Merge pull request #4167 from freedomofpress/4161-force-apparmor-prof…

…iles-in-app-code-deb-package Re-enables unattended upgrades to AppArmor profiles
freedomofpress · Feb 22, 2019 · 66452c3 · 66452c3
2 parents d887972 + 5e7e3c6
commit 66452c3
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 59 deletions.
diff --git a/install_files/ansible-base/roles/app-test/defaults/main.yml b/install_files/ansible-base/roles/app-test/defaults/main.yml
@@ -1,9 +1,4 @@
 ---
-# Whether to set the Apache AppArmor profiles to "complain".
-# Can aid in debugging the AppArmor profiles, but also permits
-# misconfigurations, and so should be used with caution.
-securedrop_app_test_apparmor_complain: False
-
 # Username for Apache service, used to set permissions on the
 # Source Interface config to enable logging in the staging environment.
 apache_user: www-data

diff --git a/install_files/ansible-base/roles/app-test/tasks/apparmor_complain.yml b/install_files/ansible-base/roles/app-test/tasks/apparmor_complain.yml
diff --git a/install_files/ansible-base/roles/app-test/tasks/main.yml b/install_files/ansible-base/roles/app-test/tasks/main.yml
@@ -4,11 +4,6 @@
   tags:
     - apache
 
-- include: apparmor_complain.yml
-  when: securedrop_app_test_apparmor_complain
-  tags:
-    - aa-complain
-
 - include: dev_setup_xvfb_for_functional_tests.yml
 
 - include: setup_firefox_for_selenium.yml

diff --git a/install_files/securedrop-app-code/debian/rules b/install_files/securedrop-app-code/debian/rules
@@ -21,3 +21,9 @@ endif
 
 override_dh_gencontrol:
 	dh_gencontrol -- $(SUBSTVARS)
+
+# Move the conffile in version control to squash the autogenerated one by debhelper, as files in /etc/ are automatically marked as conffiles.
+# We are shipping AppArmor profiles via this package, and want them to be correctly updated with each update.
+override_dh_installdeb:
+	dh_installdeb
+	cp ${CURDIR}/debian/conffiles ${CURDIR}/debian/securedrop-app-code/DEBIAN/
diff --git a/molecule/builder-trusty/tests/test_securedrop_deb_package.py b/molecule/builder-trusty/tests/test_securedrop_deb_package.py
@@ -1,6 +1,7 @@
 import pytest
 import os
 import re
+import tempfile
 
 
 SECUREDROP_TARGET_PLATFORM = os.environ.get("SECUREDROP_TARGET_PLATFORM", "trusty")
@@ -228,6 +229,33 @@ def test_deb_package_contains_no_generated_assets(host, deb):
         assert not re.search("^.*css.map$", c.stdout, re.M)
 
 
+@pytest.mark.parametrize("deb", deb_packages)
+def test_deb_package_contains_expected_conffiles(host, deb):
+    """
+    Ensures the `securedrop-app-code` package declares only whitelisted
+    `conffiles`. Several files in `/etc/` would automatically be marked
+    conffiles, which would break unattended updates to critical package
+    functionality such as AppArmor profiles. This test validates overrides
+    in the build logic to unset those conffiles.
+    """
+    deb_package = host.file(deb.format(
+        securedrop_test_vars.securedrop_version))
+
+    # Only relevant for the securedrop-app-code package:
+    if "securedrop-app-code" in deb_package.path:
+        tmpdir = tempfile.mkdtemp()
+        # The `--raw-extract` flag includes `DEBIAN/` dir with control files
+        host.run("dpkg-deb --raw-extract {} {}".format(deb, tmpdir))
+        conffiles_path = os.path.join(tmpdir, "DEBIAN", "conffiles")
+        f = host.file(conffiles_path)
+
+        assert f.is_file
+        # Ensure that the entirety of the file lists only the logo as conffile;
+        # effectively ensures e.g. AppArmor profiles are not conffiles.
+        conffiles = f.content_string.rstrip()
+        assert conffiles == "/var/www/securedrop/static/i/logo.png"
+
+
 @pytest.mark.parametrize("deb", deb_packages)
 def test_deb_package_contains_css(host, deb):
     """