Updated testinfra tests and vars to remove v2 references

install_files/ansible-base/securedrop-tails.yml

@@ -22,6 +22,6 @@
 
           The Journalist Interface's Tor onion URL is: http://{{ journalist_iface.stdout }}
           The Source Interfaces's Tor onion URL is: http://{{ source_iface.stdout }}
-          {% if find_aths_info_result.matched > 1 %}
+          {% if find_v3_aths_info_result.matched > 1 %}
           SSH aliases are set up. You can use them with 'ssh app' and 'ssh mon'.
           {% endif %}

molecule/testinfra/app/test_tor_config.py

@@ -64,14 +64,11 @@ def test_tor_torrc_sandbox(host):
 
 
 @pytest.mark.skip_in_prod
-def test_tor_v2_onion_url_readable_by_app(host):
+def test_tor_v2_onion_url_file_absent(host):
     v2_url_filepath = "/var/lib/securedrop/source_v2_url"
     with host.sudo():
         f = host.file(v2_url_filepath)
-        assert f.is_file
-        assert f.user == "www-data"
-        assert f.mode == 0o644
-        assert re.search(r"^[a-z0-9]{16}\.onion$", f.content_string)
+        assert not f.exists
 
 
 @pytest.mark.skip_in_prod

molecule/testinfra/app/test_tor_hidden_services.py

@@ -26,9 +26,8 @@ def test_tor_service_directories(host, tor_service):
 @pytest.mark.parametrize('tor_service', sdvars.tor_services)
 def test_tor_service_hostnames(host, tor_service):
     """
-    Check contents of Tor service hostname file. For normal onion services,
-    the file should contain only hostname (.onion URL). For authenticated
-    onion services, it should also contain the HidServAuth cookie.
+    Check contents of Tor service hostname file. For v3 onion services,
+    the file should contain only hostname (.onion URL).
     """
     # Declare regex only for THS; we'll build regex for ATHS only if
     # necessary, since we won't have the required values otherwise.
@@ -46,22 +45,13 @@ def test_tor_service_hostnames(host, tor_service):
         # All hostnames should contain at *least* the hostname.
         assert re.search(ths_hostname_regex, f.content_string)
 
-        if tor_service['authenticated'] and tor_service['version'] == 2:
-            # HidServAuth regex is approximately [a-zA-Z0-9/+], but validating
-            # the entire entry is sane, and we don't need to nitpick the
-            # charset.
-            aths_hostname_regex = ths_hostname_regex + " .{22} # client: " + \
-                                  tor_service['client']
-            assert re.search("^{}$".format(aths_hostname_regex), f.content_string)
-        elif tor_service['authenticated'] and tor_service['version'] == 3:
+        if tor_service['authenticated'] and tor_service['version'] == 3:
             # For authenticated version 3 onion services, the authorized_client
             # directory will exist and contain a file called client.auth.
             client_auth = host.file(
                 "/var/lib/tor/services/{}/authorized_clients/client.auth".format(
                     tor_service['name']))
             assert client_auth.is_file
-        elif tor_service['version'] == 2:
-            assert re.search("^{}$".format(ths_hostname_regex), f.content_string)
         else:
             assert re.search("^{}$".format(ths_hostname_regex_v3), f.content_string)
 
@@ -75,12 +65,6 @@ def test_tor_services_config(host, tor_service):
 
       * HiddenServiceDir
       * HiddenServicePort
-
-    Only v2 authenticated onion services must also include:
-
-      * HiddenServiceAuthorizeClient
-
-    Check for each as appropriate.
     """
     f = host.file("/etc/tor/torrc")
     dir_regex = "HiddenServiceDir /var/lib/tor/services/{}".format(
@@ -94,29 +78,12 @@ def test_tor_services_config(host, tor_service):
     except IndexError:
         local_port = remote_port
 
-    # Ensure that service is hardcoded to v2, for compatibility
-    # with newer versions of Tor, which default to v3.
-    if tor_service['version'] == 2:
-        version_string = "HiddenServiceVersion 2"
-    else:
-        version_string = ""
-
     port_regex = "HiddenServicePort {} 127.0.0.1:{}".format(
             remote_port, local_port)
 
     assert f.contains("^{}$".format(dir_regex))
     assert f.contains("^{}$".format(port_regex))
 
