From 10bf8a55869b4a28353a631c9190ec32c31ca827 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Thu, 18 Feb 2021 16:31:08 +0530 Subject: [PATCH 1/3] Adds dependency to docker python module docker-py and docker both can not be installed on the same virtualenv. https://github.com/docker/docker-py/issues/1916#issuecomment-406639876 --- .../requirements/python3/develop-requirements.in | 2 +- .../python3/develop-requirements.txt | 16 ++++++---------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/securedrop/requirements/python3/develop-requirements.in b/securedrop/requirements/python3/develop-requirements.in index f5d7c9bafa7..6131db61e74 100644 --- a/securedrop/requirements/python3/develop-requirements.in +++ b/securedrop/requirements/python3/develop-requirements.in @@ -6,7 +6,7 @@ bandit boto boto3 cffi>=1.14.2 -docker-py +docker # Needed for dig ansible lookup dnspython flake8 diff --git a/securedrop/requirements/python3/develop-requirements.txt b/securedrop/requirements/python3/develop-requirements.txt index 680de7ac530..35750fe6ce4 100644 --- a/securedrop/requirements/python3/develop-requirements.txt +++ b/securedrop/requirements/python3/develop-requirements.txt 
@@ -202,14 +202,10 @@ dnspython==1.15.0 \ --hash=sha256:40f563e1f7a7b80dc5a4e76ad75c23da53d62f1e15e6e517293b04e1f84ead7c \ --hash=sha256:861e6e58faa730f9845aaaa9c6c832851fbf89382ac52915a51f89c71accdd31 \ # via -r requirements/python3/develop-requirements.in -docker-py==1.10.6 \ - --hash=sha256:35b506e95861914fa5ad57a6707e3217b4082843b883be246190f57013948aba \ - --hash=sha256:4c2a75875764d38d67f87bc7d03f7443a3895704efc57962bdf6500b8d4bc415 \ +docker==4.4.2 \ + --hash=sha256:20d71afc593486f2297bb7fb7406b03876f31894337e914a5062050c65085cab \ + --hash=sha256:67f33d4cf95182db631a17eef7d666d2c91f624c1d3fbc4df6009cb2f2a4c604 \ # via -r requirements/python3/develop-requirements.in -docker-pycreds==0.2.1 \ - --hash=sha256:58d2688f92de5d6f1a6ac4fe25da461232f0e0a4c1212b93b256b046b2d714a9 \ - --hash=sha256:93833a2cf280b7d8abbe1b8121530413250c6cd4ffed2c1cf085f335262f7348 \ - # via docker-py docopt==0.6.2 \ --hash=sha256:49b3a825280bd66b3aa83585ef59c4a8c82f2c8a522dbe754a8bc8d08c85c491 \ # via html-linter, template-remover @@ -557,7 +553,7 @@ pyyaml==5.3.1 \ requests==2.22.0 \ --hash=sha256:11e007a8a2aa0323f5a921e9e6a2d7e4e67d9877e85773fba9ba6419025cbeb4 \ --hash=sha256:9cf5292fcd0f598c671cfc1e0d7d1a7f13bb8085e9a590f48c010551dc6c4b31 \ - # via cookiecutter, docker-py, safety + # via cookiecutter, docker, safety ruamel.yaml.clib==0.2.0 \ --hash=sha256:1e77424825caba5553bbade750cec2277ef130647d685c2b38f68bc03453bac6 \ --hash=sha256:392b7c371312abf27fb549ec2d5e0092f7ef6e6c9f767bfb13e83cb903aca0fd \ 
@@ -606,7 +602,7 @@ shellingham==1.3.2 \ six==1.15.0 \ --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \ --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced \ - # via -r ../admin/requirements.in, ansible-lint, argon2-cffi, astroid, bandit, bcrypt, cfgv, click-completion, cryptography, docker-py, docker-pycreds, dparse, fasteners, git-url-parse, molecule, packaging, pathlib2, pip-tools, pre-commit, prompt-toolkit, pynacl, python-dateutil, stevedore, websocket-client + # via -r ../admin/requirements.in, ansible-lint, argon2-cffi, astroid, bandit, bcrypt, cfgv, click-completion, cryptography, docker, dparse, fasteners, git-url-parse, molecule, packaging, pathlib2, pip-tools, pre-commit, prompt-toolkit, pynacl, python-dateutil, stevedore, websocket-client smmap2==2.0.3 \ --hash=sha256:b78ee0f1f5772d69ff50b1cbdb01b8c6647a8354f02f23b488cf4b2cfc923956 \ --hash=sha256:c7530db63f15f09f8251094b22091298e82bf6c699a6b8344aaaef3f2e1276c3 \ @@ -681,7 +677,7 @@ wcwidth==0.1.7 \ websocket-client==0.44.0 \ --hash=sha256:15f585566e2ea7459136a632b9785aa081093064391878a448c382415e948d72 \ --hash=sha256:91222bb3a22ba989ac87eec9121655f295dcb746b6207c5576ffa549ab69302c \ - # via docker-py + # via docker whichcraft==0.4.1 \ --hash=sha256:9e0d51c9387cb7e9f28b7edb549e6a03da758f7784f991eb4397d7f7808c57fd \ --hash=sha256:cd0e10b58960ab877d9f273cd28788730936c3cdaceec2dafad97c7cf3067d46 \ From 339bb312ecfbcbab26e3582d46dac67b9223dda6 Mon Sep 17 00:00:00 2001 
From: Kushal Das Date: Thu, 17 Dec 2020 19:50:01 +0530 Subject: [PATCH 2/3] Fixes #5676 disable v2 onion addresses on restore on Focal We filter out any v2 onion address related line from /etc/tor/torrc and also the directories from /var/lib/tor/services. This will happen only on Focal. On Xenial, everything stays the same. --- .../roles/restore/files/disable_v2.py | 90 +++++++++++++++++++ .../ansible-base/roles/restore/tasks/main.yml | 28 ++++++ 2 files changed, 118 insertions(+) create mode 100644 install_files/ansible-base/roles/restore/files/disable_v2.py diff --git a/install_files/ansible-base/roles/restore/files/disable_v2.py b/install_files/ansible-base/roles/restore/files/disable_v2.py new file mode 100644 index 00000000000..051980671e0 --- /dev/null +++ b/install_files/ansible-base/roles/restore/files/disable_v2.py 
@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+# To execute on prod:
+# python3 disable_v2.py /etc/tor/torrc /etc/tor/torrc
+# To execute for testing locally:
+# python3 disable_v2.py /etc/tor/torrc /tmp/dumytorrc
+import sys
+
+
+def filter_v2(filename):
+ # Read the file
+ with open(filename) as f:
+ data = f.readlines()
+ # We will store the filtered lines to result
+ result = []
+
+ i = 0
+ while i < len(data):
+ line = data[i]
+ if line == "HiddenServiceDir /var/lib/tor/services/source\n":
+ i += 1
+ while data[i].strip() == "":
+ i += 1
+ line = data[i]
+ if line == "HiddenServiceVersion 2\n":
+ i += 1
+ line = data[i]
+ while data[i].strip() == "":
+ i += 1
+ line = data[i]
+ if line == "HiddenServicePort 80 127.0.0.1:80\n":
+ i += 1
+ continue
+ # Now check for journalist
+ if line == "HiddenServiceDir /var/lib/tor/services/journalist\n":
+ i += 1
+ while data[i].strip() == "":
+ i += 1
+ line = data[i]
+ if line == "HiddenServiceVersion 2\n":
+ i += 1
+ line = data[i]
+ while data[i].strip() == "":
+ i += 1
+ line = data[i]
+ if line == "HiddenServicePort 80 127.0.0.1:8080\n":
+ i += 1
+ line = data[i]
+ while data[i].strip() == "":
+ i += 1
+ line = data[i]
+ if line == "HiddenServiceAuthorizeClient stealth journalist\n":
+ i += 1
+ continue
+ # Now the v2 ssh access
+ if line == "HiddenServiceDir /var/lib/tor/services/ssh\n":
+ i += 1
+ while data[i].strip() == "":
+ i += 1
+ line = data[i]
+ if line == "HiddenServiceVersion 2\n":
+ i += 1
+ line = data[i]
+ while data[i].strip() == "":
+ i += 1
+ line = data[i]
+ if line == "HiddenServicePort 22 127.0.0.1:22\n":
+ i += 1
+ line = data[i]
+ while data[i].strip() == "":
+ i += 1
+ line = data[i]
+ if line == "HiddenServiceAuthorizeClient stealth admin\n":
+ i += 1
+ continue
+
+
+ result.append(line)
+ i += 1
+
+ # Now return the result
+ return result
+
+
+if __name__ == "__main__":
+ filename = sys.argv[1]
+ outputfilename = sys.argv[2]
+ result = filter_v2(filename)
+ with open(outputfilename, "w") as fobj:
+ for line in result: + fobj.write(line) diff --git a/install_files/ansible-base/roles/restore/tasks/main.yml b/install_files/ansible-base/roles/restore/tasks/main.yml index 70f66acbeef..dd33e8157a4 100644 --- a/install_files/ansible-base/roles/restore/tasks/main.yml +++ b/install_files/ansible-base/roles/restore/tasks/main.yml @@ -73,6 +73,34 @@ name: apache2 state: reloaded +- name: Copy disable_v2.py script for Focal + copy: + src: "{{ role_path }}/files/disable_v2.py" + dest: /opt/disable_v2.py + when: ansible_distribution_release == 'focal' + +- name: Execute disable_v2 script on Focal + command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc + when: ansible_distribution_release == 'focal' + +- name: Remove v2 tor source directory + file: + state: absent + path: /var/lib/tor/services/source + when: ansible_distribution_release == 'focal' + +- name: Remove v2 tor journalist directory + file: + state: absent + path: /var/lib/tor/services/journalist + when: ansible_distribution_release == 'focal' + +- name: Remove disable_v2.py script on Focal + file: + state: absent + path: /opt/disable_v2.py + when: ansible_distribution_release == 'focal' + - name: Reload Tor service service: name: tor From 1066cd00791ec612eae469f574e04464bf4cb53a Mon Sep 17 00:00:00 2001 From: mickael e Date: Thu, 18 Feb 2021 12:39:29 -0500 Subject: [PATCH 3/3] lint: remove extra blank line --- install_files/ansible-base/roles/restore/files/disable_v2.py | 1 - 1 file changed, 1 deletion(-) diff --git a/install_files/ansible-base/roles/restore/files/disable_v2.py b/install_files/ansible-base/roles/restore/files/disable_v2.py index 051980671e0..d23da814ee9 100644 --- a/install_files/ansible-base/roles/restore/files/disable_v2.py +++ b/install_files/ansible-base/roles/restore/files/disable_v2.py @@ -73,7 +73,6 @@ def filter_v2(filename): i += 1 continue - result.append(line) i += 1
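Review bot: Every `data[i]` read inside the `while data[i].strip() == ""` loops and after each `i += 1` in `filter_v2` is unbounded, so a torrc whose last matched entry is followed only by blank lines, or that ends right after a `HiddenServiceDir` line, raises IndexError during restore; a partial match is worse, because the lines already consumed (`HiddenServiceDir ...`, `HiddenServiceVersion 2`) are dropped while the first non-matching line is kept, which can leave tor a `HiddenServicePort` with no preceding `HiddenServiceDir`. The three hand-unrolled copies of the same walk can collapse into one table of expected lines plus a helper that returns the index just past a fully matched block or None, so a block is only removed when it matches completely, and comparing on `.strip()` also makes a final line without a trailing newline match. The in-place rewrite in `__main__` (`/etc/tor/torrc /etc/tor/torrc`) truncates the live torrc before the new contents are written; writing to a temporary file in the same directory and finishing with `os.replace(tmp, outputfilename)` (after `import os`) keeps the old file intact if the script dies midway. Indentation in the hunk is not visible here, so only the logic is commented on.
```python
# Each tuple is one v2 block to drop, in file order; blank lines between
# the entries are tolerated, anything else means "not this block".
V2_BLOCKS = (
    ("HiddenServiceDir /var/lib/tor/services/source",
     "HiddenServiceVersion 2",
     "HiddenServicePort 80 127.0.0.1:80"),
    ("HiddenServiceDir /var/lib/tor/services/journalist",
     "HiddenServiceVersion 2",
     "HiddenServicePort 80 127.0.0.1:8080",
     "HiddenServiceAuthorizeClient stealth journalist"),
    ("HiddenServiceDir /var/lib/tor/services/ssh",
     "HiddenServiceVersion 2",
     "HiddenServicePort 22 127.0.0.1:22",
     "HiddenServiceAuthorizeClient stealth admin"),
)


def _block_end(data, start, expected):
    """Return the index just past the block if data[start:] matches
    `expected` line for line (blank lines skipped), else None."""
    i = start
    for wanted in expected:
        while i < len(data) and not data[i].strip():
            i += 1
        if i >= len(data) or data[i].strip() != wanted:
            return None
        i += 1
    return i


def filter_v2(filename):
    """Return the lines of `filename` with the known v2 onion service
    blocks removed; lines of a block that only partially matches are kept."""
    with open(filename) as f:
        data = f.readlines()
    result = []
    i = 0
    while i < len(data):
        ends = (_block_end(data, i, block) for block in V2_BLOCKS)
        end = next((e for e in ends if e is not None), None)
        if end is None:
            result.append(data[i])
            i += 1
        else:
            i = end
    return result


# … unchanged: __main__ entry point …
```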
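Review bot: The new tasks remove the v2 `source` and `journalist` service directories but not `/var/lib/tor/services/ssh`, even though the script they run strips a v2 ssh block from torrc, so if that directory holds only a v2 service (as the script's filter assumes — worth confirming against the Focal layout) its private key material stays on disk after the restore; a matching `file: state: absent` task with `path: /var/lib/tor/services/ssh` would keep the playbook and the script consistent. `command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc` rewrites the live torrc with no validation before `Reload Tor service`; a `command: tor --verify-config` task between them would stop the reload on a mangled file. The same `command` task also reports changed on every run; `changed_when: false` or a before/after checksum would keep the play output honest. The `Reload Tor service` task continues beyond the hunk.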