securedrop-admin --uninstall for staging and prod

[emkll]

Status

Ready for review

Description of Changes

Fixes #483

Testing

Dev environment

• make all and make clean completes without error

Staging (or prod) environment

• Build dom0 rpm on this branch
• dom0 rpm installs correctly
• Configure the instance (config.json and sd-journalist.sec) and run securedrop-admin --apply
• securedrop-admin --uninstall completes without error
• Files are absent from /srv/salt and dom0 packages are uninstalled

Checklist

If you have made code changes

• Linter (make flake8) passes in the development environment (this box may
  be left unchecked, as flake8 also runs in CI)

[conorsch]

Ran through the dev-scenario test plan, looks good. While running make clean, I encountered #477, but that's unrelated to the diff in this PR.

[zenmonkeykstop]

Prod environment:

• Build dom0 rpm on this branch
• dom0 rpm installs correctly
• Configure the instance (config.json and sd-journalist.sec) and run securedrop-admin --apply
  FAILS - sd-whonix can't start. complains about a possible DisableNetwork 1 line in config but the problem seems to actually be that /etc/torrc.d/95_whonix.conf is being included twice, pulling in the same HidServAuth definition from /rw/usrlocal/etc/torrc.d/50_user.conf - fixing this manually and continuing...
• securedrop-admin --uninstall completes without error
• Files are absent from /srv/salt and dom0 packages are uninstalled
  FAILS /srv/salt/sd still present containing config.json and sd-journalist.sec. (qubes-template-securedrop-workstation-buster-noarch package listed as available but not installed.)

[emkll]

Thanks @zenmonkeykstop for the review. Note that the presence of the config and the private key in /srv/salt/sd is expected behaviour (see https://github.com/freedomofpress/securedrop-workstation/pull/489/files#diff-332a99bbf5ab27f1effaf2cf03d411ceR115-R117) . However, it seems like since they will be in /usr/share/securedrop-workstation-config as well, and that the installer will re-copy them in place, it might make sense to delete those with this script. Looking into the Whonix issue you've described right now.

[zenmonkeykstop]

I don't think this will fix it tbh, the duplicate comes in via /etc/tor/torrc, as there's an include there for both /etc/torrc.d/ and /etc/torrc.d/95_whonix.conf, which pulls in 95_whonix.conf twice and thus the user conf twice as well

[emkll]

@zenmonkeykstop I've pushed up two commits and this is now ready for re-review. I have tested it twice and it is working locally for me. I am using v2 onion services in my config. Are you using v3?

Here are my config files in sd-whonix (after running make clean / make all on b6b721a):

user@host:~$ cat /etc/tor/torrc
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf

%include /etc/torrc.d/
user@host:~$ ls /etc/tor
tor/     torrc.d/ 
user@host:~$ ls /etc/torrc.d/
95_whonix.conf
user@host:~$ cat /etc/torrc.d/95_whonix.conf 
## Do not edit this file!
## Please create and add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.conf

#### meta start
#### project Whonix
#### category tor and usability
#### gateway_only yes
#### description

%include /usr/local/etc/torrc.d/

#### meta end
user@host:~$ ls /usr/local/etc/torrc.d/
40_tor_control_panel.conf  50_user.conf  backup
user@host:~$ ls /usr/local/etc/torrc.d/
40_tor_control_panel.conf  50_user.conf  backup
user@host:~$ cat /usr/local/etc/torrc.d/50_user.conf 
# Tor user specific configuration file
#
# Add user modifications below this line:
############################################
### BEGIN securedrop-workstation ###
HidServAuth <something>.onion <hidservauth>
### END securedrop-workstation ###
user@host:~$ cat /usr/local/etc/torrc.d/40_tor_control_panel.conf 
# This file is generated by and should ONLY be used by anon-connection-wizard.
# User configuration should go to /usr/local/etc/torrc.d/50_user.conf, not here. Because:
#    1. This file can be easily overwritten by anon-connection-wizard.
#    2. Even a single character change in this file may cause error.
# However, deleting this file will be fine since a new plain file will be generated the next time you run anon-connection-wizard.
DisableNetwork 0

[zenmonkeykstop]

Yeah I don't think this is related to your change, it could be a difference in the prod install vs make all. Rerunning it now to see if I can duplicate. If so, will run with your changes as well and see if that corrects. If not, it will be a separate prod-only issue.

[zenmonkeykstop]

The torrc error is still there with the updated RPM, so I think it's safe to say it's unrelated.

[conorsch]

Ran through the dev scenario test plan again, this time with v2 Onion Service config in config.json, based on discussion in #491. Good news is, the rc.local hotfix @emkll added appears to do the job.

See also https://github.com/freedomofpress/securedrop-workstation/tree/491-config-tests-for-whonix ; those new tests are all passing for me locally on this branch, but were failing on master with v2 onions. Consider squashing and pulling into this branch if anyone agrees.

[kushaldas]

Worked as expected. Approved from my side.

Dev environment

• make all and make clean completes without error

Staging (or prod) environment

• Build dom0 rpm on this branch
• dom0 rpm installs correctly
• Configure the instance (config.json and sd-journalist.sec) and run securedrop-admin --apply
• securedrop-admin --uninstall completes without error
• Files are absent from /srv/salt and dom0 packages are uninstalled

[kushaldas]

See also https://github.com/freedomofpress/securedrop-workstation/tree/491-config-tests-for-whonix ; those new tests are all passing for me locally on this branch, but were failing on master with v2 onions. Consider squashing and pulling into this branch if anyone agrees.

@conorsch these look good to me, we can bring them here before merging.

[zenmonkeykstop]

In prod, as per #492, Whonix Qubes updates fail after the dom0 rpm uninstalled, as a symlink /srv/salt/_tops/base/sd-workstation.top is not removed.

[conorsch]

Re-confirming that the dev scenario works well, with all tests passing, after the addition of the clean-salt script.

[emkll]

thanks @zenmonkeykstop , good catch on the topfile. I've just retested this on a clean install, the issue should now be fixed, note that there will be some warnings in the standard output of the securedrop-admin command due to files being first deleted by clean-salt, and then by the dom0 package uninstall

[zenmonkeykstop]

Prod install just failed with the following:

Traceback (most recent call last):
  File "/usr/bin/securedrop-admin", line 67, in provision_all
    subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/provision-all")])
  File "/usr/lib64/python3.5/subprocess.py", line 271, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['/usr/share/securedrop-workstation-dom0-config/scripts/provision-all']' returned non-zero exit status 20

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/bin/securedrop-admin", line 151, in <module>
    main()
  File "/usr/bin/securedrop-admin", line 131, in main
    provision_all()
  File "/usr/bin/securedrop-admin", line 69, in provision_all
    raise SDAdminException("Error during provision-all")
__main__.SDAdminException: Error during provision-all

Rerunning it as this could well just be an issue with the state of Qubes (this is no longer a fresh install).

[zenmonkeykstop]

Did prod install:

• Fresh install works (modulo another random qrexec timeout on sd-logs which is unrelated to this change`
• uninstall works, including cleanup
• whonix-* VMs can be upgraded after uninstall.

LGTM!