Updates v3 fail-fast logic for admins

We're aiming to fail early if an Admin runs the install action against a server with v3 configured, but without having run sdconfig to enable v3 (indicates multiple Admins). Updated the monstrous filter line to pull out the booleans, then inspect that list in an assert statement. Seems to be working as expected, will test with multiple configuration paths prior to squashing. Better support for "staging" scenario, which has v3_onion_services=true, but enable_ssh_over_tor=false, so mon-staging was failing the check. Updated to accommodate. If no onions exist, don't fail: we're about to set them up!
freedomofpress · Aug 20, 2019 · 49d69c2 · 49d69c2
1 parent dbc85df
commit 49d69c2
Showing 1 changed file with 14 additions and 11 deletions.
diff --git a/...iles/ansible-base/roles/tor-hidden-services/tasks/check_tor_service_config_for_admins.yml b/...iles/ansible-base/roles/tor-hidden-services/tasks/check_tor_service_config_for_admins.yml
@@ -11,27 +11,30 @@
   register: _v3_services_existence_check_result
   with_items: "{{ tor_instances_v3 }}"
 
-  # Returns a list of booleans; should be ["True"] if v3 is enabled in sdconfig,
-  # otherwise ["False"]
+  # Returns a list of booleans, one boolean for each v3 service, denoting whether
+  # a config currently exists for that service.
 - name: Store info about existing v3 service state
   set_fact:
-    _v3_services_state_info: "{{ _v3_services_state_info|extract('exists')|unique }}"
-
-- name: Debug the v3 service state lookup
-  debug:
-    var: _v3_services_state_info
+    _v3_services_state_info: "{{ _v3_services_existence_check_result.results|map(attribute='stat')|map(attribute='exists')|list }}"
 
   # Fail if v3 service configs exist, but v3_onion_services is not enabled.
   # If v3 service configs do not exist, but v3_onion_services is enabled,
   # we're configuring the v3 services for the first time, so don't fail.
 - name: Confirm service state matches declared config
   assert:
     that: >
-      (True in _v3_services_state_info and v3_onion_services) or
-      (True not in _v3_services_state_info and not v3_onion_services)
-    fail_msg: >
+      (true in _v3_services_state_info and v3_onion_services) or
+      (true not in _v3_services_state_info and not v3_onion_services)
+    msg: >
       ERROR. The 'sdconfig' settings do not specify v3 Onion Services,
       but v3 Onion Services were found on the server. If your SecureDrop
       instance has multiple Administrators, contact the other Administrators
       to request the Tor v3 Onion Service config information. You must copy
-      the '*ths' files to this workstation, then re-run the install action.
+      the 'tor_v3_keys.json' and '*.auth_private' files to this workstation,
+      then re-run the install action.
+  when:
+    # In staging, Monitor Server will have 0 (SSH-over-Tor disabled)
+    - tor_instances_v3|length > 0
+    # Only run if we're connected over Tor (i.e. enabling v3 after v2).
+    # If we're not connected over Tor, this is a first-run.
+    - (ansible_host|default(ansible_ssh_host)).endswith('.onion')