Commit

Refactor key management and encryption and remove CryptoUtil
Fix the tests

Save new key's fingerprint to Redis

Implement encrypt and decrypt methods

Remove TODO

Some more changes

Implement some more tests

Fix remaining tests

fix

Finalized test suite

Run black

Linting

Tweak

Revert new variable name

AppArmor

Fix teardown code

Disable GPG passphrase cache in all locations

Restore existing behavior

Move test-only config to corresponding fixtures

lint

flake8

Fix echo commands for GPG agent conf

Explicitly set USE_X_SENDFILE to False in tests

lint

Use pytest fixture for functional tests config

Switch back to function scope for config fixture

Fix tests

Fix tests

Fix tests

mypy

Fix typo

Fix last test
nabla-c0d3 committed Nov 16, 2021
1 parent d15c70d commit 6132be7
Showing 30 changed files with 850 additions and 698 deletions.
Expand Up @@ -165,10 +165,10 @@
/var/www/securedrop/__pycache__/ rw,
/var/www/securedrop/__pycache__/* rw,
/var/www/securedrop/config.py r,
/var/www/securedrop/crypto_util.py r,
/var/www/securedrop/db.py r,
/var/www/securedrop/dictionaries/adjectives.txt r,
/var/www/securedrop/dictionaries/nouns.txt r,
/var/www/securedrop/encryption.py r,
/var/www/securedrop/execution.py r,
/var/www/securedrop/i18n.py r,
/var/www/securedrop/journalist.py r,
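Review bot: any other module this refactor adds under /var/www/securedrop/ needs its own read rule next to the new encryption.py line, because only that one path is added where the crypto_util.py rule is dropped. The commit title mentions key management as well as encryption, so it is worth checking the list of added files against this profile; a module missing here is denied at import time once the profile is enforced.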
4 changes: 4 additions & 0 deletions install_files/securedrop-app-code/debian/postinst
Expand Up @@ -132,10 +132,14 @@ case "$1" in
if ! grep -qE '^allow-loopback-pinentry$' /var/lib/securedrop/keys/gpg-agent.conf; then
echo allow-loopback-pinentry >> /var/lib/securedrop/keys/gpg-agent.conf
fi
if ! grep -qE '^default-cache-ttl 0$' /var/lib/securedrop/keys/gpg-agent.conf; then
echo 'default-cache-ttl 0' >> /var/lib/securedrop/keys/gpg-agent.conf
fi

else
# gpg-agent.conf does not yet exist, create it.
echo allow-loopback-pinentry > /var/lib/securedrop/keys/gpg-agent.conf
echo 'default-cache-ttl 0' >> /var/lib/securedrop/keys/gpg-agent.conf
fi

# Migrate private keyring to gpg2.1 if needed
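Review bot: the new check in the existing-file branch, grep -qE '^default-cache-ttl 0$', only matches the exact value 0, so a gpg-agent.conf that already carries default-cache-ttl with another value gets a second, conflicting line appended rather than being corrected. Consider deleting any existing default-cache-ttl line before appending, so the file ends up with a single entry. Separately, nothing in the visible lines restarts gpg-agent the way bin/dev-deps does with pkill, so an agent that is already running would keep its old cache settings until it is restarted; please confirm that happens elsewhere in postinst.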
1 change: 1 addition & 0 deletions securedrop/bin/dev-deps
Expand Up @@ -64,6 +64,7 @@ function reset_demo() {

# Create gpg-agent.conf
echo allow-loopback-pinentry > /var/lib/securedrop/keys/gpg-agent.conf
echo 'default-cache-ttl 0' >> /var/lib/securedrop/keys/gpg-agent.conf

# Kill gpg-agent(s) if they exist so it picks up the new config on restart.
pkill -f gpg-agent || true
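Review bot: the added default-cache-ttl 0 line in reset_demo() has no comment saying why passphrase caching is turned off, and the same two-line gpg-agent.conf content is now written here and in both branches of postinst. A one-line comment next to the echo, and ideally a single shared source for the config, would keep the three copies from drifting the next time an agent option changes.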
221 changes: 0 additions & 221 deletions securedrop/crypto_util.py

This file was deleted.


0 comments on commit 6132be7