-    if version_string:
-        service_regex = "\n".join([dir_regex, version_string, port_regex])
-    else:
-        service_regex = "\n".join([dir_regex, port_regex])
-
-    if tor_service['authenticated'] and tor_service['version'] == 2:
-        auth_regex = "HiddenServiceAuthorizeClient stealth {}".format(
-                tor_service['client'])
-        assert f.contains("^{}$".format(auth_regex))
-        service_regex += "\n{}".format(auth_regex)
-
     # Check for block in file, to ensure declaration order
+    service_regex = "\n".join([dir_regex, port_regex])
     assert service_regex in f.content_string

molecule/testinfra/vars/app-prod.yml

@@ -2,15 +2,9 @@
 mon_ip: 10.0.1.5
 
 tor_services:
-  - ssh
-  - source
-  - journalist
-
-tor_stealth_services:
-  - service: "HiddenServicePort 22 127.0.0.1:22"
-    stealth: admin
-  - service: "HiddenServicePort 80 127.0.0.1:8080"
-    stealth: journalist
+  - sshv3
+  - sourcev3
+  - journalistv3
 
 app_directories:
   - /var/www/securedrop

molecule/testinfra/vars/app-qubes-staging.yml

@@ -40,20 +40,6 @@ app_directories:
   - /var/lib/securedrop/tmp
 
 tor_services:
-  - name: source
-    ports:
-      - "80"
-    authenticated: no
-    version: 2
-
-  - name: journalist
-    ports:
-      - "80"
-      - "8080"
-    authenticated: yes
-    client: journalist
-    version: 2
-
   - name: journalistv3
     ports:
       - "80"

molecule/testinfra/vars/app-staging.yml

@@ -63,20 +63,6 @@ app_directories:
   - /var/lib/securedrop/tmp
 
 tor_services:
-  - name: source
-    ports:
-      - "80"
-    authenticated: no
-    version: 2
-
-  - name: journalist
-    ports:
-      - "80"
-      - "8080"
-    authenticated: yes
-    client: journalist
-    version: 2
-
   - name: journalistv3
     ports:
       - "80"

molecule/testinfra/vars/mon-prod.yml

@@ -7,11 +7,7 @@ app_hostname: app-prod
 app_ip: 10.0.1.4
 
 tor_services:
-  - ssh
-
-tor_stealth_services:
-  - service: "HiddenServicePort 22 127.0.0.1:22"
-    stealth: admin
+  - sshv3
 
 # Postfix should indeed be running on prod hosts, otherwise
 # OSSEC alerts cannot be delivered. It's disabled in staging.

molecule/testinfra/vars/prod.yml

@@ -63,20 +63,6 @@ app_directories:
   - /var/lib/securedrop/tmp
 
 tor_services:
-  - name: source
-    ports:
-      - "80"
-    authenticated: no
-    version: 2
-
-  - name: journalist
-    ports:
-      - "80"
-      - "8080"
-    authenticated: yes
-    client: journalist
-    version: 2
-
   - name: journalistv3
     ports:
       - "80"

molecule/testinfra/vars/prodVM.yml

@@ -62,20 +62,6 @@ app_directories:
   - /var/lib/securedrop/tmp
 
 tor_services:
-  - name: source
-    ports:
-      - "80"
-    authenticated: no
-    version: 2
-
-  - name: journalist
-    ports:
-      - "80"
-      - "8080"
-    authenticated: yes
-    client: journalist
-    version: 2
-
   - name: journalistv3
     ports:
       - "80"

molecule/testinfra/vars/qubes-staging.yml

@@ -64,20 +64,6 @@ app_directories:
   - /var/lib/securedrop/tmp
 
 tor_services:
-  - name: source
-    ports:
-      - "80"
-    authenticated: no
-    version: 2
-
-  - name: journalist
-    ports:
-      - "80"
-      - "8080"
-    authenticated: yes
-    client: journalist
-    version: 2
-
   - name: journalistv3
     ports:
       - "80"

molecule/testinfra/vars/staging.yml

@@ -64,20 +64,6 @@ app_directories:
   - /var/lib/securedrop/tmp
 
 tor_services:
-  - name: source
-    ports:
-      - "80"
-    authenticated: no
-    version: 2
-
-  - name: journalist
-    ports:
-      - "80"
-      - "8080"
-    authenticated: yes
-    client: journalist
-    version: 2
-
   - name: journalistv3
     ports:
       - "80"