From 855dd91e5dbf5741e53a6f20ffb75498eb2acee6 Mon Sep 17 00:00:00 2001
From: Conor Schaefer
Date: Tue, 4 Sep 2018 10:36:35 -0700
Subject: [PATCH] Adds WSGIPassAuthorization header via postinst

In order to ensure config updates during scheduled nightly upgrades for 0.9.0, we must patch the Apache config in-place. The approach uses an in-place substitution on the journalist vhost config file, checking first for the presence of the line, and skipping the substitution is it's already found.
---
 .../securedrop-app-code/DEBIAN/postinst | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/install_files/securedrop-app-code/DEBIAN/postinst b/install_files/securedrop-app-code/DEBIAN/postinst
index 3fc413be0f7..a36a72ed888 100755
--- a/install_files/securedrop-app-code/DEBIAN/postinst
+++ b/install_files/securedrop-app-code/DEBIAN/postinst
@@ -63,6 +63,19 @@ database_migration() {
 fi
 }
 
+# Supports passing authorization headers for the SecureDrop API.
+# Only affects the Journalist Interface. Required for unattended upgrade
+# to v0.9.0.
+function permit_wsgi_authorization() {
+ journalist_conf="/etc/apache2/sites-available/journalist.conf"
+ # First we check whether the line is present.
+ # Next we find a target line to anchor the insertion.
+ # Then we insert the line, along with the target line that was matched.
+ if ! grep -qP '^WSGIPassAuthorization' "$journalist_conf"; then
+ perl -pi -e 's/^(WSGIScriptAlias .*)/$1\nWSGIPassAuthorization On/' "$journalist_conf"
+ fi
+}
+
 case "$1" in
 configure)
 # Ensure SecureDrop's necessary directories are created
@@ -99,6 +112,9 @@ case "$1" in
 aa-enforce /etc/apparmor.d/usr.sbin.tor
 aa-enforce /etc/apparmor.d/usr.sbin.apache2
 
+ # Munge Apache config while service is stopped.
+ permit_wsgi_authorization
+
 # Restart apache so it loads with the apparmor profiles in enforce mode.
 service apache2 restart
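Review bot: The presence check and the substitution in `permit_wsgi_authorization` both anchor at column 0, so if the directives in journalist.conf are indented (the file is not shown here) the grep reports the line missing and the perl edit matches nothing, and postinst carries on as if the change had been applied. Nothing confirms the result afterwards, and the call in the second hunk sits directly before the Apache restart, so an unattended upgrade could finish with Authorization headers still not reaching the Journalist Interface app. I would tolerate leading whitespace in both patterns, `grep -qP '^\s*WSGIPassAuthorization\b'` and `s/^(\s*WSGIScriptAlias .*)/$1\nWSGIPassAuthorization On/`, and re-run the grep after the edit so that a miss is logged rather than silent. `journalist_conf` could also be declared `local`, since the function already uses bash syntax and the variable otherwise leaks into the rest of the script.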