From 3d86cd2293b64c6b019e4eaf1b4ab243255dd10d Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Wed, 21 Aug 2019 13:18:10 -0700
Subject: [PATCH] Supports SSH-over-LAN in v2->v3 Onion migration

The dynamic logic to accommodate for SSH-over-LAN includes the "restrict-direct-access" role, which assumes that Onion Services already exist on the remote host. That's not the case when migrating from v2 to v3 Onion services, so let's override the dynamic include logic to instruct the role *not* to wait for the hostname files to be created. Later in the playbook, the restrict-direct-access role will run without the override, fetching back the client auth config that now exists, since the tor role will also have run by this point.
---
 .../roles/restrict-direct-access/defaults/main.yml | 5 +++++
 .../ansible-base/roles/restrict-direct-access/tasks/main.yml | 1 +
 install_files/ansible-base/securedrop-prod.yml | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/install_files/ansible-base/roles/restrict-direct-access/defaults/main.yml b/install_files/ansible-base/roles/restrict-direct-access/defaults/main.yml
index 49ef6e62f85..73d3c8917b3 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/defaults/main.yml
+++ b/install_files/ansible-base/roles/restrict-direct-access/defaults/main.yml
@@ -21,6 +21,11 @@ admin_net_int:
 cmd: "/sbin/route -n get "
 rgx: "(?<=interface: )\\w+"
 
+# Whether to fetch back client-auth settings from the remote hosts.
+# We make this conditional to support disabling during dynamic role includes,
+# required for the ssh-over-lan strategy.
+fetch_tor_client_auth_configs: true
+
 # v2 Tor onion services are on / v3 Tor onion services are off by default for backwards
 # compatibility. Note that new install after 1.0 will have v3 enabled by sdconfig which
 # will override these variables.
diff --git a/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml b/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
index 1127edf4b34..2be2d68ca2f 100644
--- a/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
+++ b/install_files/ansible-base/roles/restrict-direct-access/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
 - include: fetch_tor_config.yml
+ when: fetch_tor_client_auth_configs
 
 - include: dh_moduli.yml
 
diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index 6526173f94c..87b8421912e 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -37,6 +37,9 @@
 - name: Include restrict role early when using ssh over localnet
 include_role:
 name: restrict-direct-access
+ vars:
+ # Don't wait for tor client auth, might not exist yet
+ fetch_tor_client_auth_configs: false
 when:
 - not enable_ssh_over_tor
 - sd_dir_check.stat.exists
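Review bot: The new `when: fetch_tor_client_auth_configs` on the `fetch_tor_config.yml` include is a bare conditional, so it only behaves as a boolean gate while the value is a real YAML boolean; the defaults file notes that sdconfig can override role variables, and if an override ever arrives as the string "false" a non-empty string is truthy in the Jinja evaluation and the fetch would run anyway. `when: fetch_tor_client_auth_configs | bool` makes the intent explicit and tolerates string values. It would also help to say at the include why it can be skipped, since later tasks in this role that rely on the fetched client-auth files (none are visible in the hunk) would then run without them; a comment such as `# Skipped when the playbook includes this role before the tor role has created the Onion Service (ssh-over-lan early include); see fetch_tor_client_auth_configs in defaults.` documents that contract.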
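Review bot: The inline comment `# Don't wait for tor client auth, might not exist yet` on the new `vars:` block does not say why the files may be missing or how the skipped fetch is made up for later, which is the whole justification for overriding a default that otherwise protects the fetch; I would expand it to `# v2->v3 migration: the Onion Service may not exist yet, so skip fetching client auth in this early include; the later restrict-direct-access run (after the tor role) fetches it with the default.` Scoping the override through `vars:` on `include_role` should confine it to this include, so the later run of the role would use the default `true`, but that later include and its conditions are outside this hunk and I cannot confirm it runs on the same hosts and under the same `when` conditions as this early one.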