self.assertFalse(vm.provides_network)
         self.assertFalse(vm.template_for_dispvms)
         self._check_kernel(vm)
+        self._check_service_running(vm, "paxctld")
         self.assertTrue('sd-workstation' in vm.tags)
 
     def test_sd_svs_disp_config(self):
@@ -75,6 +86,7 @@ def test_sd_svs_disp_config(self):
         self.assertFalse(vm.provides_network)
         self.assertTrue(vm.template_for_dispvms)
         self._check_kernel(vm)
+        self._check_service_running(vm, "paxctld")
         self.assertTrue('sd-workstation' in vm.tags)
 
     def test_sd_gpg_config(self):
@@ -97,6 +109,7 @@ def test_sd_workstation_template(self):
         self.assertTrue(vm.kernel == "")
         self.assertTrue('sd-workstation' in vm.tags)
         self._check_kernel(vm)
+        self._check_service_running(vm, "paxctld")
 
     def test_sd_proxy_template(self):
         vm = self.app.domains["sd-proxy-template"]