Merge pull request #489 from freedomofpress/483-clean-staging-and-prod

securedrop-admin --uninstall for staging and prod

Makefile

@@ -77,13 +77,7 @@ sd-log: prep-salt ## Provisions SD logging VM
 	sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template,sd-log state.highstate
 
 clean-salt: assert-dom0 ## Purges SD Salt configuration from dom0
-	@echo "Purging Salt config..."
-	@sudo rm -rf /srv/salt/sd
-	@sudo rm -rf /srv/salt/launcher
-	@sudo find /srv/salt -maxdepth 1 -type f -iname 'fpf*' -delete
-	@sudo find /srv/salt -maxdepth 1 -type f -iname 'sd*' -delete
-	@sudo find /srv/salt -maxdepth 1 -type f -iname 'securedrop*' -delete
-	@sudo find /srv/salt/_tops -lname '/srv/salt/sd-*' -delete
+	@./scripts/clean-salt
 
 prep-salt: assert-dom0 ## Configures Salt layout for SD workstation VMs
 	@./scripts/prep-salt

dom0/sd-clean-all.sls

@@ -28,17 +28,16 @@ dom0-reset-power-management-xfce:
     - runas: {{ gui_user }}
 {% endif %}
 
+# Removes all salt-provisioned files (if these files are also provisioned via
+# RPM, they should be removed as part of remove-dom0-sdw-config-files-dev)
 remove-dom0-sdw-config-files:
   file.absent:
     - names:
-      - /opt/securedrop
       - /etc/yum.repos.d/securedrop-workstation-dom0.repo
       - /usr/bin/securedrop-update
       - /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
       - /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
       - /etc/cron.daily/securedrop-update-cron
-      - /srv/salt/securedrop-update
-      - /srv/salt/update-xfce-settings
       - /usr/share/securedrop/icons
       - /home/{{ gui_user }}/.config/autostart/SDWLogin.desktop
       - /usr/bin/securedrop-login
@@ -47,6 +46,17 @@ remove-dom0-sdw-config-files:
       - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
       - /home/{{ gui_user }}/.securedrop_launcher
 
+# Removes files that are provisioned by the dom0 RPM, only for the development
+# environment, since dnf takes care of those provisioned in the RPM
+{% if d.environment == "dev" %}
+remove-dom0-sdw-config-files-dev:
+  file.absent:
+    - names:
+      - /opt/securedrop
+      - /srv/salt/securedrop-update
+      - /srv/salt/update-xfce-settings
+{% endif %}
+
 sd-cleanup-etc-changes:
   file.replace:
     - names:
@@ -94,4 +104,4 @@ sd-cleanup-rpc-policy-grants:
       - DOTALL
     - repl: ''
     - backup: no
-{% endif %}
+{% endif %}

dom0/sd-whonix-hidserv-key.sls

@@ -6,14 +6,20 @@
 # add hidden service auth key to torrc
 {% if d.hidserv.hostname|length == 22 %}
 sd-whonix-hidserv-key:
-  file.append:
+  file.blockreplace:
     - name: /usr/local/etc/torrc.d/50_user.conf
-    - text: HidServAuth {{ d.hidserv.hostname }} {{ d.hidserv.key }}
+    - append_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: HidServAuth {{ d.hidserv.hostname }} {{ d.hidserv.key }}
 {% else %}
 sd-whonix-hidservv3-directory-path:
-  file.append:
+  file.blockreplace:
     - name: /usr/local/etc/torrc.d/50_user.conf
-    - text: ClientOnionAuthDir /var/lib/tor/keys
+    - append_if_not_found: True
+    - marker_start: "### BEGIN securedrop-workstation ###"
+    - marker_end: "### END securedrop-workstation ###"
+    - content: ClientOnionAuthDir /var/lib/tor/keys
 
