Build Rust redwood wheel during packaging process

Use maturin to build the redwood wheel and then install it into the virtualenv shipped in the Debian package. A testinfra check is added that verifies the redwood wheel is importable and is able to generate a key pair. Fixes #6817.
freedomofpress · Jun 27, 2023 · 8b9a94f · 8b9a94f
1 parent 89259d9
commit 8b9a94f
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 2 deletions.
diff --git a/builder/build-debs-securedrop.sh b/builder/build-debs-securedrop.sh
@@ -9,6 +9,7 @@ set -euxo pipefail
 
 # Make a copy of the source tree since we do destructive operations on it
 cp -R /src/securedrop /srv/securedrop
+cp -R /src/redwood /srv/redwood
 cd /srv/securedrop/
 
 # Control the version of setuptools used in the default construction of virtual environments

diff --git a/builder/tests/test_securedrop_deb_package.py b/builder/tests/test_securedrop_deb_package.py
@@ -9,6 +9,7 @@
     subprocess.check_output(["git", "rev-parse", "--show-toplevel"]).decode().strip()
 )
 DEB_PATHS = list((SECUREDROP_ROOT / "build/focal").glob("*.deb"))
+SITE_PACKAGES = "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages"
 
 
 @pytest.fixture(scope="module")
@@ -69,6 +70,7 @@ def test_deb_package_contains_expected_conffiles(deb: Path):
         "/var/www/securedrop/.well-known/pki-validation/",
         "/var/www/securedrop/translations/messages.pot",
         "/var/www/securedrop/translations/de_DE/LC_MESSAGES/messages.mo",
+        f"{SITE_PACKAGES}/redwood/redwood.cpython-38-x86_64-linux-gnu.so",
     ),
 )
 def test_app_code_paths(securedrop_app_code_contents: str, path: str):

diff --git a/molecule/testinfra/app/test_smoke.py b/molecule/testinfra/app/test_smoke.py
@@ -1,6 +1,8 @@
 """
 Basic smoke tests that verify the apps are functioning as expected
 """
+import json
+
 import pytest
 import testutils
 
@@ -31,3 +33,19 @@ def test_interface_up(host, name, url, curl_flags):
                 assert "nopenopenope" in f.content_string
     assert "200 OK" in response
     assert "Powered by" in response
+
+
+def test_redwood(host):
+    """
+    Verify the redwood wheel was built and installed properly and basic
+    functionality works
+    """
+    response = host.run(
+        "/opt/venvs/securedrop-app-code/bin/python3 -c "
+        "'import redwood; import json; print("
+        'json.dumps(redwood.generate_source_key_pair("abcde", "test@invalid")))\''
+    )
+    parsed = json.loads(response.stdout)
+    assert "-----BEGIN PGP PUBLIC KEY BLOCK-----" in parsed[0]
+    assert "-----BEGIN PGP PRIVATE KEY BLOCK-----" in parsed[1]
+    assert len(parsed[2]) == 40
diff --git a/securedrop/debian/redwood.sh b/securedrop/debian/redwood.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -ex
+
+# We create the virtualenv separately from the "pip install" commands below,
+# to make error-reporting a bit more obvious. We also update beforehand,
+# beyond what the system version provides, see #6317.
+python3 -m venv /tmp/redwood-venv
+/tmp/redwood-venv/bin/pip3 install -r \
+<(echo "pip==21.3
+--hash=sha256:4a1de8f97884ecfc10b48fe61c234f7e7dcf4490a37217011ad9369d899ad5a6
+--hash=sha256:741a61baab1dbce2d8ca415effa48a2b6a964564f81a9f4f1fce4c433346c034")
+
+# Install dependencies
+# TODO: are we okay using an upstream wheel?
+/tmp/redwood-venv/bin/pip3 install --no-deps --require-hashes -r requirements/python3/build-requirements.txt
+
+# Build the wheel
+/tmp/redwood-venv/bin/maturin build --manifest-path /srv/redwood/Cargo.toml --release
+ls -l /srv/redwood/target/wheels
diff --git a/securedrop/debian/rules b/securedrop/debian/rules
@@ -21,6 +21,8 @@ override_dh_installdeb:
 	echo "" > ${CURDIR}/debian/securedrop-keyring/DEBIAN/conffiles
 
 override_dh_auto_install:
+	# Build redwood wheel
+	bash ./debian/redwood.sh
 	# Set up virtualenv and install dependencies
 	/usr/bin/python3 -m venv ./debian/securedrop-app-code/opt/venvs/securedrop-app-code
 	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
@@ -29,6 +31,8 @@ override_dh_auto_install:
 		pip==21.3
 	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
 		-r requirements/python3/requirements.txt
+	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
+		/srv/redwood/target/wheels/redwood-*.whl
 	# Update paths to point to install destination
 	find ./debian/securedrop-app-code/ -type f -exec sed -i "s#$(shell pwd)/debian/securedrop-app-code##" {} \;
 	dh_auto_install $@

diff --git a/securedrop/debian/translations.sh b/securedrop/debian/translations.sh
@@ -1,8 +1,6 @@
 #!/bin/bash
 set -ex
 
-export PATH="${PATH}:/root/.cargo/bin"
-
 # We create the virtualenv separately from the "pip install" commands below,
 # to make error-reporting a bit more obvious. We also update beforehand,
 # beyond what the system version provides, see #6317.