From 7c4f7f91144f826a37e89049b423e0b7bc73127f Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Wed, 9 Sep 2020 22:27:18 -0400 Subject: [PATCH 01/18] initial stab at small/large templates --- Makefile | 4 ++++ dom0/sd-templates.sls | 39 +++++++++++++++++++++++++++++++++++++++ dom0/sd-workstation.top | 9 +++++++++ 3 files changed, 52 insertions(+) create mode 100644 dom0/sd-templates.sls diff --git a/Makefile b/Makefile index ad05f3a0..d88f8d23 100644 --- a/Makefile +++ b/Makefile @@ -46,6 +46,10 @@ sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs sudo qubesctl --show-output state.sls sd-workstation-buster-template sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template state.highstate +sd-consolidated-templates: prep-dev ## Provisions consolidated templates for SDW AppVMs + sudo qubesctl --show-output state.sls sd-templates + sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-large-buster-template state.highstate + sd-proxy: prep-dev ## Provisions SD Proxy VM sudo qubesctl --show-output state.sls sd-proxy sudo qubesctl --show-output --skip-dom0 --targets sd-proxy-buster-template,sd-proxy state.highstate diff --git a/dom0/sd-templates.sls b/dom0/sd-templates.sls new file mode 100644 index 00000000..938500eb --- /dev/null +++ b/dom0/sd-templates.sls 
@@ -0,0 +1,39 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : + +# +# Installs consolidated templateVMs: +# - sd-small-buster-template, to be used for +# sd-app, sd-gpg, sd-log, and sd-proxy +# - sd-large-buster-template, to be used for +# sd-export and sd-viewer +## +include: + - sd-workstation-template + - sd-upgrade-templates + +sd-small-buster-template: + qvm.vm: + - name: sd-small-buster-template + - clone: + - source: securedrop-workstation-buster + - label: red + - tags: + - add: + - sd-workstation + - require: + - sls: sd-workstation-template + + +sd-large-buster-template: + qvm.vm: + - name: sd-large-buster-template + - clone: + - source: securedrop-workstation-buster + - label: red + - tags: + - add: + - sd-workstation + - require: + - sls: sd-workstation-template + diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top index b8c6d2ac..3042104f 100644 --- a/dom0/sd-workstation.top +++ b/dom0/sd-workstation.top @@ -11,6 +11,7 @@ base: - sd-upgrade-templates - sd-dom0-qvm-rpc - sd-sys-whonix-vms + - sd-templates - sd-log - sd-devices - sd-gpg @@ -20,6 +21,14 @@ base: - sd-whonix - sd-remove-unused-templates + sd-small-buster-template: + - sd-logging-setup + - sd-proxy-template-files + - sd-app-files + sd-large-buster-template: + - sd-logging-setup + - sd-devices-files + - sd-viewer-files sd-log-buster-template: - sd-logging-setup sd-devices-buster-template: From 0bd7493ad97f8fa77d9f067d6de0b63efafffbee Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Thu, 10 Sep 2020 11:38:08 -0400 Subject: [PATCH 02/18] moved template package installs to their own state files --- dom0/sd-large-template-files.sls | 31 +++++++++++++++++++++++++++++++ dom0/sd-logging-setup.sls | 2 +- dom0/sd-small-template-files.sls | 22 ++++++++++++++++++++++ dom0/sd-workstation.top | 6 ++---- 4 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 dom0/sd-large-template-files.sls create mode 100644 dom0/sd-small-template-files.sls 
diff --git a/dom0/sd-large-template-files.sls b/dom0/sd-large-template-files.sls new file mode 100644 index 00000000..45cf83de --- /dev/null +++ b/dom0/sd-large-template-files.sls @@ -0,0 +1,31 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : + +## +# sd-large-template-files +# ======== +# +# Installs packages on large template (used by sd-devices, sd-viewer) +# +## +include: + - fpf-apt-test-repo + - sd-logging-setup + +# FPF repo is setup in "securedrop-workstation" template +install-large-template-securedrop-packages: + pkg.installed: + - pkgs: + - securedrop-workstation-svs-disp + - evince + - securedrop-export + - require: + - sls: fpf-apt-test-repo + +install-libreoffice: + pkg.installed: + - name: libreoffice + - retry: + attempts: 3 + interval: 60 + - install_recommends: False diff --git a/dom0/sd-logging-setup.sls b/dom0/sd-logging-setup.sls index 1be9fe30..0c4f5790 100644 --- a/dom0/sd-logging-setup.sls +++ b/dom0/sd-logging-setup.sls @@ -14,7 +14,7 @@ install-securedrop-log-package: - sls: fpf-apt-test-repo {% endif %} -{% if grains['id'] == "sd-log-buster-template" %} +{% if grains['id'] in ["sd-log-buster-template", "sd-small-buster-template"] %} install-redis-for-sd-log-template: pkg.installed: - pkgs: diff --git a/dom0/sd-small-template-files.sls b/dom0/sd-small-template-files.sls new file mode 100644 index 00000000..e4714ecf --- /dev/null +++ b/dom0/sd-small-template-files.sls @@ -0,0 +1,22 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : + +## +# sd-small-template-files +# ======== +# +# Installs packages on small template (used by sd-app, sd-gpg, sd-log, sd-proxy) +# +## +include: + - fpf-apt-test-repo + - sd-logging-setup + +# FPF repo is setup in "securedrop-workstation" template +install-small-template-securedrop-packages: + pkg.installed: + - pkgs: + - securedrop-client + - securedrop-proxy + - require: + - sls: fpf-apt-test-repo 
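Review bot: In the new sd-large-template-files.sls, `securedrop-export` is installed into a template that the header comment says also backs sd-viewer, so the document-viewing VM now carries the export tooling alongside evince and libreoffice. Package presence in a shared template does not by itself grant a capability, but the header should state that explicitly so nobody later reads the package list as what a given VM is allowed to do; something like `# Everything listed here lands in every VM based on this template (sd-devices and sd-viewer); per-VM access is granted in the VM states, not here.` The comment `# FPF repo is setup in "securedrop-workstation" template` also sits directly above a state that both includes and requires `fpf-apt-test-repo`, which contradicts it; reword the comment or drop the include so the two agree.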
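Review bot: The widened condition `{% if grains['id'] in ["sd-log-buster-template", "sd-small-buster-template"] %}` installs redis into the shared small template, which per this series also backs sd-app and sd-proxy, so those VMs now carry a listening daemon's package they never needed. sd-log opts in through the `service.redis` qubes-service in its own state, so this is only safe if the redis unit is not enabled unconditionally by the package on install in the template — nothing in this hunk verifies that, and Debian packages commonly enable their unit in postinst. Either add a state that disables the unit in the template (Salt `service.disabled`) or explain in the comment block why the qubes-service gating alone is sufficient, and add a test that redis is inactive in sd-app and sd-proxy. The state id `install-redis-for-sd-log-template` is now misleading as well, since it also fires on the small template.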
diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top index 3042104f..27bf804f 100644 --- a/dom0/sd-workstation.top +++ b/dom0/sd-workstation.top @@ -23,12 +23,10 @@ base: sd-small-buster-template: - sd-logging-setup - - sd-proxy-template-files - - sd-app-files + - sd-small-template-files sd-large-buster-template: - sd-logging-setup - - sd-devices-files - - sd-viewer-files + - sd-large-template-files sd-log-buster-template: - sd-logging-setup sd-devices-buster-template: From 9fcd3cf50c48e229733a083ceb5ab3d8a702a61d Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Thu, 10 Sep 2020 16:26:00 -0400 Subject: [PATCH 03/18] updating sd-app, sd-log, sd-proxy to use small template --- dom0/sd-app.sls | 19 ++----------------- dom0/sd-log.sls | 20 ++------------------ dom0/sd-proxy.sls | 16 ++-------------- dom0/sd-templates.sls | 4 +++- 4 files changed, 9 insertions(+), 50 deletions(-) diff --git a/dom0/sd-app.sls b/dom0/sd-app.sls index e3c2da04..069a2051 100644 --- a/dom0/sd-app.sls +++ b/dom0/sd-app.sls @@ -12,28 +12,13 @@ include: - sd-workstation-template - sd-upgrade-templates -sd-app-template: - qvm.vm: - - name: sd-app-buster-template - - clone: - - source: securedrop-workstation-buster - - label: yellow - - tags: - - add: - - sd-workstation - - sd-buster - - sd-workstation-updates - - require: - - sls: sd-workstation-template - - sls: sd-upgrade-templates - sd-app: qvm.vm: - name: sd-app - present: - label: yellow - prefs: - - template: sd-app-buster-template + - template: sd-small-buster-template - netvm: "" - tags: - add: @@ -43,7 +28,7 @@ sd-app: - enable: - service.paxctld - require: - - qvm: sd-app-buster-template + - qvm: sd-small-buster-template {% import_json "sd/config.json" as d %} diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls index bf93f04c..beb6c8c1 100644 --- a/dom0/sd-log.sls +++ b/dom0/sd-log.sls 
@@ -6,27 +6,11 @@ # from all SecureDrop related VMs. # This VM has no network configured. ## -include: - - sd-workstation-template - - sd-upgrade-templates - -sd-log-template: - qvm.vm: - - name: sd-log-buster-template - - clone: - - source: securedrop-workstation-buster - - label: red - - tags: - - add: - - sd-workstation - - require: - - sls: sd-workstation-template - sd-log: qvm.vm: - name: sd-log - present: - - template: sd-log-buster-template + - template: sd-small-buster-template - label: red - prefs: - netvm: "" @@ -40,7 +24,7 @@ sd-log: - service.redis - service.securedrop-log - require: - - qvm: sd-log-buster-template + - qvm: sd-small-buster-template # Allow any SecureDrop VM to log to the centralized log VM sd-log-dom0-securedrop.Log: diff --git a/dom0/sd-proxy.sls b/dom0/sd-proxy.sls index ca2ee5a1..2309e281 100644 --- a/dom0/sd-proxy.sls +++ b/dom0/sd-proxy.sls @@ -13,25 +13,13 @@ include: - sd-whonix - sd-upgrade-templates -sd-proxy-template: - qvm.vm: - - name: sd-proxy-buster-template - - clone: - - source: securedrop-workstation-buster - - label: blue - - tags: - - add: - - sd-workstation - - sd-buster - - sd-workstation-updates - sd-proxy: qvm.vm: - name: sd-proxy - present: - label: blue - prefs: - - template: sd-proxy-buster-template + - template: sd-small-buster-template - netvm: sd-whonix - autostart: true - tags: @@ -40,7 +28,7 @@ sd-proxy: - sd-buster - require: - qvm: sd-whonix - - qvm: sd-proxy-template + - qvm: sd-small-buster-template # Permit the SecureDrop Proxy to manage Client connections sd-proxy-dom0-securedrop.Proxy: diff --git a/dom0/sd-templates.sls b/dom0/sd-templates.sls index 938500eb..062f66da 100644 --- a/dom0/sd-templates.sls +++ b/dom0/sd-templates.sls @@ -21,9 +21,11 @@ sd-small-buster-template: - tags: - add: - sd-workstation + - sd-buster + - sd-workstation-updates - require: - sls: sd-workstation-template - + - sls: sd-upgrade-templates sd-large-buster-template: qvm.vm: 
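Review bot: The tags `sd-buster` and `sd-workstation-updates` and the `- sls: sd-upgrade-templates` requirement are added only to sd-small-buster-template; sd-large-buster-template, defined just below with only the `sd-workstation` tag (see the file's creation in PATCH 01), is left without them. The per-VM templates this series replaces carried both tags (see the deleted sd-app-template block in PATCH 03), so if the updater or the sd-upgrade-templates state selects templates by `sd-workstation-updates` — likely given the name, but confirm — the large template backing sd-viewer and sd-devices would silently stop receiving updates. Apply the same three lines to sd-large-buster-template; its definition continues past the end of this hunk.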
From eaaf21ce286bebda70934f0b2e80c2f529ffa3a9 Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Thu, 10 Sep 2020 16:38:53 -0400 Subject: [PATCH 04/18] adding the old templates back in for comparison's sake (also so the update logic doesn't break) --- dom0/sd-app.sls | 23 +++++++++++++++++++---- dom0/sd-log.sls | 16 ++++++++++++++++ dom0/sd-proxy.sls | 12 ++++++++++++ 3 files changed, 47 insertions(+), 4 deletions(-) diff --git a/dom0/sd-app.sls b/dom0/sd-app.sls index 069a2051..36994ecc 100644 --- a/dom0/sd-app.sls +++ b/dom0/sd-app.sls @@ -12,6 +12,21 @@ include: - sd-workstation-template - sd-upgrade-templates +sd-app-template: + qvm.vm: + - name: sd-app-buster-template + - clone: + - source: securedrop-workstation-buster + - label: yellow + - tags: + - add: + - sd-workstation + - sd-buster + - sd-workstation-updates + - require: + - sls: sd-workstation-template + - sls: sd-upgrade-templates + sd-app: qvm.vm: - name: sd-app @@ -45,9 +60,9 @@ sd-app-private-volume-size: sd-app-template-sync-appmenus: cmd.run: - name: > - qvm-start --skip-if-running sd-app-buster-template && - qvm-sync-appmenus sd-app-buster-template + qvm-start --skip-if-running sd-small-buster-template && + qvm-sync-appmenus sd-small-buster-template - require: - - qvm: sd-app-buster-template + - qvm: sd-small-buster-template - onchanges: - - qvm: sd-app-buster-template + - qvm: sd-small-buster-template diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls index beb6c8c1..14a3b4ed 100644 --- a/dom0/sd-log.sls +++ b/dom0/sd-log.sls @@ -6,6 +6,22 @@ # from all SecureDrop related VMs. # This VM has no network configured. ## +include: + - sd-workstation-template + - sd-upgrade-templates + +sd-log-template: + qvm.vm: + - name: sd-log-buster-template + - clone: + - source: securedrop-workstation-buster + - label: red + - tags: + - add: + - sd-workstation + - require: + - sls: sd-workstation-template + sd-log: qvm.vm: - name: sd-log 
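Review bot: `sd-app-template-sync-appmenus` now starts and syncs the shared sd-small-buster-template, yet it stays in sd-app.sls under a name that says it belongs to the sd-app template. The sync is a per-template operation, so it reads more clearly next to the template definition, renamed along the lines of `sd-small-template-sync-appmenus:`, which also avoids a second copy appearing in sd-log.sls or sd-proxy.sls later. The `qvm-start --skip-if-running` means this state boots a TemplateVM during a highstate; that was already true before, but a one-line comment such as `# Starts the template so qvm-sync-appmenus can read its menu entries.` would save the next reader a question.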
diff --git a/dom0/sd-proxy.sls b/dom0/sd-proxy.sls index 2309e281..007a7aeb 100644 --- a/dom0/sd-proxy.sls +++ b/dom0/sd-proxy.sls @@ -13,6 +13,18 @@ include: - sd-whonix - sd-upgrade-templates +sd-proxy-template: + qvm.vm: + - name: sd-proxy-buster-template + - clone: + - source: securedrop-workstation-buster + - label: blue + - tags: + - add: + - sd-workstation + - sd-buster + - sd-workstation-updates + sd-proxy: qvm.vm: - name: sd-proxy From cd0d92be0d7e58a5db20473a32adc82970bf82a0 Mon Sep 17 00:00:00 2001 From: Kevin O'Gorman Date: Thu, 10 Sep 2020 17:41:20 -0400 Subject: [PATCH 05/18] include sd-templates in appVM state files that use them --- dom0/sd-app.sls | 1 + dom0/sd-log.sls | 1 + dom0/sd-proxy.sls | 1 + dom0/sd-templates.sls | 2 +- 4 files changed, 4 insertions(+), 1 deletion(-) diff --git a/dom0/sd-app.sls b/dom0/sd-app.sls index 36994ecc..d9115d84 100644 --- a/dom0/sd-app.sls +++ b/dom0/sd-app.sls @@ -11,6 +11,7 @@ include: - sd-workstation-template - sd-upgrade-templates + - sd-templates sd-app-template: qvm.vm: diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls index 14a3b4ed..425f1b4b 100644 --- a/dom0/sd-log.sls +++ b/dom0/sd-log.sls @@ -9,6 +9,7 @@ include: - sd-workstation-template - sd-upgrade-templates + - sd-templates sd-log-template: qvm.vm: diff --git a/dom0/sd-proxy.sls b/dom0/sd-proxy.sls index 007a7aeb..77d19048 100644 --- a/dom0/sd-proxy.sls +++ b/dom0/sd-proxy.sls @@ -12,6 +12,7 @@ include: - sd-whonix - sd-upgrade-templates + - sd-templates sd-proxy-template: qvm.vm: diff --git a/dom0/sd-templates.sls b/dom0/sd-templates.sls index 062f66da..4013cc8f 100644 --- a/dom0/sd-templates.sls +++ b/dom0/sd-templates.sls @@ -4,7 +4,7 @@ # # Installs consolidated templateVMs: # - sd-small-buster-template, to be used for -# sd-app, sd-gpg, sd-log, and sd-proxy +# sd-app, sd-log, and sd-proxy # - sd-large-buster-template, to be used for # sd-export and sd-viewer ## From 4f17c1b0c2a038b890083f09b7a2f77624c09ba3 Mon Sep 17 00:00:00 2001 
From: Kevin O'Gorman Date: Thu, 10 Sep 2020 18:44:57 -0400 Subject: [PATCH 06/18] update small templateVM references in Makefile and provisioning script --- Makefile | 6 +++--- scripts/provision-all | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index d88f8d23..2e5c7d79 100644 --- a/Makefile +++ b/Makefile @@ -52,7 +52,7 @@ sd-consolidated-templates: prep-dev ## Provisions consolidated templates for SDW sd-proxy: prep-dev ## Provisions SD Proxy VM sudo qubesctl --show-output state.sls sd-proxy - sudo qubesctl --show-output --skip-dom0 --targets sd-proxy-buster-template,sd-proxy state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-proxy state.highstate sd-gpg: prep-dev ## Provisions SD GPG keystore VM sudo qubesctl --show-output state.sls sd-gpg @@ -60,7 +60,7 @@ sd-gpg: prep-dev ## Provisions SD GPG keystore VM sd-app: prep-dev ## Provisions SD APP VM sudo qubesctl --show-output state.sls sd-app - sudo qubesctl --show-output --skip-dom0 --targets sd-app-buster-template,sd-app state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-app state.highstate sd-whonix: prep-dev ## Provisions SD Whonix VM sudo qubesctl --show-output state.sls sd-whonix @@ -76,7 +76,7 @@ sd-devices: prep-dev ## Provisions SD Export VM sd-log: prep-dev ## Provisions SD logging VM sudo qubesctl --show-output state.sls sd-log - sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template,sd-log state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-log state.highstate prep-dev: assert-dom0 ## Configures Salt layout for SD workstation VMs @./scripts/prep-dev diff --git a/scripts/provision-all b/scripts/provision-all index cb595c09..9838b3dc 100755 --- a/scripts/provision-all +++ b/scripts/provision-all 
@@ -18,7 +18,7 @@ echo "Set up dom0 config files, including RPC policies, and create VMs" sudo qubesctl --show-output state.highstate echo "Set up logging VMs early" -sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-log-buster-template state.highstate +sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-buster-template state.highstate # Reboot sd-log so it's ready to receive logs from other VMs about to be configured qvm-shutdown --wait sd-log && qvm-start sd-log # Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean) From 9f8cf7ce49348cf2cc5b815a953fe9c35b136c29 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Thu, 10 Sep 2020 15:06:14 -0700 Subject: [PATCH 07/18] Removes sd-proxy mimeapps.list handling The sd-proxy mimetype handlers will be configured via the `securedrop-workstation-config` package, same as others. --- dom0/sd-mime-handling.sls | 2 +- dom0/sd-proxy-template-files.sls | 19 -- sd-proxy/mimeapps.list | 297 ------------------------------- 3 files changed, 1 insertion(+), 317 deletions(-) delete mode 100644 sd-proxy/mimeapps.list diff --git a/dom0/sd-mime-handling.sls b/dom0/sd-mime-handling.sls index e0ca2808..fc7d71dd 100644 --- a/dom0/sd-mime-handling.sls +++ b/dom0/sd-mime-handling.sls @@ -12,7 +12,7 @@ # respective AppVMs. ## -{% if grains['id'] in ["sd-viewer", "sd-app", "sd-devices-dvm"] %} +{% if grains['id'] in ["sd-viewer", "sd-app", "sd-devices-dvm", "sd-proxy"] %} sd-private-volume-mimeapps-handling: file.symlink: diff --git a/dom0/sd-proxy-template-files.sls b/dom0/sd-proxy-template-files.sls index 286ee7c6..de9a7a04 100644 --- a/dom0/sd-proxy-template-files.sls +++ b/dom0/sd-proxy-template-files.sls 
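Review bot: Adding `"sd-proxy"` to the grains list makes sd-proxy's mimeapps handling depend on whatever the `securedrop-workstation-config` package ships, now that PATCH 07 drops the Salt-managed do-not-open list; the `sd-private-volume-mimeapps-handling` symlink state (its body continues outside the hunk) shows no `require` on the package state, so on a template whose package version lacks the sd-proxy entry the symlink would point at a missing target and sd-proxy would fall back to the desktop defaults for untrusted files. Add a `require` on the pkg state that provides the file so provisioning fails closed instead of depending on ordering, and a config test asserting that sd-proxy's effective handler for a representative mimetype is the open-in-dvm handler rather than a viewer inside the VM. The commit message says the package takes over this role; the state should enforce that rather than assume it.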
@@ -21,25 +21,6 @@ sd-proxy-do-not-open-here-desktop-file: - mode: 644 - makedirs: True -sd-proxy-configure-mimetypes: - file.managed: - - name: /usr/share/applications/mimeapps.list - - source: salt://sd/sd-proxy/mimeapps.list - - user: user - - group: user - - mode: 644 - - makedirs: True - cmd.run: - - name: sudo update-desktop-database /usr/share/applications - - require: - - file: sd-proxy-configure-mimetypes - - file: sd-proxy-do-not-open-here-desktop-file - - file: sd-proxy-do-not-open-here-script - - onchanges: - - file: sd-proxy-do-not-open-here-script - - file: sd-proxy-do-not-open-here-desktop-file - - file: sd-proxy-configure-mimetypes - # Depends on FPF-controlled apt repo, already present # in underlying "securedrop-workstation" base template. install-securedrop-proxy-package: diff --git a/sd-proxy/mimeapps.list b/sd-proxy/mimeapps.list deleted file mode 100644 index 6146494b..00000000 --- a/sd-proxy/mimeapps.list +++ /dev/null 
@@ -1,297 +0,0 @@ -[Default Applications] -application/pgp-encrypted=do-not-open.desktop; -application/zip=do-not-open.desktop; -application/x-dia-diagram=do-not-open.desktop; -text/x-vcard=do-not-open.desktop; -text/directory=do-not-open.desktop; -text/calendar=do-not-open.desktop; -application/x-cd-image=do-not-open.desktop; -application/x-raw-disk-image=do-not-open.desktop; -application/x-raw-disk-image-xz-compressed=do-not-open.desktop; -image/x-compressed-xcf=do-not-open.desktop; -image/x-xcf=do-not-open.desktop; -image/x-psd=do-not-open.desktop; -image/x-fits=do-not-open.desktop; -image/bmp=do-not-open.desktop; -image/gif=do-not-open.desktop; -image/x-icb=do-not-open.desktop; -image/x-ico=do-not-open.desktop; -image/x-pcx=do-not-open.desktop; -image/x-portable-anymap=do-not-open.desktop; -image/x-portable-bitmap=do-not-open.desktop; -image/x-portable-graymap=do-not-open.desktop; -image/x-portable-pixmap=do-not-open.desktop; -image/x-xbitmap=do-not-open.desktop; -image/x-xpixmap=do-not-open.desktop; -image/svg+xml=do-not-open.desktop; -application/vnd.ms-word=do-not-open.desktop; -application/vnd.wordperfect=do-not-open.desktop; -application/vnd.sun.xml.writer=do-not-open.desktop; -application/vnd.sun.xml.writer.global=do-not-open.desktop; -application/vnd.sun.xml.writer.template=do-not-open.desktop; -application/vnd.stardivision.writer=do-not-open.desktop; -application/vnd.oasis.opendocument.text=do-not-open.desktop; -application/vnd.oasis.opendocument.text-template=do-not-open.desktop; -application/vnd.oasis.opendocument.text-web=do-not-open.desktop; -application/vnd.oasis.opendocument.text-master=do-not-open.desktop; -application/vnd.openxmlformats-officedocument.wordprocessingml.document=do-not-open.desktop; -application/vnd.openxmlformats-officedocument.wordprocessingml.template=do-not-open.desktop; -application/vnd.ms-excel=do-not-open.desktop; -application/vnd.stardivision.calc=do-not-open.desktop; -application/vnd.sun.xml.calc=do-not-open.desktop; 
-application/vnd.sun.xml.calc.template=do-not-open.desktop; -application/vnd.openxmlformats-officedocument.spreadsheetml.sheet=do-not-open.desktop; -application/vnd.openxmlformats-officedocument.spreadsheetml.template=do-not-open.desktop; -application/vnd.oasis.opendocument.spreadsheet=do-not-open.desktop; -application/vnd.oasis.opendocument.spreadsheet-template=do-not-open.desktop; -application/vnd.ms-powerpoint=do-not-open.desktop; -application/vnd.stardivision.impress=do-not-open.desktop; -application/vnd.sun.xml.impress=do-not-open.desktop; -application/vnd.sun.xml.impress.template=do-not-open.desktop; -application/vnd.oasis.opendocument.presentation=do-not-open.desktop; -application/vnd.oasis.opendocument.presentation-template=do-not-open.desktop; -application/vnd.openxmlformats-officedocument.presentationml.presentation=do-not-open.desktop; -application/vnd.openxmlformats-officedocument.presentationml.template=do-not-open.desktop; -application/vnd.stardivision.draw=do-not-open.desktop; -application/vnd.sun.xml.draw=do-not-open.desktop; -application/vnd.sun.xml.draw.template=do-not-open.desktop; -application/vnd.oasis.opendocument.graphics=do-not-open.desktop; -application/vnd.oasis.opendocument.graphics-template=do-not-open.desktop; -application/vnd.oasis.opendocument.formula=do-not-open.desktop; -application/vnd.sun.xml.math=do-not-open.desktop; -application/vnd.stardivision.math=do-not-open.desktop; -application/vnd.oasis.opendocument.database=do-not-open.desktop; -application/vnd.sun.xml.base=do-not-open.desktop; -application/pdf=do-not-open.desktop; -application/postscript=do-not-open.desktop; -application/x-qw=do-not-open.desktop; -application/x-gnucash=do-not-open.desktop; -application/vnd.lotus-1-2-3=do-not-open.desktop; -application/x-oleo=do-not-open.desktop; -application/x-gnumeric=do-not-open.desktop; -application/x-xbase=do-not-open.desktop; -application/x-abiword=do-not-open.desktop; -application/x-dvi=do-not-open.desktop; 
-application/x-catalog=do-not-open.desktop; -application/x-rpm=do-not-open.desktop; -text/csv=do-not-open.desktop; -text/plain=do-not-open.desktop; -text/html=do-not-open.desktop; -application/xhtml+xml=do-not-open.desktop; -inode/directory=do-not-open.desktop; -x-content/blank-cd=do-not-open.desktop; -x-content/blank-dvd=do-not-open.desktop; -x-content/blank-bd=do-not-open.desktop; -x-content/blank-hddvd=do-not-open.desktop; -x-content/video-dvd=do-not-open.desktop; -x-content/video-vcd=do-not-open.desktop; -x-content/video-svcd=do-not-open.desktop; -#x-content/video-bluray=do-not-open.desktop; -#x-content/video-hddvd=do-not-open.desktop; -x-content/audio-cdda=do-not-open.desktop; -x-content/audio-dvd=do-not-open.desktop; -x-content/audio-player=do-not-open.desktop; -x-content/image-dcf=do-not-open.desktop; -x-content/image-picturecd=do-not-open.desktop; -# URI scheme handlers -x-scheme-handler/mailto=do-not-open.desktop; -x-scheme-handler/http=do-not-open.desktop; -x-scheme-handler/https=do-not-open.desktop; -application/mxf=do-not-open.desktop; -application/ogg=do-not-open.desktop; -application/ram=do-not-open.desktop; -application/sdp=do-not-open.desktop; -application/smil=do-not-open.desktop; -application/smil+xml=do-not-open.desktop; -application/vnd.apple.mpegurl=do-not-open.desktop; -application/vnd.ms-wpl=do-not-open.desktop; -application/vnd.rn-realmedia=do-not-open.desktop; -application/x-extension-m4a=do-not-open.desktop; -application/x-extension-mp4=do-not-open.desktop; -application/x-flac=do-not-open.desktop; -application/x-flash-video=do-not-open.desktop; -application/x-matroska=do-not-open.desktop; -application/x-netshow-channel=do-not-open.desktop; -application/x-ogg=do-not-open.desktop; -application/x-quicktime-media-link=do-not-open.desktop; -application/x-quicktimeplayer=do-not-open.desktop; -application/x-shorten=do-not-open.desktop; -application/x-smil=do-not-open.desktop; -application/xspf+xml=do-not-open.desktop; 
-audio/3gpp=do-not-open.desktop; -audio/ac3=do-not-open.desktop; -audio/AMR=do-not-open.desktop; -audio/AMR-WB=do-not-open.desktop; -audio/basic=do-not-open.desktop; -audio/midi=do-not-open.desktop; -audio/mp2=do-not-open.desktop; -audio/mp4=do-not-open.desktop; -audio/mpeg=do-not-open.desktop; -audio/mpegurl=do-not-open.desktop; -audio/ogg=do-not-open.desktop; -audio/prs.sid=do-not-open.desktop; -audio/vnd.rn-realaudio=do-not-open.desktop; -audio/x-aiff=do-not-open.desktop; -audio/x-ape=do-not-open.desktop; -audio/x-flac=do-not-open.desktop; -audio/x-gsm=do-not-open.desktop; -audio/x-it=do-not-open.desktop; -audio/x-m4a=do-not-open.desktop; -audio/x-matroska=do-not-open.desktop; -audio/x-mod=do-not-open.desktop; -audio/x-mp3=do-not-open.desktop; -audio/x-mpeg=do-not-open.desktop; -audio/x-mpegurl=do-not-open.desktop; -audio/x-ms-asf=do-not-open.desktop; -audio/x-ms-asx=do-not-open.desktop; -audio/x-ms-wax=do-not-open.desktop; -audio/x-ms-wma=do-not-open.desktop; -audio/x-musepack=do-not-open.desktop; -audio/x-pn-aiff=do-not-open.desktop; -audio/x-pn-au=do-not-open.desktop; -audio/x-pn-realaudio=do-not-open.desktop; -audio/x-pn-realaudio-plugin=do-not-open.desktop; -audio/x-pn-wav=do-not-open.desktop; -audio/x-pn-windows-acm=do-not-open.desktop; -audio/x-realaudio=do-not-open.desktop; -audio/x-real-audio=do-not-open.desktop; -audio/x-s3m=do-not-open.desktop; -audio/x-sbc=do-not-open.desktop; -audio/x-scpls=do-not-open.desktop; -audio/x-speex=do-not-open.desktop; -audio/x-stm=do-not-open.desktop; -audio/x-tta=do-not-open.desktop; -audio/x-wav=do-not-open.desktop; -audio/x-wavpack=do-not-open.desktop; -audio/x-vorbis=do-not-open.desktop; -audio/x-vorbis+ogg=do-not-open.desktop; -audio/x-xm=do-not-open.desktop; -image/vnd.rn-realpix=do-not-open.desktop; -image/x-pict=do-not-open.desktop; -misc/ultravox=do-not-open.desktop; -text/google-video-pointer=do-not-open.desktop; -text/x-google-video-pointer=do-not-open.desktop; -video/3gp=do-not-open.desktop; 
-video/3gpp=do-not-open.desktop; -video/dv=do-not-open.desktop; -video/divx=do-not-open.desktop; -video/fli=do-not-open.desktop; -video/flv=do-not-open.desktop; -video/mp2t=do-not-open.desktop; -video/mp4=do-not-open.desktop; -video/mp4v-es=do-not-open.desktop; -video/mpeg=do-not-open.desktop; -video/msvideo=do-not-open.desktop; -video/ogg=do-not-open.desktop; -video/quicktime=do-not-open.desktop; -video/vivo=do-not-open.desktop; -video/vnd.divx=do-not-open.desktop; -video/vnd.mpegurl=do-not-open.desktop; -video/vnd.rn-realvideo=do-not-open.desktop; -video/vnd.vivo=do-not-open.desktop; -video/webm=do-not-open.desktop; -video/x-anim=do-not-open.desktop; -video/x-avi=do-not-open.desktop; -video/x-flc=do-not-open.desktop; -video/x-fli=do-not-open.desktop; -video/x-flic=do-not-open.desktop; -video/x-flv=do-not-open.desktop; -video/x-m4v=do-not-open.desktop; -video/x-matroska=do-not-open.desktop; -video/x-mpeg=do-not-open.desktop; -video/x-mpeg2=do-not-open.desktop; -video/x-ms-asf=do-not-open.desktop; -video/x-ms-asx=do-not-open.desktop; -video/x-msvideo=do-not-open.desktop; -video/x-ms-wm=do-not-open.desktop; -video/x-ms-wmv=do-not-open.desktop; -video/x-ms-wmx=do-not-open.desktop; -video/x-ms-wvx=do-not-open.desktop; -video/x-nsv=do-not-open.desktop; -video/x-ogm+ogg=do-not-open.desktop; -video/x-theora+ogg=do-not-open.desktop; -video/x-totem-stream=do-not-open.desktop; -x-content/video-dvd=do-not-open.desktop; -x-content/video-vcd=do-not-open.desktop; -x-content/video-svcd=do-not-open.desktop; -x-scheme-handler/pnm=do-not-open.desktop; -x-scheme-handler/mms=do-not-open.desktop; -x-scheme-handler/net=do-not-open.desktop; -x-scheme-handler/rtp=do-not-open.desktop; -x-scheme-handler/rtmp=do-not-open.desktop; -x-scheme-handler/rtsp=do-not-open.desktop; -x-scheme-handler/mmsh=do-not-open.desktop; -x-scheme-handler/uvox=do-not-open.desktop; -x-scheme-handler/icy=do-not-open.desktop; -x-scheme-handler/icyx=do-not-open.desktop; 
-application/x-7z-compressed=do-not-open.desktop; -application/x-7z-compressed-tar=do-not-open.desktop; -application/x-ace=do-not-open.desktop; -application/x-alz=do-not-open.desktop; -application/x-ar=do-not-open.desktop; -application/x-arj=do-not-open.desktop; -application/x-bzip=do-not-open.desktop; -application/x-bzip-compressed-tar=do-not-open.desktop; -application/x-bzip1=do-not-open.desktop; -application/x-bzip1-compressed-tar=do-not-open.desktop; -application/x-cabinet=do-not-open.desktop; -application/x-cbr=do-not-open.desktop; -application/x-cbz=do-not-open.desktop; -application/x-compress=do-not-open.desktop; -application/x-compressed-tar=do-not-open.desktop; -application/x-cpio=do-not-open.desktop; -application/x-deb=do-not-open.desktop; -application/x-ear=do-not-open.desktop; -application/x-ms-dos-executable=do-not-open.desktop; -application/x-gtar=do-not-open.desktop; -application/x-gzip=do-not-open.desktop; -application/x-gzpostscript=do-not-open.desktop; -application/x-java-archive=do-not-open.desktop; -application/x-lha=do-not-open.desktop; -application/x-lhz=do-not-open.desktop; -application/x-lrzip=do-not-open.desktop; -application/x-lrzip-compressed-tar=do-not-open.desktop; -application/x-lzip=do-not-open.desktop; -application/x-lzip-compressed-tar=do-not-open.desktop; -application/x-lzma=do-not-open.desktop; -application/x-lzma-compressed-tar=do-not-open.desktop; -application/x-lzop=do-not-open.desktop; -application/x-lzop-compressed-tar=do-not-open.desktop; -application/x-ms-wim=do-not-open.desktop; -application/x-rar=do-not-open.desktop; -application/x-rar-compressed=do-not-open.desktop; -application/x-rzip=do-not-open.desktop; -application/x-tar=do-not-open.desktop; -application/x-tarz=do-not-open.desktop; -application/x-stuffit=do-not-open.desktop; -application/x-war=do-not-open.desktop; -application/x-xz=do-not-open.desktop; -application/x-xz-compressed-tar=do-not-open.desktop; -application/x-zip=do-not-open.desktop; 
-application/x-zip-compressed=do-not-open.desktop; -application/x-zoo=do-not-open.desktop; -application/x-archive=do-not-open.desktop; -application/vnd.ms-cab-compressed=do-not-open.desktop; -application/x-source-rpm=do-not-open.desktop; -image/bmp=do-not-open.desktop; -image/gif=do-not-open.desktop; -image/jpeg=do-not-open.desktop; -image/jpg=do-not-open.desktop; -image/pjpeg=do-not-open.desktop; -image/png=do-not-open.desktop; -image/tiff=do-not-open.desktop; -image/x-bmp=do-not-open.desktop; -image/x-gray=do-not-open.desktop; -image/x-icb=do-not-open.desktop; -image/x-ico=do-not-open.desktop; -image/x-png=do-not-open.desktop; -image/x-portable-anymap=do-not-open.desktop; -image/x-portable-bitmap=do-not-open.desktop; -image/x-portable-graymap=do-not-open.desktop; -image/x-portable-pixmap=do-not-open.desktop; -image/x-xbitmap=do-not-open.desktop; -image/x-xpixmap=do-not-open.desktop; -image/x-pcx=do-not-open.desktop; -image/svg+xml=do-not-open.desktop; -image/svg+xml-compressed=do-not-open.desktop; -image/vnd.wap.wbmp=do-not-open.desktop; From bcb0ca86313fcab9b26a2c155a73fcb0044ea9c4 Mon Sep 17 00:00:00 2001 
From: Conor Schaefer Date: Thu, 10 Sep 2020 17:00:20 -0700 Subject: [PATCH 08/18] Uses "large" & "small" templates for appropriate VMs With this change, all SDW VMs are using the new consolidated small/large templates. Reuses salt state files in top file The new small & large templates don't need to be configured in their own state files, we can just add references to the top file to assign the old states per vm and consolidate them. Removes unconsolidated templates from config Don't bother to create them if we're not planning on using them. Updates make-dev target to use new consolidated templates sd-gpg: wait for consolidated templates The consolidated templates spike was handled in a different SLS file, which sd-gpg wasn't depending on. That makes for a race, so let's update the dependency list to ensure proper ordering. Removed old templates and updated tests. Removed definitions for sd-{app,log,proxy}-buster-template VMs. Added back dom0/mimeapps.list, as it's used by config tests. Updated tests to refer to new templates. Updated logging setup to ensure correct config present on non sd-log VMs Consolidates templates via handle-upgrade script The "securedrop-handle-upgrade" script was added in order to migrate from Stretch-based to Buster-based templates. With some small changes to the expected template pattern, we can leverage the same script to handle consolidating the templates. This only handles *creation* of the VMs, it doesn't sort out the apt packages and config logic specific to each Template/App combination. Additional logic will need to be added to the updater to support hands-off consolidation. Uses new pkg securedrop-workstation-viewer Supersedes the securedrop-workstation-sd-svs-disp package, to make the transition to consolidated templates a bit easier, by avoiding dpkg conflicts altogether. 
Tests for securedrop-workstation-svs-disp absence The package "securedrop-workstation-svs-disp" has been superseded by "securedrop-workstation-viewer", so in testing for presence of one, ensure the absence of the other. Updates the config tests to permit testing package absence; before it was showing a confusing stack trace if package was missing (so error rather than failure). Forces template setting on sd-log Using "prefs" rather than "present" so that the value is updated, not merely set at VM creation time. Sets default mimetype handler for sd-proxy Uses the new sd-mime-handling state and applies it to sd-proxy, so that symlinks for mimetypes are handled appropriately post-template- consolidation. Requires packaging changes that are for now only in a feature branch on the dev packages repo, served via apt-test. Includes a small fix to ensure that the files in private volume are owned by normal user, not root. Removes unused sd-proxy files The do-not-open here files are left over from a prototype of the workstation, no longer required. Tests sd-proxy: use open-in-dvm for mimetypes We've ditched the do-not-open-here logic, so sd-proxy should now default to using open-in-dvm for all filetypes. The config tests now reflect this. Copy/pasted from the sd-app tests, didn't bother to refactor to make it DRY. Fix mimetype private volume perms Using "mode" and "makedirs" together for a symlink led to a broken config: Salt was creating the parent directories with mode 644, so they weren't traversable, so the mimeapps.list file couldn't be read by normal user. Fixed. Handle upgrade script: remove old templates Leverages the "remove" subcommand for the securedrop-handle-upgrade script to purge the old, non-consolidated TemplateVMs after migrating. Moves sd-proxy config to private volume Requires package update to securedrop-proxy, so that the RPC config at /etc/qubes-rpc/securedrop.Proxy references the new filepath. 
Includes a new test for that file, since we weren't explicitly examining its contents before. Removes legacy sd-proxy config file It shouldn't ever be present post-consolidated, given that the newly created VM never had the /etc/ path configured, but adding anyway as a defensive measure, and also to get the tests passing sooner. Moves consolidated templates into single state We originally had the consolidated templates in their own salt state file, to aid in development, so we could target just that one component. Folding into the pre-existing state file for the base template now, and cleaning up the extra references, mostly to minimize the diff and aid in review. --- Makefile | 4 - dom0/sd-app.sls | 16 -- dom0/sd-devices.sls | 28 +-- dom0/sd-gpg.sls | 4 +- dom0/sd-large-template-files.sls | 31 ---- dom0/sd-log.sls | 14 +- dom0/sd-logging-setup.sls | 10 +- dom0/sd-mime-handling.sls | 26 ++- dom0/sd-proxy-files.sls | 15 ++ dom0/sd-proxy-template-files.sls | 33 +--- dom0/sd-proxy.sls | 13 -- dom0/sd-small-template-files.sls | 22 --- dom0/sd-templates.sls | 41 ----- dom0/sd-viewer-files.sls | 5 +- dom0/sd-viewer.sls | 20 +-- dom0/sd-workstation-template.sls | 33 ++++ dom0/sd-workstation.top | 22 ++- dom0/securedrop-handle-upgrade | 25 ++- sd-proxy/do-not-open-here | 14 -- sd-proxy/do-not-open.desktop | 4 - sd-proxy/mimeapps.list | 297 +++++++++++++++++++++++++++++++ tests/base.py | 10 +- tests/test_dom0_config.py | 9 +- tests/test_proxy_vm.py | 44 +++-- tests/test_viewer.py | 6 +- tests/test_vms_exist.py | 30 ++-- 26 files changed, 492 insertions(+), 284 deletions(-) delete mode 100644 dom0/sd-large-template-files.sls create mode 100644 dom0/sd-proxy-files.sls delete mode 100644 dom0/sd-small-template-files.sls delete mode 100644 dom0/sd-templates.sls delete mode 100755 sd-proxy/do-not-open-here delete mode 100644 sd-proxy/do-not-open.desktop create mode 100644 sd-proxy/mimeapps.list diff --git a/Makefile b/Makefile index 2e5c7d79..122a1673 100644 --- a/Makefile 
+++ b/Makefile @@ -46,10 +46,6 @@ sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs sudo qubesctl --show-output state.sls sd-workstation-buster-template sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template state.highstate -sd-consolidated-templates: prep-dev ## Provisions consolidated templates for SDW AppVMs - sudo qubesctl --show-output state.sls sd-templates - sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-large-buster-template state.highstate - sd-proxy: prep-dev ## Provisions SD Proxy VM sudo qubesctl --show-output state.sls sd-proxy sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-proxy state.highstate diff --git a/dom0/sd-app.sls b/dom0/sd-app.sls index d9115d84..ffe4023d 100644 --- a/dom0/sd-app.sls +++ b/dom0/sd-app.sls @@ -11,22 +11,6 @@ include: - sd-workstation-template - sd-upgrade-templates - - sd-templates - -sd-app-template: - qvm.vm: - - name: sd-app-buster-template - - clone: - - source: securedrop-workstation-buster - - label: yellow - - tags: - - add: - - sd-workstation - - sd-buster - - sd-workstation-updates - - require: - - sls: sd-workstation-template - - sls: sd-upgrade-templates sd-app: qvm.vm: diff --git a/dom0/sd-devices.sls b/dom0/sd-devices.sls index ade91803..24183252 100644 --- a/dom0/sd-devices.sls +++ b/dom0/sd-devices.sls 
@@ -9,28 +9,14 @@ include: - sd-workstation-template - sd-upgrade-templates -sd-devices-template: - qvm.vm: - - name: sd-devices-buster-template - - clone: - - source: securedrop-workstation-buster - - label: red - - tags: - - add: - - sd-workstation - - sd-workstation-updates - - require: - - sls: sd-workstation-template - - sls: sd-upgrade-templates - sd-devices-dvm: qvm.vm: - name: sd-devices-dvm - present: - - template: sd-devices-buster-template + - template: sd-large-buster-template - label: red - prefs: - - template: sd-devices-buster-template + - template: sd-large-buster-template - netvm: "" - template_for_dispvms: True - tags: @@ -41,19 +27,19 @@ sd-devices-dvm: - enable: - service.paxctld - require: - - qvm: sd-devices-buster-template + - qvm: sd-large-buster-template # Ensure the Qubes menu is populated with relevant app entries, # so that Nautilus/Files can be started via GUI interactions. sd-devices-template-sync-appmenus: cmd.run: - name: > - qvm-start --skip-if-running sd-devices-buster-template && - qvm-sync-appmenus sd-devices-buster-template + qvm-start --skip-if-running sd-large-buster-template && + qvm-sync-appmenus sd-large-buster-template - require: - - qvm: sd-devices-buster-template + - qvm: sd-large-buster-template - onchanges: - - qvm: sd-devices-buster-template + - qvm: sd-large-buster-template sd-devices-create-named-dispvm: qvm.vm: diff --git a/dom0/sd-gpg.sls b/dom0/sd-gpg.sls index ae5bd410..41706c65 100644 --- a/dom0/sd-gpg.sls +++ b/dom0/sd-gpg.sls @@ -17,10 +17,10 @@ sd-gpg: qvm.vm: - name: sd-gpg - present: - - template: securedrop-workstation-buster + - template: sd-small-buster-template - label: purple - prefs: - - template: securedrop-workstation-buster + - template: sd-small-buster-template - netvm: "" - autostart: true - tags: diff --git a/dom0/sd-large-template-files.sls b/dom0/sd-large-template-files.sls deleted file mode 100644 index 45cf83de..00000000 --- a/dom0/sd-large-template-files.sls +++ /dev/null 
@@ -1,31 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: set syntax=yaml ts=2 sw=2 sts=2 et : - -## -# sd-large-template-files -# ======== -# -# Installs packages on large template (used by sd-devices, sd-viewer) -# -## -include: - - fpf-apt-test-repo - - sd-logging-setup - -# FPF repo is setup in "securedrop-workstation" template -install-large-template-securedrop-packages: - pkg.installed: - - pkgs: - - securedrop-workstation-svs-disp - - evince - - securedrop-export - - require: - - sls: fpf-apt-test-repo - -install-libreoffice: - pkg.installed: - - name: libreoffice - - retry: - attempts: 3 - interval: 60 - - install_recommends: False diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls index 425f1b4b..82bf5776 100644 --- a/dom0/sd-log.sls +++ b/dom0/sd-log.sls @@ -9,19 +9,6 @@ include: - sd-workstation-template - sd-upgrade-templates - - sd-templates - -sd-log-template: - qvm.vm: - - name: sd-log-buster-template - - clone: - - source: securedrop-workstation-buster - - label: red - - tags: - - add: - - sd-workstation - - require: - - sls: sd-workstation-template sd-log: qvm.vm: @@ -30,6 +17,7 @@ sd-log: - template: sd-small-buster-template - label: red - prefs: + - template: sd-small-buster-template - netvm: "" - autostart: true - tags: diff --git a/dom0/sd-logging-setup.sls b/dom0/sd-logging-setup.sls index 0c4f5790..0e5fa919 100644 --- a/dom0/sd-logging-setup.sls +++ b/dom0/sd-logging-setup.sls @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : -{% if "template" in grains['id'] or grains['id'] in ["securedrop-workstation-buster", "whonix-gw-15"] %} +{% if "template" in grains['id'] or grains['id'] in ["securedrop-workstation-buster", "sd-small-buster-template", "sd-large-buster-template", "whonix-gw-15"] %} include: - fpf-apt-test-repo 
@@ -14,15 +14,12 @@ install-securedrop-log-package: - sls: fpf-apt-test-repo {% endif %} -{% if grains['id'] in ["sd-log-buster-template", "sd-small-buster-template"] %} +{% if grains['id'] in ["sd-small-buster-template", "sd-large-buster-template"] %} install-redis-for-sd-log-template: pkg.installed: - pkgs: - redis-server - redis -remove-sd-rsyslog-config-for-logserver: - file.absent: - - name: /etc/rsyslog.d/sdlog.conf {% elif grains['id'] == "sd-log" %} # Only for the "sd-log" AppVM, configure /rw/config to disable @@ -43,6 +40,9 @@ sd-log-remove-rsyslog-qubes-plugin: - name: /rw/config/rc.local - require: - file: sd-log-remove-rsyslog-qubes-plugin +remove-sd-rsyslog-config-for-logserver: + file.absent: + - name: /etc/rsyslog.d/sdlog.conf {% elif grains['id'] == "sd-gpg" %} # For sd-gpg, we disable logging altogether, since access diff --git a/dom0/sd-mime-handling.sls b/dom0/sd-mime-handling.sls index fc7d71dd..ac827340 100644 --- a/dom0/sd-mime-handling.sls +++ b/dom0/sd-mime-handling.sls @@ -12,12 +12,34 @@ # respective AppVMs. ## -{% if grains['id'] in ["sd-viewer", "sd-app", "sd-devices-dvm", "sd-proxy"] %} +sd-private-volume-mimeapps-config-dir: + file.directory: + - name: /home/user/.local/share/applications + - user: user + - group: user + - makedirs: True + - mode: "0755" + +{% if grains['id'] in ["sd-viewer", "sd-app", "sd-devices-dvm"] %} sd-private-volume-mimeapps-handling: file.symlink: - name: /home/user/.local/share/applications/mimeapps.list - target: /opt/sdw/mimeapps.list.{{ grains['id'] }} - - makedirs: True + - user: user + - group: user + - require: + - file: sd-private-volume-mimeapps-config-dir + +{% else %} + +sd-private-volume-mimeapps-handling: + file.symlink: + - name: /home/user/.local/share/applications/mimeapps.list + - target: /opt/sdw/mimeapps.list.default + - user: user + - group: user + - require: + - file: sd-private-volume-mimeapps-config-dir {% endif %} 
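Review bot: `install-redis-for-sd-log-template` now also targets sd-large-buster-template, the template that (per the top-file hunk later in this patch) backs the sd-viewer and sd-devices disposables that open untrusted documents, yet nothing visible in this file needs redis anywhere but sd-log. Debian's redis-server package enables its service by default, so every AppVM booted from the large template would start a listening daemon it has no use for, widening the package and process surface of exactly the VMs that handle attacker-controlled files. If the intent is only to keep the two templates' package sets aligned, a comment saying so would help; otherwise `{% if grains['id'] in ["sd-small-buster-template"] %}` keeps the large template lean. The surrounding Jinja `{% if %}`/`{% elif %}` chain continues outside this hunk.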
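Review bot: `remove-sd-rsyslog-config-for-logserver` has moved from the template branch into the `grains['id'] == "sd-log"` branch, so it now runs inside the sd-log AppVM; in Qubes an AppVM's `/etc` lives on the volatile root volume inherited from the template, so `/etc/rsyslog.d/sdlog.conf` reappears at the next boot of sd-log unless something re-removes it. The neighbouring `sd-log-remove-rsyslog-qubes-plugin` state already manages `/rw/config/rc.local` for the same reason (its content is outside the hunk), so unless that script already deletes the file, the removal should be appended there as well, e.g. `rm -f /etc/rsyslog.d/sdlog.conf` guarded the same way the plugin removal is. A one-line comment above the state noting that the `file.absent` only covers the current boot would stop the next reader assuming it persists.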
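Review bot: Both `sd-private-volume-mimeapps-handling` branches declare the symlink without `- force: True`, so if a regular `mimeapps.list` already exists at `/home/user/.local/share/applications/` (a desktop tool writing a default handler is enough), Salt's `file.symlink` refuses to replace it and the state fails, leaving that VM on whatever handler file was there instead of the open-in-dvm default this change relies on. Adding `- force: True` (optionally with `- backupname`) to both stanzas makes the intended policy win. Separately, and pre-existing rather than introduced here, the XDG lookup order consults `~/.config/mimeapps.list` ahead of the legacy `applications/` path, so a stray file there would also override this symlink — worth confirming against the desktop environment in use and, if it applies, pairing the symlink with a `file.absent` for that path.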
diff --git a/dom0/sd-proxy-files.sls b/dom0/sd-proxy-files.sls new file mode 100644 index 00000000..cca71a79 --- /dev/null +++ b/dom0/sd-proxy-files.sls @@ -0,0 +1,15 @@ +# -*- coding: utf-8 -*- +# vim: set syntax=yaml ts=2 sw=2 sts=2 et : +{% import_json "sd/config.json" as d %} + +install-securedrop-proxy-yaml-config: + file.managed: + - name: /home/user/.securedrop_proxy/sd-proxy.yaml + - source: salt://sd/sd-proxy/sd-proxy.yaml + - makedirs: True + - template: jinja + - user: user + - group: user + - context: + hostname: {{ d.hidserv.hostname }} + - mode: 0644 diff --git a/dom0/sd-proxy-template-files.sls b/dom0/sd-proxy-template-files.sls index de9a7a04..bf4c03d3 100644 --- a/dom0/sd-proxy-template-files.sls +++ b/dom0/sd-proxy-template-files.sls @@ -4,23 +4,6 @@ include: - fpf-apt-test-repo - sd-logging-setup -sd-proxy-do-not-open-here-script: - file.managed: - - name: /usr/bin/do-not-open-here - - source: salt://sd/sd-proxy/do-not-open-here - - user: root - - group: root - - mode: 755 - -sd-proxy-do-not-open-here-desktop-file: - file.managed: - - name: /usr/share/applications/do-not-open.desktop - - source: salt://sd/sd-proxy/do-not-open.desktop - - user: root - - group: root - - mode: 644 - - makedirs: True - # Depends on FPF-controlled apt repo, already present # in underlying "securedrop-workstation" base template. install-securedrop-proxy-package: @@ -30,14 +13,8 @@ install-securedrop-proxy-package: - require: - sls: fpf-apt-test-repo - -{% import_json "sd/config.json" as d %} - -install-securedrop-proxy-yaml-config: - file.managed: - - name: /etc/sd-proxy.yaml - - source: salt://sd/sd-proxy/sd-proxy.yaml - - template: jinja - - context: - hostname: {{ d.hidserv.hostname }} - - mode: 0644 +# Remove the legacy config file location +remove-legacy-sd-proxy-config: + file.absent: + - names: + - /etc/sd-proxy.yaml diff --git a/dom0/sd-proxy.sls b/dom0/sd-proxy.sls index 77d19048..2309e281 100644 --- a/dom0/sd-proxy.sls +++ b/dom0/sd-proxy.sls 
@@ -12,19 +12,6 @@ include: - sd-whonix - sd-upgrade-templates - - sd-templates - -sd-proxy-template: - qvm.vm: - - name: sd-proxy-buster-template - - clone: - - source: securedrop-workstation-buster - - label: blue - - tags: - - add: - - sd-workstation - - sd-buster - - sd-workstation-updates sd-proxy: qvm.vm: diff --git a/dom0/sd-small-template-files.sls b/dom0/sd-small-template-files.sls deleted file mode 100644 index e4714ecf..00000000 --- a/dom0/sd-small-template-files.sls +++ /dev/null @@ -1,22 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: set syntax=yaml ts=2 sw=2 sts=2 et : - -## -# sd-small-template-files -# ======== -# -# Installs packages on small template (used by sd-app, sd-gpg, sd-log, sd-proxy) -# -## -include: - - fpf-apt-test-repo - - sd-logging-setup - -# FPF repo is setup in "securedrop-workstation" template -install-small-template-securedrop-packages: - pkg.installed: - - pkgs: - - securedrop-client - - securedrop-proxy - - require: - - sls: fpf-apt-test-repo diff --git a/dom0/sd-templates.sls b/dom0/sd-templates.sls deleted file mode 100644 index 4013cc8f..00000000 --- a/dom0/sd-templates.sls +++ /dev/null 
@@ -1,41 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: set syntax=yaml ts=2 sw=2 sts=2 et : - -# -# Installs consolidated templateVMs: -# - sd-small-buster-template, to be used for -# sd-app, sd-log, and sd-proxy -# - sd-large-buster-template, to be used for -# sd-export and sd-viewer -## -include: - - sd-workstation-template - - sd-upgrade-templates - -sd-small-buster-template: - qvm.vm: - - name: sd-small-buster-template - - clone: - - source: securedrop-workstation-buster - - label: red - - tags: - - add: - - sd-workstation - - sd-buster - - sd-workstation-updates - - require: - - sls: sd-workstation-template - - sls: sd-upgrade-templates - -sd-large-buster-template: - qvm.vm: - - name: sd-large-buster-template - - clone: - - source: securedrop-workstation-buster - - label: red - - tags: - - add: - - sd-workstation - - require: - - sls: sd-workstation-template - diff --git a/dom0/sd-viewer-files.sls b/dom0/sd-viewer-files.sls index 3503b7c6..5b5a9bf8 100644 --- a/dom0/sd-viewer-files.sls +++ b/dom0/sd-viewer-files.sls @@ -14,11 +14,10 @@ include: - fpf-apt-test-repo - sd-logging-setup -sd-viewer-install-mimetype-handler-package: +sd-viewer-install-metapackage: pkg.installed: - pkgs: - - securedrop-workstation-svs-disp - - evince + - securedrop-workstation-viewer - require: - sls: fpf-apt-test-repo diff --git a/dom0/sd-viewer.sls b/dom0/sd-viewer.sls index 608dcfde..dc078967 100644 --- a/dom0/sd-viewer.sls +++ b/dom0/sd-viewer.sls 
@@ -15,28 +15,14 @@ include: - sd-workstation-template - sd-upgrade-templates -sd-viewer-template: - qvm.vm: - - name: sd-viewer-buster-template - - clone: - - source: securedrop-workstation-buster - - label: green - - tags: - - add: - - sd-workstation - - sd-workstation-updates - - require: - - sls: sd-workstation-template - - sls: sd-upgrade-templates - sd-viewer: qvm.vm: - name: sd-viewer - present: - - template: sd-viewer-buster-template + - template: sd-large-buster-template - label: green - prefs: - - template: sd-viewer-buster-template + - template: sd-large-buster-template - netvm: "" - template_for_dispvms: True - tags: @@ -48,7 +34,7 @@ sd-viewer: - enable: - service.paxctld - require: - - qvm: sd-viewer-buster-template + - qvm: sd-large-buster-template sd-viewer-default-dispvm: cmd.run: diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls index 91e35a49..846b51ba 100644 --- a/dom0/sd-workstation-template.sls +++ b/dom0/sd-workstation-template.sls @@ -21,3 +21,36 @@ sd-workstation-template: - service.paxctld - require: - pkg: dom0-install-securedrop-workstation-template + +# Installs consolidated templateVMs: +# - sd-small-buster-template, to be used for +# sd-app, sd-gpg, sd-log, and sd-proxy +# - sd-large-buster-template, to be used for +# sd-export and sd-viewer +sd-small-buster-template: + qvm.vm: + - name: sd-small-buster-template + - clone: + - source: securedrop-workstation-buster + - label: red + - tags: + - add: + - sd-workstation + - sd-buster + - sd-workstation-updates + - require: + - qvm: sd-workstation-template + +sd-large-buster-template: + qvm.vm: + - name: sd-large-buster-template + - clone: + - source: securedrop-workstation-buster + - label: red + - tags: + - add: + - sd-workstation + - sd-buster + - sd-workstation-updates + - require: + - qvm: sd-workstation-template diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top index 27bf804f..9b25a818 100644 --- a/dom0/sd-workstation.top 
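Review bot: The new header comment says the large template is `to be used for sd-export and sd-viewer`, but the VMs this series assigns to sd-large-buster-template are sd-devices/sd-devices-dvm and sd-viewer (sd-export survives only as a legacy name in the handle-upgrade removal list), so the comment should read `# - sd-large-buster-template, to be used for sd-devices and sd-viewer`. As a point of style, the two `qvm.vm` stanzas differ only in their name; a Jinja `{% for %}` over the two names would keep the clone source, label and tag list from drifting apart as they already did in the earlier sd-templates.sls, where only the small template carried `sd-workstation-updates`.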
+++ b/dom0/sd-workstation.top @@ -11,7 +11,6 @@ base: - sd-upgrade-templates - sd-dom0-qvm-rpc - sd-sys-whonix-vms - - sd-templates - sd-log - sd-devices - sd-gpg @@ -23,26 +22,20 @@ base: sd-small-buster-template: - sd-logging-setup - - sd-small-template-files + - sd-workstation-template-files + - sd-app-files + - sd-proxy-template-files sd-large-buster-template: - sd-logging-setup - - sd-large-template-files - sd-log-buster-template: - - sd-logging-setup - sd-devices-buster-template: + - sd-workstation-template-files - sd-devices-files + - sd-viewer-files sd-gpg: - sd-gpg-files - sd-logging-setup - sd-proxy-buster-template: - - sd-proxy-template-files sd-app: - sd-app-config - sd-mime-handling - sd-viewer-buster-template: - - sd-viewer-files - sd-app-buster-template: - - sd-app-files sys-firewall: - sd-sys-firewall-files sd-whonix: @@ -59,8 +52,13 @@ base: - sd-logging-setup sd-viewer: - sd-mime-handling + sd-devices: + - sd-mime-handling sd-devices-dvm: - sd-mime-handling + sd-proxy: + - sd-proxy-files + - sd-mime-handling # "Placeholder" config to trigger TemplateVM boots, # so upgrades can be applied automatically via cron. diff --git a/dom0/securedrop-handle-upgrade b/dom0/securedrop-handle-upgrade index 3c3ec8e9..34c8fb95 100755 --- a/dom0/securedrop-handle-upgrade +++ b/dom0/securedrop-handle-upgrade @@ -15,7 +15,7 @@ if [[ $TASK == "prepare" ]]; then # sd-app, we simply shutdown the machine as we want to preserve the data if qvm-check sd-app --quiet; then BASE_TEMPLATE=$(qvm-prefs sd-app template) - if [[ ! $BASE_TEMPLATE =~ "buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then if qvm-check --running sd-app; then qvm-shutdown --wait sd-app fi 
@@ -30,7 +30,7 @@ if [[ $TASK == "prepare" ]]; then
     # provisioning process runs again and sets that value to sd-viewer
     if qvm-check --quiet sd-viewer; then
         BASE_TEMPLATE=$(qvm-prefs sd-viewer template)
-        if [[ ! $BASE_TEMPLATE =~ "buster" ]]; then
+        if [[ ! $BASE_TEMPLATE =~ "large-buster" ]]; then
             qubes-prefs default_dispvm ''
             qvm-shutdown --wait sd-viewer
             qvm-remove -f sd-viewer
@@ -39,7 +39,7 @@ if [[ $TASK == "prepare" ]]; then
 
     if qvm-check --quiet sd-devices; then
         BASE_TEMPLATE=$(qvm-prefs sd-devices-dvm template)
-        if [[ ! $BASE_TEMPLATE =~ "buster" ]]; then
+        if [[ ! $BASE_TEMPLATE =~ "large-buster" ]]; then
             qvm-shutdown --wait sd-devices
             qvm-shutdown --wait sd-devices-dvm
             qvm-remove -f sd-devices
@@ -52,7 +52,7 @@ if [[ $TASK == "prepare" ]]; then
     # shutdown if a client is connected.
     if qvm-check --quiet sd-proxy; then
         BASE_TEMPLATE=$(qvm-prefs sd-proxy template)
-        if [[ ! $BASE_TEMPLATE =~ "buster" ]]; then
+        if [[ ! $BASE_TEMPLATE =~ "large-buster" ]]; then
             qvm-shutdown --wait sd-proxy
         fi
     fi
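Review bot: In the `@@ -52,7 +52,7 @@` hunk the sd-proxy check now matches `"large-buster"`, but sd-proxy is assigned sd-small-buster-template elsewhere in this series (the Makefile target's `--targets sd-small-buster-template,sd-proxy` and the template comment in sd-workstation-template.sls), so once migrated the condition is always true and sd-proxy is shut down on every prepare run, which the comment above it says is meant to be avoided when a client is connected. The line should be `if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then`, matching the sd-app and sd-gpg checks. The sd-viewer and sd-devices hunks on this line correctly use `"large-buster"`.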
@@ -80,17 +80,28 @@ if [[ $TASK == "prepare" ]]; then
         fi
     fi
 
-    # Finally for sd-gpg, we simply shutdown the machine
+    # For sd-gpg, we simply shutdown the machine
     if qvm-check --quiet sd-gpg; then
         BASE_TEMPLATE=$(qvm-prefs sd-gpg template)
-        if [[ ! $BASE_TEMPLATE =~ "buster" ]]; then
+        if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then
             qvm-shutdown --wait sd-gpg
         fi
     fi
+
+    # Shut down sd-log last, since other VMs will autostart it by sending logs
+    if qvm-check --quiet sd-log; then
+        BASE_TEMPLATE=$(qvm-prefs sd-log template)
+        if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then
+            qvm-shutdown --wait sd-log
+        fi
+    fi
 elif [[ $TASK == "remove" ]]; then
     # For each template, ensure the TemplateVM exists, that it is shut down
     # before deleting it.
-    for template in sd-app-template sd-viewer-template sd-devices-template sd-proxy-template
+    for template in sd-app-template sd-viewer-template sd-devices-template sd-proxy-template \
+        sd-svs-template sd-svs-disp-template sd-export-template sd-proxy-template \
+        sd-svs-buster-template sd-export-buster-template sd-svs-disp-buster-template sd-app-buster-template \
+        sd-viewer-buster-template sd-proxy-buster-template sd-devices-buster-template sd-log-buster-template
     do
         if qvm-check "${template}" --quiet; then
             if qvm-check --running "${template}"; then
diff --git a/sd-proxy/do-not-open-here b/sd-proxy/do-not-open-here
deleted file mode 100755
index 982a6ece..00000000
--- a/sd-proxy/do-not-open-here
+++ /dev/null
@@ -1,14 +0,0 @@
-#!/usr/bin/env python3
-
-import sys
-from PyQt5 import Qt
-
-
-a = Qt.QApplication(sys.argv)
-
-nope = Qt.QLabel(
-    "Please do not use this VM to open any files" " aside from those downloaded from SecureDrop."
-)
-
-nope.show()
-a.exec_()
diff --git a/sd-proxy/do-not-open.desktop b/sd-proxy/do-not-open.desktop
deleted file mode 100644
index 0d5e188d..00000000
--- a/sd-proxy/do-not-open.desktop
+++ /dev/null
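Review bot: `sd-proxy-template` appears twice in the extended `for template in` list (at the end of the first line and again on the second continuation line), which is harmless since the loop only checks and removes what exists, but reads like a copy-paste slip; drop the second occurrence. The list is now long enough that a short comment above it naming the generations it covers (`# Stretch-era, Buster-era and per-role Buster templates superseded by sd-{small,large}-buster-template`) would make later additions easier to review. The loop body continues outside the hunk.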
@@ -1,4 +0,0 @@
-[Desktop Entry]
-Type=Application
-Name=Do Not Open On This VM
-Exec=/usr/bin/do-not-open-here
diff --git a/sd-proxy/mimeapps.list b/sd-proxy/mimeapps.list
new file mode 100644
index 00000000..6146494b
--- /dev/null
+++ b/sd-proxy/mimeapps.list
@@ -0,0 +1,297 @@ +[Default Applications] +application/pgp-encrypted=do-not-open.desktop; +application/zip=do-not-open.desktop; +application/x-dia-diagram=do-not-open.desktop; +text/x-vcard=do-not-open.desktop; +text/directory=do-not-open.desktop; +text/calendar=do-not-open.desktop; +application/x-cd-image=do-not-open.desktop; +application/x-raw-disk-image=do-not-open.desktop; +application/x-raw-disk-image-xz-compressed=do-not-open.desktop; +image/x-compressed-xcf=do-not-open.desktop; +image/x-xcf=do-not-open.desktop; +image/x-psd=do-not-open.desktop; +image/x-fits=do-not-open.desktop; +image/bmp=do-not-open.desktop; +image/gif=do-not-open.desktop; +image/x-icb=do-not-open.desktop; +image/x-ico=do-not-open.desktop; +image/x-pcx=do-not-open.desktop; +image/x-portable-anymap=do-not-open.desktop; +image/x-portable-bitmap=do-not-open.desktop; +image/x-portable-graymap=do-not-open.desktop; +image/x-portable-pixmap=do-not-open.desktop; +image/x-xbitmap=do-not-open.desktop; +image/x-xpixmap=do-not-open.desktop; +image/svg+xml=do-not-open.desktop; +application/vnd.ms-word=do-not-open.desktop; +application/vnd.wordperfect=do-not-open.desktop; +application/vnd.sun.xml.writer=do-not-open.desktop; +application/vnd.sun.xml.writer.global=do-not-open.desktop; +application/vnd.sun.xml.writer.template=do-not-open.desktop; +application/vnd.stardivision.writer=do-not-open.desktop; +application/vnd.oasis.opendocument.text=do-not-open.desktop; +application/vnd.oasis.opendocument.text-template=do-not-open.desktop; +application/vnd.oasis.opendocument.text-web=do-not-open.desktop; +application/vnd.oasis.opendocument.text-master=do-not-open.desktop; +application/vnd.openxmlformats-officedocument.wordprocessingml.document=do-not-open.desktop; +application/vnd.openxmlformats-officedocument.wordprocessingml.template=do-not-open.desktop; +application/vnd.ms-excel=do-not-open.desktop; +application/vnd.stardivision.calc=do-not-open.desktop; +application/vnd.sun.xml.calc=do-not-open.desktop; 
+application/vnd.sun.xml.calc.template=do-not-open.desktop; +application/vnd.openxmlformats-officedocument.spreadsheetml.sheet=do-not-open.desktop; +application/vnd.openxmlformats-officedocument.spreadsheetml.template=do-not-open.desktop; +application/vnd.oasis.opendocument.spreadsheet=do-not-open.desktop; +application/vnd.oasis.opendocument.spreadsheet-template=do-not-open.desktop; +application/vnd.ms-powerpoint=do-not-open.desktop; +application/vnd.stardivision.impress=do-not-open.desktop; +application/vnd.sun.xml.impress=do-not-open.desktop; +application/vnd.sun.xml.impress.template=do-not-open.desktop; +application/vnd.oasis.opendocument.presentation=do-not-open.desktop; +application/vnd.oasis.opendocument.presentation-template=do-not-open.desktop; +application/vnd.openxmlformats-officedocument.presentationml.presentation=do-not-open.desktop; +application/vnd.openxmlformats-officedocument.presentationml.template=do-not-open.desktop; +application/vnd.stardivision.draw=do-not-open.desktop; +application/vnd.sun.xml.draw=do-not-open.desktop; +application/vnd.sun.xml.draw.template=do-not-open.desktop; +application/vnd.oasis.opendocument.graphics=do-not-open.desktop; +application/vnd.oasis.opendocument.graphics-template=do-not-open.desktop; +application/vnd.oasis.opendocument.formula=do-not-open.desktop; +application/vnd.sun.xml.math=do-not-open.desktop; +application/vnd.stardivision.math=do-not-open.desktop; +application/vnd.oasis.opendocument.database=do-not-open.desktop; +application/vnd.sun.xml.base=do-not-open.desktop; +application/pdf=do-not-open.desktop; +application/postscript=do-not-open.desktop; +application/x-qw=do-not-open.desktop; +application/x-gnucash=do-not-open.desktop; +application/vnd.lotus-1-2-3=do-not-open.desktop; +application/x-oleo=do-not-open.desktop; +application/x-gnumeric=do-not-open.desktop; +application/x-xbase=do-not-open.desktop; +application/x-abiword=do-not-open.desktop; +application/x-dvi=do-not-open.desktop; 
+application/x-catalog=do-not-open.desktop; +application/x-rpm=do-not-open.desktop; +text/csv=do-not-open.desktop; +text/plain=do-not-open.desktop; +text/html=do-not-open.desktop; +application/xhtml+xml=do-not-open.desktop; +inode/directory=do-not-open.desktop; +x-content/blank-cd=do-not-open.desktop; +x-content/blank-dvd=do-not-open.desktop; +x-content/blank-bd=do-not-open.desktop; +x-content/blank-hddvd=do-not-open.desktop; +x-content/video-dvd=do-not-open.desktop; +x-content/video-vcd=do-not-open.desktop; +x-content/video-svcd=do-not-open.desktop; +#x-content/video-bluray=do-not-open.desktop; +#x-content/video-hddvd=do-not-open.desktop; +x-content/audio-cdda=do-not-open.desktop; +x-content/audio-dvd=do-not-open.desktop; +x-content/audio-player=do-not-open.desktop; +x-content/image-dcf=do-not-open.desktop; +x-content/image-picturecd=do-not-open.desktop; +# URI scheme handlers +x-scheme-handler/mailto=do-not-open.desktop; +x-scheme-handler/http=do-not-open.desktop; +x-scheme-handler/https=do-not-open.desktop; +application/mxf=do-not-open.desktop; +application/ogg=do-not-open.desktop; +application/ram=do-not-open.desktop; +application/sdp=do-not-open.desktop; +application/smil=do-not-open.desktop; +application/smil+xml=do-not-open.desktop; +application/vnd.apple.mpegurl=do-not-open.desktop; +application/vnd.ms-wpl=do-not-open.desktop; +application/vnd.rn-realmedia=do-not-open.desktop; +application/x-extension-m4a=do-not-open.desktop; +application/x-extension-mp4=do-not-open.desktop; +application/x-flac=do-not-open.desktop; +application/x-flash-video=do-not-open.desktop; +application/x-matroska=do-not-open.desktop; +application/x-netshow-channel=do-not-open.desktop; +application/x-ogg=do-not-open.desktop; +application/x-quicktime-media-link=do-not-open.desktop; +application/x-quicktimeplayer=do-not-open.desktop; +application/x-shorten=do-not-open.desktop; +application/x-smil=do-not-open.desktop; +application/xspf+xml=do-not-open.desktop; 
+audio/3gpp=do-not-open.desktop; +audio/ac3=do-not-open.desktop; +audio/AMR=do-not-open.desktop; +audio/AMR-WB=do-not-open.desktop; +audio/basic=do-not-open.desktop; +audio/midi=do-not-open.desktop; +audio/mp2=do-not-open.desktop; +audio/mp4=do-not-open.desktop; +audio/mpeg=do-not-open.desktop; +audio/mpegurl=do-not-open.desktop; +audio/ogg=do-not-open.desktop; +audio/prs.sid=do-not-open.desktop; +audio/vnd.rn-realaudio=do-not-open.desktop; +audio/x-aiff=do-not-open.desktop; +audio/x-ape=do-not-open.desktop; +audio/x-flac=do-not-open.desktop; +audio/x-gsm=do-not-open.desktop; +audio/x-it=do-not-open.desktop; +audio/x-m4a=do-not-open.desktop; +audio/x-matroska=do-not-open.desktop; +audio/x-mod=do-not-open.desktop; +audio/x-mp3=do-not-open.desktop; +audio/x-mpeg=do-not-open.desktop; +audio/x-mpegurl=do-not-open.desktop; +audio/x-ms-asf=do-not-open.desktop; +audio/x-ms-asx=do-not-open.desktop; +audio/x-ms-wax=do-not-open.desktop; +audio/x-ms-wma=do-not-open.desktop; +audio/x-musepack=do-not-open.desktop; +audio/x-pn-aiff=do-not-open.desktop; +audio/x-pn-au=do-not-open.desktop; +audio/x-pn-realaudio=do-not-open.desktop; +audio/x-pn-realaudio-plugin=do-not-open.desktop; +audio/x-pn-wav=do-not-open.desktop; +audio/x-pn-windows-acm=do-not-open.desktop; +audio/x-realaudio=do-not-open.desktop; +audio/x-real-audio=do-not-open.desktop; +audio/x-s3m=do-not-open.desktop; +audio/x-sbc=do-not-open.desktop; +audio/x-scpls=do-not-open.desktop; +audio/x-speex=do-not-open.desktop; +audio/x-stm=do-not-open.desktop; +audio/x-tta=do-not-open.desktop; +audio/x-wav=do-not-open.desktop; +audio/x-wavpack=do-not-open.desktop; +audio/x-vorbis=do-not-open.desktop; +audio/x-vorbis+ogg=do-not-open.desktop; +audio/x-xm=do-not-open.desktop; +image/vnd.rn-realpix=do-not-open.desktop; +image/x-pict=do-not-open.desktop; +misc/ultravox=do-not-open.desktop; +text/google-video-pointer=do-not-open.desktop; +text/x-google-video-pointer=do-not-open.desktop; +video/3gp=do-not-open.desktop; 
+video/3gpp=do-not-open.desktop; +video/dv=do-not-open.desktop; +video/divx=do-not-open.desktop; +video/fli=do-not-open.desktop; +video/flv=do-not-open.desktop; +video/mp2t=do-not-open.desktop; +video/mp4=do-not-open.desktop; +video/mp4v-es=do-not-open.desktop; +video/mpeg=do-not-open.desktop; +video/msvideo=do-not-open.desktop; +video/ogg=do-not-open.desktop; +video/quicktime=do-not-open.desktop; +video/vivo=do-not-open.desktop; +video/vnd.divx=do-not-open.desktop; +video/vnd.mpegurl=do-not-open.desktop; +video/vnd.rn-realvideo=do-not-open.desktop; +video/vnd.vivo=do-not-open.desktop; +video/webm=do-not-open.desktop; +video/x-anim=do-not-open.desktop; +video/x-avi=do-not-open.desktop; +video/x-flc=do-not-open.desktop; +video/x-fli=do-not-open.desktop; +video/x-flic=do-not-open.desktop; +video/x-flv=do-not-open.desktop; +video/x-m4v=do-not-open.desktop; +video/x-matroska=do-not-open.desktop; +video/x-mpeg=do-not-open.desktop; +video/x-mpeg2=do-not-open.desktop; +video/x-ms-asf=do-not-open.desktop; +video/x-ms-asx=do-not-open.desktop; +video/x-msvideo=do-not-open.desktop; +video/x-ms-wm=do-not-open.desktop; +video/x-ms-wmv=do-not-open.desktop; +video/x-ms-wmx=do-not-open.desktop; +video/x-ms-wvx=do-not-open.desktop; +video/x-nsv=do-not-open.desktop; +video/x-ogm+ogg=do-not-open.desktop; +video/x-theora+ogg=do-not-open.desktop; +video/x-totem-stream=do-not-open.desktop; +x-content/video-dvd=do-not-open.desktop; +x-content/video-vcd=do-not-open.desktop; +x-content/video-svcd=do-not-open.desktop; +x-scheme-handler/pnm=do-not-open.desktop; +x-scheme-handler/mms=do-not-open.desktop; +x-scheme-handler/net=do-not-open.desktop; +x-scheme-handler/rtp=do-not-open.desktop; +x-scheme-handler/rtmp=do-not-open.desktop; +x-scheme-handler/rtsp=do-not-open.desktop; +x-scheme-handler/mmsh=do-not-open.desktop; +x-scheme-handler/uvox=do-not-open.desktop; +x-scheme-handler/icy=do-not-open.desktop; +x-scheme-handler/icyx=do-not-open.desktop; 
+application/x-7z-compressed=do-not-open.desktop;
+application/x-7z-compressed-tar=do-not-open.desktop;
+application/x-ace=do-not-open.desktop;
+application/x-alz=do-not-open.desktop;
+application/x-ar=do-not-open.desktop;
+application/x-arj=do-not-open.desktop;
+application/x-bzip=do-not-open.desktop;
+application/x-bzip-compressed-tar=do-not-open.desktop;
+application/x-bzip1=do-not-open.desktop;
+application/x-bzip1-compressed-tar=do-not-open.desktop;
+application/x-cabinet=do-not-open.desktop;
+application/x-cbr=do-not-open.desktop;
+application/x-cbz=do-not-open.desktop;
+application/x-compress=do-not-open.desktop;
+application/x-compressed-tar=do-not-open.desktop;
+application/x-cpio=do-not-open.desktop;
+application/x-deb=do-not-open.desktop;
+application/x-ear=do-not-open.desktop;
+application/x-ms-dos-executable=do-not-open.desktop;
+application/x-gtar=do-not-open.desktop;
+application/x-gzip=do-not-open.desktop;
+application/x-gzpostscript=do-not-open.desktop;
+application/x-java-archive=do-not-open.desktop;
+application/x-lha=do-not-open.desktop;
+application/x-lhz=do-not-open.desktop;
+application/x-lrzip=do-not-open.desktop;
+application/x-lrzip-compressed-tar=do-not-open.desktop;
+application/x-lzip=do-not-open.desktop;
+application/x-lzip-compressed-tar=do-not-open.desktop;
+application/x-lzma=do-not-open.desktop;
+application/x-lzma-compressed-tar=do-not-open.desktop;
+application/x-lzop=do-not-open.desktop;
+application/x-lzop-compressed-tar=do-not-open.desktop;
+application/x-ms-wim=do-not-open.desktop;
+application/x-rar=do-not-open.desktop;
+application/x-rar-compressed=do-not-open.desktop;
+application/x-rzip=do-not-open.desktop;
+application/x-tar=do-not-open.desktop;
+application/x-tarz=do-not-open.desktop;
+application/x-stuffit=do-not-open.desktop;
+application/x-war=do-not-open.desktop;
+application/x-xz=do-not-open.desktop;
+application/x-xz-compressed-tar=do-not-open.desktop;
+application/x-zip=do-not-open.desktop;
+application/x-zip-compressed=do-not-open.desktop; +application/x-zoo=do-not-open.desktop; +application/x-archive=do-not-open.desktop; +application/vnd.ms-cab-compressed=do-not-open.desktop; +application/x-source-rpm=do-not-open.desktop; +image/bmp=do-not-open.desktop; +image/gif=do-not-open.desktop; +image/jpeg=do-not-open.desktop; +image/jpg=do-not-open.desktop; +image/pjpeg=do-not-open.desktop; +image/png=do-not-open.desktop; +image/tiff=do-not-open.desktop; +image/x-bmp=do-not-open.desktop; +image/x-gray=do-not-open.desktop; +image/x-icb=do-not-open.desktop; +image/x-ico=do-not-open.desktop; +image/x-png=do-not-open.desktop; +image/x-portable-anymap=do-not-open.desktop; +image/x-portable-bitmap=do-not-open.desktop; +image/x-portable-graymap=do-not-open.desktop; +image/x-portable-pixmap=do-not-open.desktop; +image/x-xbitmap=do-not-open.desktop; +image/x-xpixmap=do-not-open.desktop; +image/x-pcx=do-not-open.desktop; +image/svg+xml=do-not-open.desktop; +image/svg+xml-compressed=do-not-open.desktop; +image/vnd.wap.wbmp=do-not-open.desktop; diff --git a/tests/base.py b/tests/base.py index 7c440aff..7fcef9b6 100644 --- a/tests/base.py +++ b/tests/base.py @@ -67,8 +67,14 @@ def _package_is_installed(self, pkg): Confirms that a given package is installed inside the VM. """ # dpkg --verify will exit non-zero for a non-installed pkg, - # and dom0 will percolate that error code - subprocess.check_call(["qvm-run", "-a", "-q", self.vm_name, "dpkg --verify {}".format(pkg)]) + # catch that and return False + try: + subprocess.check_call( + ["qvm-run", "-a", "-q", self.vm_name, "dpkg --verify {}".format(pkg)] + ) + except subprocess.CalledProcessError: + return False + return True def assertFilesMatch(self, remote_path, local_path): diff --git a/tests/test_dom0_config.py b/tests/test_dom0_config.py index 3f10887f..2c596f9c 100644 --- a/tests/test_dom0_config.py +++ b/tests/test_dom0_config.py 
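Review bot: The new `except subprocess.CalledProcessError: return False` in `_package_is_installed` maps every failure of the qvm-run invocation to "not installed", so a VM that is not running or a refused qrexec call is indistinguishable from a missing package; the negative check added to `test_sd_viewer_metapackage_installed` in tests/test_viewer.py would then pass for the wrong reason. If qvm-run propagates the remote exit status, dpkg's fatal-error code for an unknown package can be told apart from other failures, e.g. `except subprocess.CalledProcessError as e:` / `if e.returncode == 2: return False` / `raise`, but that mapping should be confirmed on the target release before relying on it. The docstring still reads "Confirms that a given package is installed"; now that the helper returns a bool, `Returns True if dpkg reports the package installed inside the VM, False otherwise.` describes it. The `def` line of the method sits above the hunk.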
@@ -10,13 +10,16 @@ "sd-svs-buster-template", "sd-export-buster-template", "sd-svs-disp-buster-template", -] - -VMS_TO_UPDATE = [ "sd-app-buster-template", "sd-viewer-buster-template", "sd-proxy-buster-template", "sd-devices-buster-template", + "sd-log-buster-template", +] + +VMS_TO_UPDATE = [ + "sd-large-buster-template", + "sd-small-buster-template", "whonix-ws-15", "whonix-gw-15", "securedrop-workstation-buster", diff --git a/tests/test_proxy_vm.py b/tests/test_proxy_vm.py index f85a1c21..13b01e56 100644 --- a/tests/test_proxy_vm.py +++ b/tests/test_proxy_vm.py @@ -1,5 +1,6 @@ import unittest import json +import subprocess from base import SD_VM_Local_Test @@ -10,7 +11,11 @@ def setUp(self): super(SD_Proxy_Tests, self).setUp() def test_do_not_open_here(self): - self.assertFilesMatch("/usr/bin/do-not-open-here", "sd-proxy/do-not-open-here") + """ + The do-not-open here script has been removed from sd-proxy. + All VMs now default to using open-in-dvm. + """ + assert not self._fileExists("/usr/bin/do-not-open-here") def test_sd_proxy_package_installed(self): self.assertTrue(self._package_is_installed("securedrop-proxy")) @@ -20,6 +25,9 @@ def test_sd_proxy_yaml_config(self): config = json.load(c) hostname = config["hidserv"]["hostname"] + # Config file moved to private volume during template consolidation + assert not self._fileExists("/etc/sd-proxy.yaml") + wanted_lines = [ "host: {}".format(hostname), "scheme: http", 
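Review bot: `assert not self._fileExists("/usr/bin/do-not-open-here")` in `test_do_not_open_here`, and the `assert not self._fileExists("/etc/sd-proxy.yaml")` added to `test_sd_proxy_yaml_config` in the next hunk, use a bare `assert` in a class whose other checks go through unittest methods (see `self.assertTrue(self._package_is_installed("securedrop-proxy"))` right below). Bare asserts are stripped under `python -O` and produce a less informative failure; `self.assertFalse(self._fileExists("/usr/bin/do-not-open-here"))` keeps the file consistent. The `/etc/sd-proxy.yaml` absence check is also unrelated to the yaml-content assertions it is spliced into and would read better as its own test, mirroring `test_do_not_open_here`.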
@@ -28,7 +36,25 @@ def test_sd_proxy_yaml_config(self): "dev: False", ] for line in wanted_lines: - self.assertFileHasLine("/etc/sd-proxy.yaml", line) + self.assertFileHasLine("/home/user/.securedrop_proxy/sd-proxy.yaml", line) + + def test_sd_proxy_writable_config_dir(self): + # Directory must be writable by normal user. If owned by root, + # sd-proxy can't write logs, and will fail, blocking client logins. + result = False + try: + self._run("test -w /home/user/.securedrop_proxy") + result = True + except subprocess.CalledProcessError: + pass + self.assertTrue(result) + + def test_sd_proxy_rpc_spec(self): + wanted_lines = [ + "/usr/bin/sd-proxy /home/user/.securedrop_proxy/sd-proxy.yaml", + ] + for line in wanted_lines: + self.assertFileHasLine("/etc/qubes-rpc/securedrop.Proxy", line) def test_whonix_ws_repo_absent(self): """ @@ -43,14 +69,12 @@ def test_logging_configured(self): self.logging_configured() def test_mime_types(self): - with open("sd-proxy/mimeapps.list", "r") as f: - lines = f.readlines() - for line in lines: - if line != "[Default Applications]\n" and not line.startswith("#"): - mime_type = line.split("=")[0] - expected_app = line.split("=")[1].split(";")[0] - actual_app = self._run("xdg-mime query default {}".format(mime_type)) - self.assertEqual(actual_app, expected_app) + cmd = "perl -F= -lane 'print $F[0]' /usr/share/applications/mimeapps.list" + results = self._run(cmd) + for line in results.split("\n"): + if line != "[Default Applications]" and not line.startswith("#"): + actual_app = self._run("xdg-mime query default {}".format(line)) + self.assertEqual(actual_app, "open-in-dvm.desktop") def test_gpg_domain_configured(self): self.qubes_gpg_domain_configured(self.vm_name) diff --git a/tests/test_viewer.py b/tests/test_viewer.py index 8e4e4a23..55309600 100644 --- a/tests/test_viewer.py +++ b/tests/test_viewer.py 
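Review bot: The try/except/flag construction in `test_sd_proxy_writable_config_dir` adds nothing over letting `self._run("test -w /home/user/.securedrop_proxy")` raise: an unhandled `CalledProcessError` fails the test and keeps the failing command in the traceback, whereas `self.assertTrue(result)` reports only `False is not true`. Reducing the body to the single `self._run(...)` call under the existing comment would be clearer. Since `test_sd_proxy_rpc_spec` pins the qrexec service to a config path inside that same user-writable directory, a one-line comment stating that the config is intentionally user-modifiable (it lives on the private volume, per the comment in the previous hunk) would spare the next reader the question of whether the writability requirement and the RPC spec conflict.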
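Review bot: The rewritten `test_mime_types` takes its list of MIME types from the VM's own `/usr/share/applications/mimeapps.list`, so it now checks only that the deployed file is self-consistent; the removed version compared the VM against the repository copy, which also caught a type that was dropped from the deployed file. Keeping a repository-side list of required types (or the shipped `mimeapps.list`) as the source of truth and asserting each maps to `open-in-dvm.desktop` would preserve that coverage. Separately, unless `_run` strips the trailing newline, `results.split("\n")` ends with an empty string that is handed to `xdg-mime query default` as an empty argument; `if not line or line.startswith(("[", "#")): continue` skips blanks and any section header, not just `[Default Applications]`.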
@@ -9,9 +9,9 @@ def setUp(self): self.vm_name = "sd-viewer" super(SD_Viewer_Tests, self).setUp() - def test_sd_svs_disp_config_package_installed(self): - pkg = "securedrop-workstation-svs-disp" - self.assertTrue(self._package_is_installed(pkg)) + def test_sd_viewer_metapackage_installed(self): + self.assertTrue(self._package_is_installed("securedrop-workstation-viewer")) + self.assertFalse(self._package_is_installed("securedrop-workstation-svs-disp")) def test_sd_viewer_evince_installed(self): pkg = "evince" diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py index 4e4f1cc2..070ad06f 100644 --- a/tests/test_vms_exist.py +++ b/tests/test_vms_exist.py @@ -68,7 +68,7 @@ def test_sd_proxy_config(self): vm = self.app.domains["sd-proxy"] nvm = vm.netvm self.assertTrue(nvm.name == "sd-whonix") - self.assertTrue(vm.template == "sd-proxy-buster-template") + self.assertTrue(vm.template == "sd-small-buster-template") self.assertTrue(vm.autostart is True) self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) @@ -78,7 +78,7 @@ def test_sd_app_config(self): vm = self.app.domains["sd-app"] nvm = vm.netvm self.assertTrue(nvm is None) - self.assertTrue(vm.template == "sd-app-buster-template") + self.assertTrue(vm.template == "sd-small-buster-template") self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) self._check_kernel(vm) @@ -96,7 +96,7 @@ def test_sd_viewer_config(self): vm = self.app.domains["sd-viewer"] nvm = vm.netvm self.assertTrue(nvm is None) - self.assertTrue(vm.template == "sd-viewer-buster-template") + self.assertTrue(vm.template == "sd-large-buster-template") self.assertFalse(vm.provides_network) self.assertTrue(vm.template_for_dispvms) self._check_kernel(vm) 
@@ -108,7 +108,7 @@ def test_sd_gpg_config(self): nvm = vm.netvm self.assertTrue(nvm is None) # No sd-gpg-template, since keyring is managed in $HOME - self.assertTrue(vm.template == "securedrop-workstation-buster") + self.assertTrue(vm.template == "sd-small-buster-template") self.assertTrue(vm.autostart is True) self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) @@ -119,7 +119,7 @@ def test_sd_log_config(self): vm = self.app.domains["sd-log"] nvm = vm.netvm self.assertTrue(nvm is None) - self.assertTrue(vm.template == "sd-log-buster-template") + self.assertTrue(vm.template == "sd-small-buster-template") self.assertTrue(vm.autostart is True) self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) @@ -146,27 +146,27 @@ def test_sd_workstation_template(self): self._check_service_running(vm, "paxctld") def test_sd_proxy_template(self): - vm = self.app.domains["sd-proxy-buster-template"] + vm = self.app.domains["sd-small-buster-template"] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) def sd_app_template(self): - vm = self.app.domains["sd-app-buster-template"] + vm = self.app.domains["sd-small-buster-template"] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) self._check_kernel(vm) def sd_viewer_template(self): - vm = self.app.domains["sd-viewer-buster-template"] + vm = self.app.domains["sd-large-buster-template"] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) self.assertTrue(vm.template_for_dispvms) def sd_export_template(self): - vm = self.app.domains["sd-devices-buster-template"] + vm = self.app.domains["sd-large-buster-template"] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) 
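Review bot: The comment `# No sd-gpg-template, since keyring is managed in $HOME` now contradicts the assertion directly below it, which expects sd-gpg to use `sd-small-buster-template`. Updating it to `# sd-gpg shares the small consolidated template; the keyring is still managed in $HOME` keeps the rationale without the stale claim. The body of `test_sd_gpg_config` starts above the hunk.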
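Review bot: After this hunk `test_sd_proxy_template` and `sd_app_template` both open `sd-small-buster-template` and assert the same netvm and tag facts, and `sd_viewer_template`/`sd_export_template` both open `sd-large-buster-template`; with dedicated `sd_small_template`/`sd_large_template` added in the following hunk, the per-role template checks are duplicates that will drift apart. Folding the extra assertions (`self._check_kernel(vm)`, `self.assertTrue(vm.template_for_dispvms)`) into the two consolidated-template tests and deleting the per-role ones would leave one place to maintain. Note the tail of `sd_export_template` continues past the hunk.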
@@ -189,8 +189,16 @@ def sd_export(self): self.assertTrue("sd-workstation" in vm.tags) self._check_kernel(vm) - def sd_log_template(self): - vm = self.app.domains["sd-log-buster-template"] + def sd_small_template(self): + vm = self.app.domains["sd-small-buster-template"] + nvm = vm.netvm + self.assertTrue(nvm is None) + self.assertTrue("sd-workstation" in vm.tags) + self.assertFalse(vm.template_for_dispvms) + self._check_kernel(vm) + + def sd_large_template(self): + vm = self.app.domains["sd-large-buster-template"] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) From 8d1b68dcd497c757db9babf2da8b59356c6d9007 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Tue, 6 Oct 2020 18:21:44 -0700 Subject: [PATCH 09/18] More reliable dev rpm installation Follow up to [PR]. When running "make clone && make prep-dev" repeatedly in dom0 during development, the dnf cache in dom0 gets out of sync, and gets confused about whether the "securedrop-workstation-dom0-config" package is installed. Running "sudo dnf clean all" purges the cache and keeps things working smoothly. --- scripts/prep-dev | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/prep-dev b/scripts/prep-dev index 34bb458d..5db90647 100755 --- a/scripts/prep-dev +++ b/scripts/prep-dev @@ -22,6 +22,7 @@ fi echo "Deploying Salt config..." echo "Uninstalling any previous RPM versions..." +sudo dnf clean all sudo dnf remove -y securedrop-workstation-dom0-config || true echo "Installing RPM at $latest_rpm ..." sudo dnf install -y "$latest_rpm" From 79212743702210dfea11f354121c4abb49843e75 Mon Sep 17 00:00:00 2001 
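Review bot: `sd_small_template` and `sd_large_template` lack the `test_` prefix, so the unittest loader never collects them and the new assertions (including `self.assertFalse(vm.template_for_dispvms)`) never run; compare `test_sd_proxy_template` and `test_sd_log_config` in the same file. Renaming them to `test_sd_small_template` and `test_sd_large_template` fixes that; the same applies to `sd_app_template`, `sd_viewer_template`, `sd_export_template` and `sd_export`, which this series edits but which were already uncollected. The end of `sd_large_template` is outside the hunk.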
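Review bot: `sudo dnf clean all` discards cached metadata and downloaded packages for every repository on each `make prep-dev`, so the following `dnf remove`/`dnf install` likely refetch repository metadata through dom0's update proxy every time. The description attributes the problem to dnf being confused about whether `securedrop-workstation-dom0-config` is installed; if `sudo dnf clean metadata` (or `expire-cache`) also clears that state, it is the cheaper choice, and a short comment such as `# dnf's cache goes stale across repeated local RPM installs; purge it first` would record why the line exists.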
From: Conor Schaefer Date: Tue, 6 Oct 2020 08:49:28 -0700 Subject: [PATCH 10/18] GUI updater: support rerunning all states Adds a "securedrop-check-migration" script that will drop a flag in /tmp/, for the updater's consumption, if the updater should rerun all salt states, rather than just package upgrades. Required for significant changes like template consolidation. --- MANIFEST.in | 1 + dom0/sd-remove-unused-templates.sls | 20 ++++++++++ dom0/sd-upgrade-templates.sls | 9 +++++ dom0/securedrop-check-migration | 32 +++++++++++++++ launcher/sdw_updater_gui/Updater.py | 39 ++++++++++++++++--- launcher/sdw_updater_gui/UpdaterApp.py | 3 ++ launcher/tests/test_updater.py | 24 ++++++------ .../securedrop-workstation-dom0-config.spec | 1 + 8 files changed, 111 insertions(+), 18 deletions(-) create mode 100755 dom0/securedrop-check-migration diff --git a/MANIFEST.in b/MANIFEST.in index 199f0ba2..4bfdbeb6 100644 --- a/MANIFEST.in +++ b/MANIFEST.in @@ -8,6 +8,7 @@ include dom0/sdw-admin include dom0/securedrop-login include dom0/securedrop-launcher.desktop include dom0/securedrop-handle-upgrade +include dom0/securedrop-check-migration include dom0/update-xfce-settings include config.json.example include README.md diff --git a/dom0/sd-remove-unused-templates.sls b/dom0/sd-remove-unused-templates.sls index 226a0fa8..ca519582 100644 --- a/dom0/sd-remove-unused-templates.sls +++ b/dom0/sd-remove-unused-templates.sls @@ -1,7 +1,27 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : + +# Make sure the "prepare" step has run first, otherwise there's +# a race between migration and removal. +include: + - sd-upgrade-templates + - sd-log + - sd-devices + - sd-gpg + - sd-proxy + - sd-viewer + - sd-app + run-remove-upgrade-scripts: cmd.script: - name: salt://securedrop-handle-upgrade - args: remove + - require: + - sls: sd-upgrade-templates + - sls: sd-log + - sls: sd-devices + - sls: sd-gpg + - sls: sd-proxy + - sls: sd-viewer + - sls: sd-app 
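Review bot: The comment above `include:` only explains the `sd-upgrade-templates` dependency ("prepare" must run first), while the `require:` list added to `run-remove-upgrade-scripts` also gates removal on all six AppVM states; the reason for that second set is not stated. A line such as `# Also require every AppVM state, so the old templates are only removed once all VMs have been re-pointed at the consolidated ones` (hedged to whatever the handle-upgrade script actually checks) would make the intent explicit. The include and require lists repeat the same seven names, so a change to one must be mirrored in the other; a comment noting that coupling would help.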
diff --git a/dom0/sd-upgrade-templates.sls b/dom0/sd-upgrade-templates.sls index 7b3f276b..e399de94 100644 --- a/dom0/sd-upgrade-templates.sls +++ b/dom0/sd-upgrade-templates.sls @@ -1,7 +1,16 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : +# If the entire config must be reapplied, the "check-migration" script +# will drop a flag on disk in dom0 that the GUI updater will find, +# conditionally enabling a longer run. +determine-whether-migration-required: + cmd.script: + - name: salt://securedrop-check-migration + run-prep-upgrade-scripts: cmd.script: - name: salt://securedrop-handle-upgrade - args: prepare + - require: + - cmd: determine-whether-migration-required diff --git a/dom0/securedrop-check-migration b/dom0/securedrop-check-migration new file mode 100755 index 00000000..6a2abffe --- /dev/null +++ b/dom0/securedrop-check-migration @@ -0,0 +1,32 @@ +#!/bin/bash +# Utility script to check whether the entire config should be reapplied +# as part of the GUI updater run, essentially re-running the "install" +# action from sdw-admin. Adds about ~20m to an update, so we'll only +# do it conditionally. + +set -e +set -u +set -o pipefail + + +# Location for empty files to signal to GUI updater that salt states +# should be re-run. +flag_dir="/tmp/sdw-migrations" +function request_migration() { + local reason + reason="$1" + shift 1 + mkdir -p "$flag_dir" + touch "${flag_dir}/${reason}" +} + +# Template consolidation. If old template names are found, +# then we must rerun the full states to re-apply. +if [[ -n "$(qvm-ls --tags sd-workstation --raw-list | perl -nE '/sd-(?!small|large).*-template/ and print $_')" ]] ; then + reason="template-consolidation" + echo "Migration required for ${reason}, will re-run Salt states." + request_migration "$reason" +else + echo "No migration required, skipping full state run against all VMs." + rm -rf "${flag_dir}" +fi 
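Review bot: In `securedrop-check-migration`, a failure of `qvm-ls` (or of the pipeline) inside the `if [[ -n "$(...)" ]]` test is not caught by `set -e`/`pipefail`, because exit status inside a command substitution used in a condition is ignored; the script then prints "No migration required" and runs `rm -rf "${flag_dir}"`, silently suppressing a needed migration. Assigning first, `legacy_templates="$(qvm-ls --tags sd-workstation --raw-list | perl -nE '/sd-(?!small|large).*-template/ and print $_')"` followed by `if [[ -n "$legacy_templates" ]] ; then`, lets `set -e` abort the state on a failed query. The `flag_dir` value is duplicated as `MIGRATION_DIR` in launcher/sdw_updater_gui/Updater.py; a comment `# Must match MIGRATION_DIR in launcher/sdw_updater_gui/Updater.py` next to the assignment would keep the two in step. `shift 1` in `request_migration` is unused and can go.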
diff --git a/launcher/sdw_updater_gui/Updater.py b/launcher/sdw_updater_gui/Updater.py index a83f682d..8ce34f92 100644 --- a/launcher/sdw_updater_gui/Updater.py +++ b/launcher/sdw_updater_gui/Updater.py @@ -22,6 +22,7 @@ FLAG_FILE_LAST_UPDATED_DOM0 = os.path.join(DEFAULT_HOME, "sdw-last-updated") LOCK_FILE = "sdw-launcher.lock" LOG_FILE = "launcher.log" +MIGRATION_DIR = "/tmp/sdw-migrations" sdlog = logging.getLogger(__name__) @@ -31,13 +32,13 @@ current_templates = { "dom0": "dom0", "fedora": "fedora-31", - "sd-viewer": "sd-viewer-buster-template", - "sd-app": "sd-app-buster-template", - "sd-log": "sd-log-buster-template", - "sd-devices": "sd-devices-buster-template", - "sd-proxy": "sd-proxy-buster-template", + "sd-viewer": "sd-large-buster-template", + "sd-app": "sd-small-buster-template", + "sd-log": "sd-small-buster-template", + "sd-devices": "sd-large-buster-template", + "sd-proxy": "sd-small-buster-template", "sd-whonix": "whonix-gw-15", - "sd-gpg": "securedrop-workstation-buster", + "sd-gpg": "sd-small-buster-template", } 
@@ -45,6 +46,32 @@ def get_dom0_path(folder): return os.path.join(os.path.expanduser("~"), folder) +def run_full_install(force=False): + """ + Re-apply the entire Salt config via sdw-admin. Required to enforce + VM state during major migrations, such as template consolidation. + """ + if force or migration_is_required(): + sdlog.info("Running sdw-admin apply") + cmd = ["sdw-admin", "--apply"] + subprocess.check_call(cmd) + + # Clean up flag requesting migration. Shell out since root created it. + subprocess.check_call(["sudo", "rm", "-rf", MIGRATION_DIR]) + + +def migration_is_required(): + """ + Check whether a full run of the Salt config via sdw-admin is required. + """ + result = False + if os.path.exists(MIGRATION_DIR): + if len(os.listdir(MIGRATION_DIR)) > 0: + sdlog.info("Migration is required, will enforce full config during update") + result = True + return result + + def apply_updates(vms=current_templates.keys()): """ Apply updates to all TemplateVMs diff --git a/launcher/sdw_updater_gui/UpdaterApp.py b/launcher/sdw_updater_gui/UpdaterApp.py index c0348e0c..ed9c735f 100644 --- a/launcher/sdw_updater_gui/UpdaterApp.py +++ b/launcher/sdw_updater_gui/UpdaterApp.py @@ -183,6 +183,9 @@ def run(self): result = Updater.apply_dom0_state() # add to results dict, if it fails it will show error message results["apply_dom0"] = result.value + # rerun full config if dom0 checks determined it's required + if Updater.migration_is_required(): + Updater.run_full_install() # reboot vms Updater.shutdown_and_start_vms() diff --git a/launcher/tests/test_updater.py b/launcher/tests/test_updater.py index 603db767..6f0bc22c 100644 --- a/launcher/tests/test_updater.py +++ b/launcher/tests/test_updater.py 
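Review bot: `run_full_install` lets a failing `sdw-admin --apply` raise `CalledProcessError` straight out of `UpdaterApp.run` (the next hunk calls `Updater.run_full_install()` with no handling), which skips `shutdown_and_start_vms` and records nothing in `results`, unlike `apply_dom0_state`, whose outcome is stored as `results["apply_dom0"]`. Returning an `UpdateStatus` and logging the error, with the flag directory deliberately left in place on failure so the next run retries, keeps the GUI's error reporting uniform; the rewrite of this function in PATCH 13 keeps the same unguarded shape and has the same problem. The caller should then store the value, e.g. `results["full_install"] = Updater.run_full_install().value`.

```python
def run_full_install(force=False):
    """
    Re-apply the entire Salt config via sdw-admin. Required to enforce
    VM state during major migrations, such as template consolidation.
    Returns an UpdateStatus so the caller can record the outcome.
    """
    if not (force or migration_is_required()):
        return UpdateStatus.UPDATES_OK
    sdlog.info("Running sdw-admin apply")
    try:
        subprocess.check_call(["sdw-admin", "--apply"])
    except subprocess.CalledProcessError as e:
        # Leave the flag directory in place so the next run retries the migration.
        sdlog.error("Full state run via sdw-admin failed: {}".format(str(e)))
        return UpdateStatus.UPDATES_FAILED
    # Clean up flag requesting migration. Shell out since root created it.
    subprocess.check_call(["sudo", "rm", "-rf", MIGRATION_DIR])
    return UpdateStatus.UPDATES_OK

# … unchanged: migration_is_required …
```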
@@ -508,13 +508,13 @@ def test_shutdown_and_start_vms( ] template_vm_calls = [ call("fedora-31"), - call("sd-viewer-buster-template"), - call("sd-app-buster-template"), - call("sd-log-buster-template"), - call("sd-devices-buster-template"), - call("sd-proxy-buster-template"), + call("sd-large-buster-template"), + call("sd-small-buster-template"), + call("sd-small-buster-template"), + call("sd-large-buster-template"), + call("sd-small-buster-template"), call("whonix-gw-15"), - call("securedrop-workstation-buster"), + call("sd-small-buster-template"), ] app_vm_calls = [ call("sd-app"), @@ -560,13 +560,13 @@ def test_shutdown_and_start_vms_sysvm_fail( ] template_vm_calls = [ call("fedora-31"), - call("sd-viewer-buster-template"), - call("sd-app-buster-template"), - call("sd-log-buster-template"), - call("sd-devices-buster-template"), - call("sd-proxy-buster-template"), + call("sd-large-buster-template"), + call("sd-small-buster-template"), + call("sd-small-buster-template"), + call("sd-large-buster-template"), + call("sd-small-buster-template"), call("whonix-gw-15"), - call("securedrop-workstation-buster"), + call("sd-small-buster-template"), ] error_calls = [ call("Error while killing system VM: sys-firewall"), diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index e06fc1d4..4e4519e8 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec 
@@ -62,6 +62,7 @@ install -m 644 dom0/*.conf %{buildroot}/srv/salt/ install -m 755 dom0/remove-tags %{buildroot}/srv/salt/ install -m 644 dom0/securedrop-login %{buildroot}/srv/salt/ install -m 644 dom0/securedrop-launcher.desktop %{buildroot}/srv/salt/ +install -m 755 dom0/securedrop-check-migration %{buildroot}/srv/salt/ install -m 755 dom0/securedrop-handle-upgrade %{buildroot}/srv/salt/ install -m 755 dom0/update-xfce-settings %{buildroot}/srv/salt/ install -m 755 scripts/sdw-admin.py %{buildroot}/%{_bindir}/sdw-admin From c8cd4d95b8572a218e879221a71d67b8c2bc57a9 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Mon, 19 Oct 2020 09:36:14 -0700 Subject: [PATCH 11/18] Skips bandit check on dom0 updater tmpfile As explained in the comment, we accept the risk of a hardcoded tempfile in dom0, because it's a single-user system, isolated from the other VM components. At a later date, we'll likely port the check-migration logic to pure python, but unfortunately 'import qubesadmin' would break the mocked CI tests for the launcher and updater. --- launcher/sdw_updater_gui/Updater.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/launcher/sdw_updater_gui/Updater.py b/launcher/sdw_updater_gui/Updater.py index 8ce34f92..0ad87f63 100644 --- a/launcher/sdw_updater_gui/Updater.py +++ b/launcher/sdw_updater_gui/Updater.py @@ -22,7 +22,13 @@ FLAG_FILE_LAST_UPDATED_DOM0 = os.path.join(DEFAULT_HOME, "sdw-last-updated") LOCK_FILE = "sdw-launcher.lock" LOG_FILE = "launcher.log" -MIGRATION_DIR = "/tmp/sdw-migrations" + + +# We use a hardcoded temporary directory path in dom0. As dom0 is not +# a multi-user environment, we can safely assume that only the Updater is +# managing that filepath. Later on, we should consider porting the check-migration +# logic to leverage the Qubes Python API. +MIGRATION_DIR = "/tmp/sdw-migrations" # nosec sdlog = logging.getLogger(__name__) From b00a0ca229f9c9507a46850d770ae2ad66c82b83 Mon Sep 17 00:00:00 2001 
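Review bot: The new comment says "only the Updater is managing that filepath", but `/tmp/sdw-migrations` is created by `securedrop-check-migration` running as root under Salt and only consumed and removed (via `sudo rm -rf`) by the Updater, so two actors touch it. Stating that explicitly keeps the bandit exemption honest: `# Created by securedrop-check-migration (run as root via Salt); the Updater only reads it and removes it with sudo. dom0 is single-user, so a fixed /tmp path is accepted here.`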
From: Conor Schaefer Date: Mon, 19 Oct 2020 09:48:54 -0700 Subject: [PATCH 12/18] Updates sd-app gpg config tests Follow-up to [0]. Post-consolidation, we can expect the /etc/profile.d/ path to be present on all systems, but only on sd-app should it return "sd-gpg" rather than an empty string. [0] https://github.com/freedomofpress/securedrop-workstation/pull/623 --- tests/base.py | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/tests/base.py b/tests/base.py index 7fcef9b6..4a732403 100644 --- a/tests/base.py +++ b/tests/base.py @@ -139,19 +139,12 @@ def qubes_gpg_domain_configured(self, vmname=False): sd-app should have it set to sd-gpg. All other AppVMs should not have this configured. """ - expected_profile_app = 'if [ "$(qubesdb-read /name)" = "sd-app" ]; then export QUBES_GPG_DOMAIN="sd-gpg"; fi\n' # noqa: E501 - expected_env_app = "sd-gpg" - expected_env_all = "" - profile_path = "/etc/profile.d/sd-app-qubes-gpg-domain.sh" - env_cmd = 'echo "$QUBES_GPG_DOMAIN"' env_contents = self._run(env_cmd) if vmname == "sd-app": - self.assertTrue(self._fileExists(profile_path)) - profile_contents = self._get_file_contents(profile_path) - self.assertEqual(profile_contents, expected_profile_app) - self.assertEqual(env_contents, expected_env_app) + expected_env = "sd-gpg" else: - self.assertFalse(self._fileExists(profile_path)) - self.assertEqual(env_contents, expected_env_all) + expected_env = "" + + self.assertEqual(env_contents, expected_env) From 6f45c6ca88c1325dedf3923259f128976c0077f5 Mon Sep 17 00:00:00 2001 
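Review bot: The description says the `/etc/profile.d/` script is now present on every VM, yet the hunk removes the existence check entirely instead of asserting it everywhere, so a missing `/etc/profile.d/sd-app-qubes-gpg-domain.sh` would no longer be caught on any VM. Keeping `self.assertTrue(self._fileExists("/etc/profile.d/sd-app-qubes-gpg-domain.sh"))` before the `if vmname == "sd-app":` branch preserves that coverage. The docstring line "All other AppVMs should not have this configured" still describes only the environment variable and could say so: `All other AppVMs ship the profile script too, but QUBES_GPG_DOMAIN must be empty there.`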
From: Conor Schaefer Date: Mon, 19 Oct 2020 15:59:01 -0700 Subject: [PATCH 13/18] Adjusts GUI updater run order Ensuring that we're able to ship unattended migrations in the future. It's important that *first* we update the dom0 RPM, if required, then re-apply the dom0 state. After that, we'll check whether a migration is requested (that's the clincher), then either run a full-state apply or upgrade packages within each TemplateVM, depending on the check. Tinkered with the progress bars accordingly. It's not ideal, since the full-state run blocks the progress bar. --- launcher/sdw_updater_gui/Updater.py | 21 ++++++++++++--------- launcher/sdw_updater_gui/UpdaterApp.py | 26 ++++++++++++++++++++------ launcher/tests/test_updater.py | 2 +- 3 files changed, 33 insertions(+), 16 deletions(-) diff --git a/launcher/sdw_updater_gui/Updater.py b/launcher/sdw_updater_gui/Updater.py index 0ad87f63..1e645e33 100644 --- a/launcher/sdw_updater_gui/Updater.py +++ b/launcher/sdw_updater_gui/Updater.py @@ -36,7 +36,6 @@ # as well as their associated TemplateVMs. # In the future, we could use qvm-prefs to extract this information. current_templates = { - "dom0": "dom0", "fedora": "fedora-31", "sd-viewer": "sd-large-buster-template", "sd-app": "sd-small-buster-template", 
@@ -52,18 +51,17 @@ def get_dom0_path(folder): return os.path.join(os.path.expanduser("~"), folder) -def run_full_install(force=False): +def run_full_install(): """ Re-apply the entire Salt config via sdw-admin. Required to enforce VM state during major migrations, such as template consolidation. """ - if force or migration_is_required(): - sdlog.info("Running sdw-admin apply") - cmd = ["sdw-admin", "--apply"] - subprocess.check_call(cmd) + sdlog.info("Running sdw-admin apply") + cmd = ["sdw-admin", "--apply"] + subprocess.check_call(cmd) - # Clean up flag requesting migration. Shell out since root created it. - subprocess.check_call(["sudo", "rm", "-rf", MIGRATION_DIR]) + # Clean up flag requesting migration. Shell out since root created it. + subprocess.check_call(["sudo", "rm", "-rf", MIGRATION_DIR]) def migration_is_required(): @@ -82,6 +80,9 @@ def apply_updates(vms=current_templates.keys()): """ Apply updates to all TemplateVMs """ + # The updater thread sets 15% progress before the per-VM + # updates start, we'll base progress on that. + progress_start = 15 sdlog.info("Applying all updates") for progress_current, vm in enumerate(vms): @@ -96,7 +97,9 @@ def apply_updates(vms=current_templates.keys()): else: upgrade_results = _apply_updates_vm(vm) - progress_percentage = int(((progress_current + 1) / len(vms)) * 100 - 5) + progress_percentage = int(progress_start + ((progress_current + 1) / len(vms)) * 100 - 25) + if progress_percentage < progress_start: + progress_percentage = progress_start yield vm, progress_percentage, upgrade_results diff --git a/launcher/sdw_updater_gui/UpdaterApp.py b/launcher/sdw_updater_gui/UpdaterApp.py index ed9c735f..b84cd941 100644 --- a/launcher/sdw_updater_gui/UpdaterApp.py +++ b/launcher/sdw_updater_gui/UpdaterApp.py 
@@ -172,20 +172,34 @@ def __init__(self): QThread.__init__(self) def run(self): - upgrade_generator = Updater.apply_updates() - results = {} - for vm, progress, result in upgrade_generator: - results[vm] = result - self.progress_signal.emit(progress) + # Update dom0 first, then apply dom0 state. If full state run + # is required, the dom0 state will drop a flag. + self.progress_signal.emit(5) + upgrade_generator = Updater.apply_updates(["dom0"]) + results = {} # apply dom0 state + self.progress_signal.emit(10) result = Updater.apply_dom0_state() # add to results dict, if it fails it will show error message results["apply_dom0"] = result.value - # rerun full config if dom0 checks determined it's required + + self.progress_signal.emit(15) + # rerun full config if dom0 checks determined it's required, + # otherwise proceed with per-VM package updates if Updater.migration_is_required(): + # Progress bar will freeze for ~15m during full state run + self.progress_signal.emit(35) Updater.run_full_install() + self.progress_signal.emit(75) + else: + upgrade_generator = Updater.apply_updates() + results = {} + for vm, progress, result in upgrade_generator: + results[vm] = result + self.progress_signal.emit(progress) + # reboot vms Updater.shutdown_and_start_vms() diff --git a/launcher/tests/test_updater.py b/launcher/tests/test_updater.py index 6f0bc22c..b3d4b182 100644 --- a/launcher/tests/test_updater.py +++ b/launcher/tests/test_updater.py @@ -56,7 +56,7 @@ def test_updater_vms_present(): - assert len(updater.current_templates) == 9 + assert len(updater.current_templates) == 8 @mock.patch("Updater._write_updates_status_flag_to_disk") From 43a3fc8389742323c8be539edc2877eff5e74198 Mon Sep 17 00:00:00 2001 
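Review bot: `upgrade_generator = Updater.apply_updates(["dom0"])` is never iterated, and `apply_updates` is a generator (it `yield`s per VM, see the hunk in Updater.py above), so the comment "Update dom0 first" is not what happens: dom0 is not updated at all on the new path, and no dom0 entry lands in `results`. The three lines `for vm, progress, result in Updater.apply_updates(["dom0"]):` / `results[vm] = result` / `self.progress_signal.emit(progress)` in place of the bare assignment actually drive the update, and the second `results = {}` in the `else` branch should go, since it discards the dom0 and `apply_dom0` entries already collected. The rest of `run` continues past the hunk.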
From: Kevin O'Gorman Date: Thu, 22 Oct 2020 11:05:21 -0400 Subject: [PATCH 14/18] updated launcher to update each templateVM only once per run --- launcher/sdw_updater_gui/Updater.py | 33 ++++++++-------------- launcher/tests/test_updater.py | 43 ++++++++++------------------- 2 files changed, 25 insertions(+), 51 deletions(-) diff --git a/launcher/sdw_updater_gui/Updater.py b/launcher/sdw_updater_gui/Updater.py index 1e645e33..6dfa65e4 100644 --- a/launcher/sdw_updater_gui/Updater.py +++ b/launcher/sdw_updater_gui/Updater.py @@ -35,7 +35,7 @@ # The are the TemplateVMs that require full patch level at boot in order to start the client, # as well as their associated TemplateVMs. # In the future, we could use qvm-prefs to extract this information. -current_templates = { +current_vms = { "fedora": "fedora-31", "sd-viewer": "sd-large-buster-template", "sd-app": "sd-small-buster-template", @@ -46,6 +46,8 @@ "sd-gpg": "sd-small-buster-template", } +current_templates = set([val for key, val in current_vms.items() if key != "dom0"]) + def get_dom0_path(folder): return os.path.join(os.path.expanduser("~"), folder) @@ -76,7 +78,7 @@ def migration_is_required(): return result -def apply_updates(vms=current_templates.keys()): +def apply_updates(vms=current_templates): """ Apply updates to all TemplateVMs """ @@ -85,7 +87,7 @@ def apply_updates(vms=current_templates.keys()): progress_start = 15 sdlog.info("Applying all updates") - for progress_current, vm in enumerate(vms): + for progress_current, vm in enumerate(vms, 1): upgrade_results = UpdateStatus.UPDATES_FAILED if vm == "dom0": 
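Review bot: `current_templates = set([val for key, val in current_vms.items() if key != "dom0"])` makes the default argument of `apply_updates(vms=current_templates)` a set, so the order in which TemplateVMs are updated (and in which progress is reported) varies with string-hash randomisation between runs; `shutdown_and_start_vms` in a later hunk already works around this with `sorted(current_templates)`, but `apply_updates` does not. The `key != "dom0"` filter is dead since PATCH 13 removed `"dom0"` from the mapping. `current_templates = sorted({val for val in current_vms.values()})` gives a deterministic list, keeps `len(...) == 4` in the tests, and drops the unused filter.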
@@ -97,7 +99,7 @@ def apply_updates(vms=current_templates.keys()): else: upgrade_results = _apply_updates_vm(vm) - progress_percentage = int(progress_start + ((progress_current + 1) / len(vms)) * 100 - 25) + progress_percentage = int(progress_start + ((progress_current) / len(vms)) * 100 - 25) if progress_percentage < progress_start: progress_percentage = progress_start yield vm, progress_percentage, upgrade_results @@ -145,28 +147,18 @@ def _apply_updates_vm(vm): Apply updates to a given TemplateVM. Any update to the base fedora template will require a reboot after the upgrade. """ - sdlog.info("Updating {}:{}".format(vm, current_templates[vm])) + sdlog.info("Updating {}".format(vm)) try: subprocess.check_call( - [ - "sudo", - "qubesctl", - "--skip-dom0", - "--targets", - current_templates[vm], - "state.sls", - "update.qubes-vm", - ] + ["sudo", "qubesctl", "--skip-dom0", "--targets", vm, "state.sls", "update.qubes-vm"] ) except subprocess.CalledProcessError as e: sdlog.error( - "An error has occurred updating {}. Please contact your administrator.".format( - current_templates[vm] - ) + "An error has occurred updating {}. Please contact your administrator.".format(vm) ) sdlog.error(str(e)) return UpdateStatus.UPDATES_FAILED - sdlog.info("{} update successful".format(current_templates[vm])) + sdlog.info("{} update successful".format(vm)) return UpdateStatus.UPDATES_OK @@ -374,11 +366,8 @@ def shutdown_and_start_vms(): "sd-log", ] - # All TemplateVMs minus dom0 - sdw_templates = [val for key, val in current_templates.items() if key != "dom0"] - sdlog.info("Shutting down SDW TemplateVMs for updates") - for vm in sdw_templates: + for vm in sorted(current_templates): _safely_shutdown_vm(vm) sdlog.info("Shutting down SDW AppVMs for updates") diff --git a/launcher/tests/test_updater.py b/launcher/tests/test_updater.py index b3d4b182..a73da940 100644 --- a/launcher/tests/test_updater.py +++ b/launcher/tests/test_updater.py 
@@ -13,6 +13,7 @@ updater = SourceFileLoader("Updater", path_to_script).load_module()
 from Updater import UpdateStatus # noqa: E402
 from Updater import current_templates # noqa: E402
+from Updater import current_vms # noqa: E402
 temp_dir = TemporaryDirectory().name
@@ -56,7 +57,11 @@ def test_updater_vms_present():
- assert len(updater.current_templates) == 8
+ assert len(updater.current_vms) == 8
+
+
+def test_updater_templatevms_present():
+ assert len(updater.current_templates) == 4
 @mock.patch("Updater._write_updates_status_flag_to_disk")
@@ -303,7 +308,7 @@ def test_apply_updates_dom0_failure(mocked_info, mocked_error, mocked_call):
 mocked_error.assert_has_calls(error_log)
-@pytest.mark.parametrize("vm", current_templates.keys())
+@pytest.mark.parametrize("vm", current_templates)
 @mock.patch("subprocess.check_call", side_effect="0")
 @mock.patch("Updater.sdlog.error")
 @mock.patch("Updater.sdlog.info")
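Review bot: `@pytest.mark.parametrize("vm", current_templates)` iterates a set, so the order of the generated test IDs depends on string hash randomization and differs between interpreter processes; under a distributed or reordered run that surfaces as "Different tests were collected between workers", and it makes a failure harder to reproduce by ID. Parametrizing over `sorted(current_templates)` gives a stable, readable ID list at no cost. The same applies to the second `parametrize("vm", current_templates)` in this patch.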
@@ -313,30 +318,18 @@ def test_apply_updates_vms(mocked_info, mocked_error, mocked_call, vm):
 assert result == UpdateStatus.UPDATES_OK
 mocked_call.assert_called_once_with(
- [
- "sudo",
- "qubesctl",
- "--skip-dom0",
- "--targets",
- current_templates[vm],
- "state.sls",
- "update.qubes-vm",
- ]
+ ["sudo", "qubesctl", "--skip-dom0", "--targets", vm, "state.sls", "update.qubes-vm"]
 )
 assert not mocked_error.called
-@pytest.mark.parametrize("vm", current_templates.keys())
+@pytest.mark.parametrize("vm", current_templates)
 @mock.patch("subprocess.check_call", side_effect=subprocess.CalledProcessError(1, "check_call"))
 @mock.patch("Updater.sdlog.error")
 @mock.patch("Updater.sdlog.info")
 def test_apply_updates_vms_fails(mocked_info, mocked_error, mocked_call, vm):
 error_calls = [
- call(
- "An error has occurred updating {}. Please contact your administrator.".format(
- current_templates[vm]
- )
- ),
+ call("An error has occurred updating {}. Please contact your administrator.".format(vm)),
 call("Command 'check_call' returned non-zero exit status 1."),
 ]
 result = updater._apply_updates_vm(vm)
@@ -423,7 +416,7 @@ def test_overall_update_status_reboot_not_done_previously(
 assert not mocked_error.called
-@pytest.mark.parametrize("vm", current_templates.keys())
+@pytest.mark.parametrize("vm", current_vms.keys())
 @mock.patch("subprocess.check_output")
 @mock.patch("Updater.sdlog.error")
 @mock.patch("Updater.sdlog.info")
@@ -435,7 +428,7 @@ def test_safely_shutdown(mocked_info, mocked_error, mocked_output, vm):
 assert not mocked_error.called
-@pytest.mark.parametrize("vm", current_templates.keys())
+@pytest.mark.parametrize("vm", current_vms.keys())
 @mock.patch(
 "subprocess.check_output", side_effect=["0", "0", "0"],
 )
@@ -452,7 +445,7 @@ def test_safely_start(mocked_info, mocked_error, mocked_output, vm):
 assert not mocked_error.called
-@pytest.mark.parametrize("vm", current_templates.keys())
+@pytest.mark.parametrize("vm", current_vms.keys())
 @mock.patch(
 "subprocess.check_output", side_effect=subprocess.CalledProcessError(1, "check_output"),
 )
@@ -468,7 +461,7 @@ def test_safely_start_fails(mocked_info, mocked_error, mocked_output, vm):
 mocked_error.assert_has_calls(call_list)
-@pytest.mark.parametrize("vm", current_templates.keys())
+@pytest.mark.parametrize("vm", current_vms.keys())
 @mock.patch(
 "subprocess.check_output", side_effect=subprocess.CalledProcessError(1, "check_output"),
 )
@@ -510,11 +503,7 @@ def test_shutdown_and_start_vms(
 call("fedora-31"),
 call("sd-large-buster-template"),
 call("sd-small-buster-template"),
- call("sd-small-buster-template"),
- call("sd-large-buster-template"),
- call("sd-small-buster-template"),
 call("whonix-gw-15"),
- call("sd-small-buster-template"),
 ]
 app_vm_calls = [
 call("sd-app"),
@@ -562,11 +551,7 @@ def test_shutdown_and_start_vms_sysvm_fail(
 call("fedora-31"),
 call("sd-large-buster-template"),
 call("sd-small-buster-template"),
- call("sd-small-buster-template"),
- call("sd-large-buster-template"),
- call("sd-small-buster-template"),
 call("whonix-gw-15"),
- call("sd-small-buster-template"),
 ]
 error_calls = [
 call("Error while killing system VM: sys-firewall"),
From 40caff515fb3561d3f88c3efb1cf682d46116211 Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman Date: Wed, 21 Oct 2020 22:54:20 -0400 Subject: [PATCH 15/18] Added qa switcher script for consolidation testing Squashes a few related commits for the qa-switcher logic, including the final change prior to merge that moved the files to a separate location so they wouldn't be included in the rc RPMs. --- utils/qa-switch.sh | 29 +++++++++++++++++++++ utils/qa-switch/buster.sls | 10 ++++++++ utils/qa-switch/dom0.sls | 44 ++++++++++++++++++++++++++++++++ utils/qa-switch/sd-qa-config.yml | 13 ++++++++++ utils/qa-switch/top.sls | 33 ++++++++++++++++++++++++ 5 files changed, 129 insertions(+) create mode 100644 utils/qa-switch.sh create mode 100644 utils/qa-switch/buster.sls create mode 100644 utils/qa-switch/dom0.sls create mode 100644 utils/qa-switch/sd-qa-config.yml create mode 100644 utils/qa-switch/top.sls
diff --git a/utils/qa-switch.sh
new file mode 100644
index 00000000..e73f519f
--- /dev/null
+++ b/utils/qa-switch.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/bash
+
+#
+# Updates securedrop templates and dom0 to use QA repos and
+# template-consolidation component.
+#
+#
+
+if [[ $(id -u) -ne 0 ]] ; then echo "Please run as root" ; exit 1 ; fi
+
+cp -R `dirname "$0"`/qa-switch/ /srv/salt/
+
+cd /srv/salt
+echo Updating dom0...
+qubesctl --show-output --targets dom0 state.apply qa-switch.dom0
+
+export template_list="sd-app-buster-template sd-devices-buster-template sd-log-buster-template sd-proxy-buster-template sd-viewer-buster-template securedrop-workstation-buster whonix-gw-15"
+
+echo Updating Debian-based templates:
+for t in $template_list; do echo Updating $t...; qubesctl --show-output --skip-dom0 --targets $t state.apply switch.buster; done
+
+echo Replacing prod config YAML...
+
+if [ ! -f "/srv/salt/qa-switcher/sd-default-config.yml.orig" ]; then
+ cp sd-default-config.yml qa-switch/sd-default-config.yml.orig
+fi
+cp qa-switch/sd-qa-config.yml sd-default-config.yml
+
+echo "Done! (Run this script after 'sudo qubes-dom0-update -y' to reapply")
diff --git a/utils/qa-switch/buster.sls
new file mode 100644
index 00000000..aa6b66ee
--- /dev/null
+++ b/utils/qa-switch/buster.sls
@@ -0,0 +1,10 @@
+remove-prod-apt-repo:
+ pkgrepo.absent:
+ - name: "deb [arch=amd64] https://apt.freedom.press buster main"
+
+add-test-apt-repo:
+ pkgrepo.managed:
+ - name: "deb [arch=amd64] https://apt-test.freedom.press buster template-consolidation"
+ - file: /etc/apt/sources.list.d/securedrop_workstation.list
+ - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+ - clean_file: True
diff --git a/utils/qa-switch/dom0.sls
new file mode 100644
index 00000000..250115be
--- /dev/null
+++ b/utils/qa-switch/dom0.sls
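Review bot: The `.orig` backup guard tests `/srv/salt/qa-switcher/sd-default-config.yml.orig` but the copy is written to `qa-switch/sd-default-config.yml.orig`, so the guard never matches and every rerun (which the final message tells the user to do after each `qubes-dom0-update`) overwrites the backup with the already-switched QA config, losing the only copy of the production settings; the check should read `if [ ! -f "/srv/salt/qa-switch/sd-default-config.yml.orig" ]; then`. Two more issues sit in the same hunk: the template loop applies `switch.buster` while the states are copied to `/srv/salt/qa-switch/`, so unless a `switch` directory exists elsewhere in the Salt tree that should be `state.apply qa-switch.buster`, and the closing `echo "Done! (… to reapply")` has its quote before the `)`, which bash rejects as a syntax error once it reaches that line. Consider `set -e` or checking each `qubesctl` exit status as well, since a failed template switch is currently silent and the script still goes on to replace the config file.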
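Review bot: `buster.sls` removes the production apt source and replaces it with `apt-test` keyed by `apt-test-pubkey.asc`, and nothing in the series reverses it; once applied, the template accepts whatever the test signing key signs, and the production key likely remains in apt's trust store next to it if `pkgrepo.managed` only adds keys (that depends on the Salt version, which the diff does not show). A header comment should state this, e.g. `# QA ONLY: trusts the apt-test signing key and drops the prod repo; there is no inverse state, reinstall the template to return to production.` Also confirm that `salt://sd/sd-workstation/apt-test-pubkey.asc` is present in the Salt tree of a production install, since `key_url` is the only thing that makes the test repo usable after `clean_file: True` wipes the sources file.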
@@ -0,0 +1,44 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# Installs dom0 config scripts specific to tracking updates
+# over time. These scripts should be ported to an RPM package.
+##
+
+dom0-rpm-test-key:
+ file.managed:
+ # We write the pubkey to the repos config location, because the repos
+ # config location is automatically sent to dom0's UpdateVM. Otherwise,
+ # we must place the GPG key inside the fedora-31 TemplateVM, then
+ # restart sys-firewall.
+ - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+ - source: "salt://sd/sd-workstation/apt-test-pubkey.asc"
+ - user: root
+ - group: root
+ - mode: 644
+
+dom0-rpm-test-key-import:
+ cmd.run:
+ - name: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+ - require:
+ - file: dom0-rpm-test-key
+
+dom0-workstation-rpm-repo:
+ # We use file.managed rather than pkgrepo.managed, because Qubes dom0
+ # settings write new repos to /etc/yum.real.repos.d/, but only /etc/yum.repos.d/
+ # is copied to the UpdateVM for fetching dom0 packages.
+ file.managed:
+ - name: /etc/yum.repos.d/securedrop-workstation-dom0.repo
+ - user: root
+ - group: root
+ - mode: 644
+ - contents: |
+ [securedrop-workstation-dom0]
+ gpgcheck=1
+ gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
+ enabled=1
+ baseurl=https://yum-test.securedrop.org/workstation/dom0/f25
+ name=SecureDrop Workstation Qubes dom0 repo
+ - require:
+ - file: dom0-rpm-test-key
diff --git a/utils/qa-switch/sd-qa-config.yml
new file mode 100644
index 00000000..a623e65d
--- /dev/null
+++ b/utils/qa-switch/sd-qa-config.yml
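Review bot: The header comment ("Installs dom0 config scripts specific to tracking updates over time. These scripts should be ported to an RPM package.") does not describe this state, which imports a test RPM signing key into dom0 and points dom0's package repo at `yum-test`; replace it with something like `# QA ONLY: trusts the apt-test/yum-test signing key in dom0 and switches the dom0 repo to yum-test; there is no inverse state.` Note that `rpm --import` adds the key to dom0's global rpm keyring, so it is trusted for packages from any repository, not only the one written to `securedrop-workstation-dom0.repo`, and the key file goes to `RPM-GPG-KEY-securedrop-workstation`, which — if the production state uses the same path — overwrites the prod key file while leaving the prod key imported. The `cmd.run` also re-imports on every highstate; an `- unless:` that greps `rpm -q gpg-pubkey --qf '%{SUMMARY}\n'` for the test key's UID would make it idempotent, and the `sudo` in the command is redundant since Salt already runs as root in dom0.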
@@ -0,0 +1,13 @@
+---
+# Production variables, for use with real-world installs
+prod:
+ dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
+ apt_repo_url: "https://apt-test.freedom.press"
+ signing_key_filename: "apt-test-pubkey.asc"
+ apt_repo_component: template-consolidation
+# Development variables, suited for use during local development
+dev:
+ dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
+ apt_repo_url: "https://apt-test.freedom.press"
+ signing_key_filename: "apt-test-pubkey.asc"
+ apt_repo_component: template-consolidation
diff --git a/utils/qa-switch/top.sls
new file mode 100644
index 00000000..249ebb43
--- /dev/null
+++ b/utils/qa-switch/top.sls
@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+ dom0:
+ - sd-dom0-switch
+
+ sd-log-buster-template:
+ - sd-buster-switch
+ sd-devices-buster-template:
+ - sd-buster-switch
+ sd-gpg:
+ - sd-buster-switch
+ sd-proxy-buster-template:
+ - sd-buster-switch
+ sd-app:
+ - sd-buster-switch
+ sd-viewer-buster-template:
+ - sd-buster-switch
+ sd-app-buster-template:
+ - sd-buster-switch
+ sys-firewall:
+ - sd-buster-switch
+ sd-whonix:
+ - sd-buster-switch
+ securedrop-workstation-buster:
+ - sd-buster-switch
+ sys-usb:
+ - sd-buster-switch
+ whonix-gw-15:
+ - sd-buster-switch
+ sd-log:
+ - sd-buster-switch
From c6262ff9b014cba1391b8befbc367c39ffc0d939 Mon Sep 17 00:00:00 2001
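Review bot: The comment `# Production variables, for use with real-world installs` is misleading in this file: both `prod` and `dev` point at `yum-test`/`apt-test` and the test signing key, and the script copies the file over `sd-default-config.yml`. Change it to `# QA overrides: both "prod" and "dev" point at the apt-test/yum-test repos and the test signing key` so anyone reading the installed config sees at a glance that the workstation is on QA repos.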
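Review bot: The state names this top file applies, `sd-dom0-switch` and `sd-buster-switch`, match neither the files shipped next to it (`dom0.sls` and `buster.sls` under `qa-switch/`) nor the `qa-switch.dom0`/`switch.buster` names the script uses, so a highstate with this top enabled would fail to find them; presumably they were not renamed when the files were moved. The target list also applies the apt-repo switch to AppVMs (`sd-gpg`, `sd-app`, `sd-whonix`, `sd-log`), where changes under `/etc` do not survive a reboot, and to `sys-firewall` and `sys-usb`, which on a default Qubes install are Fedora-based and have no apt. If the top file is kept at all, limit it to dom0 plus the Debian-based TemplateVMs the script already enumerates, with state names that match the shipped files.
```yaml
base:
  dom0:
    - qa-switch.dom0

  # Debian-based TemplateVMs only: AppVMs do not keep /etc changes across
  # reboots, and the Fedora-based sys-* qubes have no apt.
  securedrop-workstation-buster:
    - qa-switch.buster
  sd-app-buster-template:
    - qa-switch.buster
  sd-devices-buster-template:
    - qa-switch.buster
  sd-log-buster-template:
    - qa-switch.buster
  sd-proxy-buster-template:
    - qa-switch.buster
  sd-viewer-buster-template:
    - qa-switch.buster
  whonix-gw-15:
    - qa-switch.buster
```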
From: Conor Schaefer Date: Thu, 22 Oct 2020 16:06:33 -0700 Subject: [PATCH 16/18] Bumps RPM version 0.4.0 -> 0.5.0-rc1 We'll be posting the rc1 package to yum-test to aid in QA. Not using a tag, as described in docs [0], since we're postponing merge of feature branch [1] until QA is finished, given the scope of changes. [0] https://github.com/freedomofpress/securedrop-workstation/wiki/Building-securedrop-workstation-dom0-config-RPM-package [1] https://github.com/freedomofpress/securedrop-workstation/pull/619 --- VERSION | 2 +- rpm-build/SPECS/securedrop-workstation-dom0-config.spec | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/VERSION b/VERSION
index 1d0ba9ea..04c1660d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.4.0
+0.5.0-rc1
diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
index 4e4519e8..3ecc9e15 100644
--- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
+++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec
@@ -1,12 +1,12 @@
 Name: securedrop-workstation-dom0-config
-Version: 0.4.0
-Release: 1%{?dist}
+Version: 0.5.0
+Release: 0.rc1.1%{?dist}
 Summary: SecureDrop Workstation
 Group: Library
 License: GPLv3+
 URL: https://github.com/freedomofpress/securedrop-workstation
-Source0: securedrop-workstation-dom0-config-0.4.0.tar.gz
+Source0: securedrop-workstation-dom0-config-0.5.0rc1.tar.gz
 BuildArch: noarch
 BuildRequires: python3-setuptools
@@ -28,7 +28,7 @@ configuration over time.
 %undefine py_auto_byte_compile
 %prep
-%setup -n securedrop-workstation-dom0-config-0.4.0
+%setup -n securedrop-workstation-dom0-config-0.5.0rc1
 %build
 %{__python3} setup.py build
From fc35345d6787aed8676a1bd2ec44288a7a42dc9a Mon Sep 17 00:00:00 2001
From: Conor Schaefer Date: Tue, 27 Oct 2020 12:44:24 -0700 Subject: [PATCH 17/18] Updates changelog for RPM Including a "0.5.0" message as a start, even though we're only on rc1. --- rpm-build/SPECS/securedrop-workstation-dom0-config.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec index 3ecc9e15..db0718fa 100644 --- a/rpm-build/SPECS/securedrop-workstation-dom0-config.spec +++ b/rpm-build/SPECS/securedrop-workstation-dom0-config.spec @@ -107,6 +107,10 @@ find /srv/salt -maxdepth 1 -type f -iname '*.top' \ | xargs qubesctl top.enable > /dev/null %changelog +* Tue Oct 27 2020 SecureDrop Team - 0.5.0 +- Consolidates templates into small and large +- Modifies updater UI to rerun full state if required + * Tue Jul 07 2020 SecureDrop Team - 0.4.0 - Consolidates updates from two stages into one - Makes the updater UI more compact From c40aa38d4937a53ba3c837a655cea350a38a779b Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Tue, 27 Oct 2020 15:40:03 -0700 Subject: [PATCH 18/18] Removes template-consolidation from qa-switch As part of review, we've moved candidate packages from the "template-consolidation" channel on apt-test to "main" on apt-test. Therefore the qa-switch tool must be updated accordingly. --- utils/qa-switch/buster.sls | 2 +- utils/qa-switch/sd-qa-config.yml | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/utils/qa-switch/buster.sls b/utils/qa-switch/buster.sls index aa6b66ee..0b519004 100644 --- a/utils/qa-switch/buster.sls +++ b/utils/qa-switch/buster.sls 
@@ -4,7 +4,7 @@ remove-prod-apt-repo:
 add-test-apt-repo:
 pkgrepo.managed:
- - name: "deb [arch=amd64] https://apt-test.freedom.press buster template-consolidation"
+ - name: "deb [arch=amd64] https://apt-test.freedom.press buster main"
 - file: /etc/apt/sources.list.d/securedrop_workstation.list
 - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc"
 - clean_file: True
diff --git a/utils/qa-switch/sd-qa-config.yml b/utils/qa-switch/sd-qa-config.yml
index a623e65d..4afde585 100644
--- a/utils/qa-switch/sd-qa-config.yml
+++ b/utils/qa-switch/sd-qa-config.yml
@@ -4,10 +4,8 @@ prod:
 dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
 apt_repo_url: "https://apt-test.freedom.press"
 signing_key_filename: "apt-test-pubkey.asc"
- apt_repo_component: template-consolidation
 # Development variables, suited for use during local development
 dev:
 dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25"
 apt_repo_url: "https://apt-test.freedom.press"
 signing_key_filename: "apt-test-pubkey.asc"
- apt_repo_component: template-consolidation