Adds WSGIPassAuthorization header via postinst

In order to ensure config updates during scheduled nightly upgrades for 0.9.0, we must patch the Apache config in-place. The approach uses an in-place substitution on the journalist vhost config file, checking first for the presence of the line, and skipping the substitution is it's already found.
freedomofpress · Sep 4, 2018 · 855dd91 · 855dd91
1 parent 4cdaf69
commit 855dd91
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/install_files/securedrop-app-code/DEBIAN/postinst b/install_files/securedrop-app-code/DEBIAN/postinst
@@ -63,6 +63,19 @@ database_migration() {
     fi
 }
 
+# Supports passing authorization headers for the SecureDrop API.
+# Only affects the Journalist Interface. Required for unattended upgrade
+# to v0.9.0.
+function permit_wsgi_authorization() {
+    journalist_conf="/etc/apache2/sites-available/journalist.conf"
+    # First we check whether the line is present.
+    # Next we find a target line to anchor the insertion.
+    # Then we insert the line, along with the target line that was matched.
+    if ! grep -qP '^WSGIPassAuthorization' "$journalist_conf"; then
+        perl -pi -e 's/^(WSGIScriptAlias .*)/$1\nWSGIPassAuthorization On/' "$journalist_conf"
+    fi
+}
+
 case "$1" in
     configure)
     # Ensure SecureDrop's necessary directories are created
@@ -99,6 +112,9 @@ case "$1" in
     aa-enforce /etc/apparmor.d/usr.sbin.tor
     aa-enforce /etc/apparmor.d/usr.sbin.apache2
 
+    # Munge Apache config while service is stopped.
+    permit_wsgi_authorization
+
     # Restart apache so it loads with the apparmor profiles in enforce mode.
     service apache2 restart