Merge pull request #355 from freedomofpress/341-updates-sd-svs-disp-o…

…n-login Updates sd-svs-disp-template on XFCE login
freedomofpress · Dec 3, 2019 · e7e3ecf · e7e3ecf
2 parents ef7f86f + 296aa80
commit e7e3ecf
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 0 deletions.
diff --git a/dom0/dom0-xfce-desktop-file.j2 b/dom0/dom0-xfce-desktop-file.j2
@@ -0,0 +1,11 @@
+[Desktop Entry]
+Encoding=UTF-8
+Version=0.9.4
+Type=Application
+Name={{ desktop_name }}
+Comment={{ desktop_comment }}
+Exec={{ desktop_exec }}
+OnlyShowIn=XFCE;
+StartupNotify=false
+Terminal=false
+Hidden=false
diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls
@@ -5,6 +5,8 @@ set-fedora-as-default-dispvm:
   cmd.run:
     - name: qubes-prefs default_dispvm fedora-30-dvm
 
+{% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
+
 remove-dom0-sdw-config-files:
   file.absent:
     - names:
@@ -14,6 +16,8 @@ remove-dom0-sdw-config-files:
       - /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
       - /etc/cron.daily/securedrop-update-cron
       - /usr/share/securedrop/icons
+      - /home/{{ gui_user }}/.config/autostart/SDWLogin.desktop
+      - /usr/bin/securedrop-login
 
 sd-cleanup-sys-firewall:
   cmd.run:

diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls
@@ -160,3 +160,36 @@ dom0-whonix-ws-14-install-python-futures:
     - require:
       - file: dom0-create-opt-securedrop-directory
       - cmd: dom0-whonix-ws-disable-apt-list
+
+{% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
+
+dom0-login-autostart-directory:
+  file.directory:
+    - name: /home/{{ gui_user }}/.config/autostart
+    - user: {{ gui_user }}
+    - group: {{ gui_user }}
+    - mode: 700
+    - makedirs: True
+
+dom0-login-autostart-desktop-file:
+  file.managed:
+    - name: /home/{{ gui_user }}/.config/autostart/SDWLogin.desktop
+    - source: "salt://dom0-xfce-desktop-file.j2"
+    - template: jinja
+    - context:
+        desktop_name: SDWLogin
+        desktop_comment: Updates SecureDrop Workstation DispVMs at login
+        desktop_exec: /usr/bin/securedrop-login
+    - user: {{ gui_user }}
+    - group: {{ gui_user }}
+    - mode: 664
+    - require:
+      - file: dom0-login-autostart-directory
+
+dom0-login-autostart-script:
+  file.managed:
+    - name: /usr/bin/securedrop-login
+    - source: "salt://securedrop-login"
+    - user: root
+    - group: root
+    - mode: 755
diff --git a/dom0/securedrop-login b/dom0/securedrop-login
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+"""
+Utility script for SecureDrop Workstation config. Updates the TemplateVM
+used for SDW DispVMs by installing all available apt packages.
+
+The update process is intended to run at XFCE login, via a desktop file.
+"""
+import os
+import subprocess
+import logging
+import time
+import sys
+
+import qubesadmin
+
+
+SCRIPT_NAME = os.path.basename(__file__)
+logger = logging.getLogger(SCRIPT_NAME)
+logging.basicConfig(level=logging.INFO)
+
+
+SDW_DISPVM_TEMPLATE = "sd-svs-disp-template"
+
+
+if __name__ == "__main__":
+    # Wait for the dom0 GUI widgets to load
+    # If we don't wait, a "Houston, we have a problem..." message is displayed
+    # to the user.
+    time.sleep(5)
+
+    # Ensure target VM exists
+    q = qubesadmin.Qubes()
+    if SDW_DISPVM_TEMPLATE not in q.domains:
+        # Log message isn't logged to syslog, only stderr
+        logger.error("VM does not exist: {}".format(SDW_DISPVM_TEMPLATE))
+        sys.exit(1)
+
+    cmd = [
+        "sudo",
+        "qubesctl",
+        "--skip-dom0",
+        "--targets",
+        SDW_DISPVM_TEMPLATE,
+        "state.sls",
+        "update.qubes-vm",
+    ]
+    subprocess.check_call(cmd)