 {% set hostname_without_onion = d.hidserv.hostname.split('.')[0] %}
 install-sd-whonix-tor-private-key:

scripts/clean-salt

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Utility script to clean Saltstack config
+# files for the SecureDrop Workstation.
+set -e
+set -u
+set -o pipefail
+
+
+# Hardcoded location of SecureDrop Workstation salt config files
+SDW_SALT_DIR="/srv/salt/sd"
+SALT_DIR="/srv/salt"
+
+echo "Purging Salt config..."
+
+# If SDW Salt config dir already exists, delete all SecureDrop Workstation
+# related Salt files. In production scenarios, most of these will be provisioned
+# by the RPM package, but the top files and configs will not, so we should use a
+# common script to ensure all config is removed.
+
+if [[ ! -d "$SDW_SALT_DIR" ]]; then
+    sudo rm -rf ${SDW_SALT_DIR}
+    sudo rm -rf ${SALT_DIR}/launcher
+    sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'fpf*' -delete
+    sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'sd*' -delete
+    sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'securedrop*' -delete
+    sudo find ${SALT_DIR}/_tops -lname '/srv/salt/sd-*' -delete
+fi

scripts/securedrop-admin.py

@@ -32,6 +32,13 @@ def parse_args():
         action="store_true",
         help="Validate the configuration",
     )
+    parser.add_argument(
+        "--uninstall",
+        default=False,
+        required=False,
+        action="store_true",
+        help="Completely Uninstalls the SecureDrop Workstation",
+    )
     args = parser.parse_args()
 
     return args
@@ -72,6 +79,46 @@ def validate_config(path):
         raise SDAdminException("Error while validating configuration")
 
 
+def perform_uninstall():
+
+    try:
+        subprocess.check_call(
+            ["sudo", "qubesctl", "state.sls", "sd-clean-default-dispvm"]
+        )
+        print("Destroying all VMs")
+        subprocess.check_call(
+            [os.path.join(SCRIPTS_PATH, "scripts/destroy-vm"), "--all"]
+        )
+        subprocess.check_call(
+            [
+                "sudo", "qubesctl", "--skip-dom0", "--targets",
+                "whonix-gw-15", "state.sls", "sd-clean-whonix"
+            ]
+        )
+        print("Reverting dom0 configuration")
+        subprocess.check_call(
+            ["sudo", "qubesctl", "state.sls", "sd-clean-all"]
+        )
+        subprocess.check_call(
+            [os.path.join(SCRIPTS_PATH, "scripts/clean-salt")]
+        )
+        print("Uninstalling Template")
+        subprocess.check_call(
+            ["sudo", "dnf", "-y", "-q", "remove", "qubes-template-securedrop-workstation-buster"]
+        )
+        print("Uninstalling dom0 config package")
+        subprocess.check_call(
+            ["sudo", "dnf", "-y", "-q", "remove", "securedrop-workstation-dom0-config"]
+        )
+    except subprocess.CalledProcessError:
+        raise SDAdminException("Error during uninstall")
+
+    print(
+        "Instance secrets (Journalist Interface token and Submission private key) are still"
+        "present on disk. You can delete them in /usr/share/securedrop-workstation-dom0-config"
+    )
+
+
 def main():
     args = parse_args()
     if args.validate:
@@ -82,6 +129,16 @@ def main():
         validate_config(SCRIPTS_PATH)
         copy_config()
         provision_all()
+    elif args.uninstall:
+        print(
+            "Uninstalling SecureDrop workstation will uninstall all packages and destroy all VMs"
+        )
+        response = input("Are you sure you would want to uninstall (y/N)? ")
+        if response.lower() != 'y':
+            print("Exiting.")
+            sys.exit(0)
+        else:
+            perform_uninstall()
     else:
         sys.exit(0)
 

tests/test_sd_whonix.py

@@ -61,6 +61,19 @@ def test_sd_whonix_repo_enabled(self):
     def test_logging_configured(self):
         self.logging_configured(vmname=True)
 
+    def test_sd_whonix_verify_tor_config(self):
+        self._run("tor --verify-config")
+
+    def test_whonix_torrc(self):
+        """
+        Ensure Whonix-maintained torrc files don't contain duplicate entries.
+        """
+        torrc_contents = self._get_file_contents("/etc/tor/torrc")
+        duplicate_includes = """%include /etc/torrc.d/
+%include /etc/torrc.d/95_whonix.conf"""
+        self.assertFalse(duplicate_includes in torrc_contents,
+                         "Whonix GW torrc contains duplicate %include lines")
+
 
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_Whonix_Tests)