From 2c37173155836481b31a9daafc195105db8b710e Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman
Date: Thu, 8 Apr 2021 20:15:56 -0400
Subject: [PATCH 1/2] Updated restore playbook to validate tor config after v2 removal
---
.../roles/restore/files/disable_v2.py | 89 -------------------
.../roles/restore/tasks/cleanup_v2.yml | 50 ++++++++---
2 files changed, 39 insertions(+), 100 deletions(-)
delete mode 100644 install_files/ansible-base/roles/restore/files/disable_v2.py
diff --git a/install_files/ansible-base/roles/restore/files/disable_v2.py b/install_files/ansible-base/roles/restore/files/disable_v2.py
deleted file mode 100644
index d23da814ee..0000000000
--- a/install_files/ansible-base/roles/restore/files/disable_v2.py
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/env python3
-# To execute on prod:
-# python3 disable_v2.py /etc/tor/torrc /etc/tor/torrc
-# To execute for testing locally:
-# python3 disable_v2.py /etc/tor/torrc /tmp/dumytorrc
-import sys
-
-
-def filter_v2(filename):
- # Read the file
- with open(filename) as f:
- data = f.readlines()
- # We will store the filtered lines to result
- result = []
-
- i = 0
- while i < len(data):
- line = data[i]
- if line == "HiddenServiceDir /var/lib/tor/services/source\n":
- i += 1
- while data[i].strip() == "":
- i += 1
- line = data[i]
- if line == "HiddenServiceVersion 2\n":
- i += 1
- line = data[i]
- while data[i].strip() == "":
- i += 1
- line = data[i]
- if line == "HiddenServicePort 80 127.0.0.1:80\n":
- i += 1
- continue
- # Now check for journalist
- if line == "HiddenServiceDir /var/lib/tor/services/journalist\n":
- i += 1
- while data[i].strip() == "":
- i += 1
- line = data[i]
- if line == "HiddenServiceVersion 2\n":
- i += 1
- line = data[i]
- while data[i].strip() == "":
- i += 1
- line = data[i]
- if line == "HiddenServicePort 80 127.0.0.1:8080\n":
- i += 1
- line = data[i]
- while data[i].strip() == "":
- i += 1
- line = data[i]
- if line == "HiddenServiceAuthorizeClient stealth journalist\n":
- i += 1
- continue
- # Now the v2 ssh access
- if line == "HiddenServiceDir /var/lib/tor/services/ssh\n":
- i += 1
- while data[i].strip() == "":
- i += 1
- line = data[i]
- if line == "HiddenServiceVersion 2\n":
- i += 1
- line = data[i]
- while data[i].strip() == "":
- i += 1
- line = data[i]
- if line == "HiddenServicePort 22 127.0.0.1:22\n":
- i += 1
- line = data[i]
- while data[i].strip() == "":
- i += 1
- line = data[i]
- if line == "HiddenServiceAuthorizeClient stealth admin\n":
- i += 1
- continue
-
- result.append(line)
- i += 1
-
- # Now return the result
- return result
-
-
-if __name__ == "__main__":
- filename = sys.argv[1]
- outputfilename = sys.argv[2]
- result = filter_v2(filename)
- with open(outputfilename, "w") as fobj:
- 
for line in result:
- fobj.write(line)
diff --git a/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml b/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
index cd90f5d0e2..8eda314cf7 100644
--- a/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
+++ b/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
@@ -1,12 +1,46 @@
---
-- name: Copy disable_v2.py script
+- name: Backup torrc file
copy:
- src: "{{ role_path }}/files/disable_v2.py"
- dest: /opt/disable_v2.py
+ src: /etc/tor/torrc
+ dest: /etc/tor/torrc.bak
+ remote_src: yes
when: ("V3 services only" in compare_result.stdout)

-- name: Execute disable_v2 script
+- name: Remove v2 service definitions from torrc.
- command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc
+ shell: >
+ awk '!/HiddenServiceVersion 2/'
+ RS="HiddenServiceDir" ORS="HiddenServiceDir"
+ /etc/tor/torrc.bak > /etc/tor/torrc
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Check Tor config
+ command: tor --verify-config
+ register: tor_verify
+ become_user: debian-tor
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Verify that Tor config is valid
+ assert:
+ that:
+ - "'Configuration was valid' in tor_verify.stdout"
+ fail_msg:
+ - "Removal of obsolete V2 configuration blocks failed - the new"
+ - "configuration file is invalid."
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Verify that V2 config directives are removed
+ assert:
+ that:
+ - "'Onion service version 2 are deprecated' not in tor_verify.stdout"
+ fail_msg:
+ - "V2 configurations were not successfully removed. Please review /etc/tor/torrc"
+ - "and manually remove any v2 service definitions."
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove backup torrc file
+ file:
+ state: absent
+ path: /etc/tor/torrc.bak
when: ("V3 services only" in compare_result.stdout)

- name: Remove v2 tor source directory
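Review bot: The awk in `Remove v2 service definitions from torrc.` drops an entire record, i.e. everything from a `HiddenServiceDir` up to the next one or end of file, so any non-HiddenService directive that happens to follow a v2 block in torrc (a `SocksPort`, `ControlPort` or logging line, for instance) is silently removed with it, and `tor --verify-config` will still report the remaining file as valid. An independent check that only `HiddenService*` lines changed would close that gap, e.g. a task running `diff <(grep -v '^HiddenService' /etc/tor/torrc.bak) <(grep -v '^HiddenService' /etc/tor/torrc)` with `executable: /bin/bash`, placed before the `Remove backup torrc file` task. The second assert also relies on the exact deprecation text the installed tor happens to emit; a direct `grep -q 'HiddenServiceVersion 2' /etc/tor/torrc` registered with `failed_when` on rc 0 does not depend on the tor version. Worth a comment on the `Remove backup torrc file` task that it deliberately runs only after both asserts, so a failure leaves `/etc/tor/torrc.bak` in place for manual recovery.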
@@ -32,9 +66,3 @@
state: absent
path: /var/lib/securedrop/source_v2_url
when: ("V3 services only" in compare_result.stdout)
-
-- name: Remove disable_v2.py script
- file:
- state: absent
- path: /opt/disable_v2.py
- when: ("V3 services only" in compare_result.stdout)
From c8b432f8bc3dd6c2db1885f08e8bf5b8ef3cfa09 Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman
Date: Fri, 9 Apr 2021 16:02:29 -0400
Subject: [PATCH 2/2] removed stray HiddenServiceDir directive
---
install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml b/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
index 8eda314cf7..eda1845edc 100644
--- a/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
+++ b/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
@@ -10,7 +10,7 @@
shell: >
awk '!/HiddenServiceVersion 2/'
RS="HiddenServiceDir" ORS="HiddenServiceDir"
- /etc/tor/torrc.bak > /etc/tor/torrc
+ /etc/tor/torrc.bak | sed '$d' > /etc/tor/torrc
when: ("V3 services only" in compare_result.stdout)

- name: Check Tor config
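Review bot: `sed '$d'` on the new line unconditionally deletes the last line of awk's output, which is the stray `HiddenServiceDir` only when the last retained record ends in a newline; if the final line of torrc has no trailing newline the separator is glued onto that line and `$d` deletes real configuration instead. With the pipeline the task's exit status is sed's, so an awk failure (an awk build without regex-RS support, for instance) passes silently and leaves a truncated torrc for the later verify step to catch. Both can be avoided by never emitting the trailing separator: `awk 'BEGIN{RS="HiddenServiceDir"; ORS=""} NR>1{$0="HiddenServiceDir" $0} !/HiddenServiceVersion 2/' /etc/tor/torrc.bak > /etc/tor/torrc` needs no sed; if the pipeline is kept, add `executable: /bin/bash` and prefix the command with `set -o pipefail;` since the default /bin/sh has no pipefail.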