Merge pull request #4092 from freedomofpress/4031-v2-explicit-v2-onio…

…n-services Explicitly declare onion services as v2 for existing installs
freedomofpress · Feb 4, 2019 · 97e98fa · 97e98fa
2 parents 7997acc + 17a8fa3
commit 97e98fa
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 2 deletions.
diff --git a/install_files/securedrop-config/DEBIAN/postinst b/install_files/securedrop-config/DEBIAN/postinst
@@ -39,6 +39,16 @@ allow_apt_user_in_iptables() {
            "$rules_v4"
     fi
 }
+# Tor 0.3.5.x series now defaults to v3 onion URLs, but SecureDrop currently
+# uses v2 onion URLs. We must explictly set this definition in torrc to avoid
+# breakage when upgrading from Tor 0.3.4.x to 0.3.5.x.
+set_v2_hidserv_in_torrc() {
+    if [ -f /etc/tor/torrc ]; then
+        if ! grep -q HiddenServiceVersion /etc/tor/torrc ; then
+            perl -pi -e 's/^(HiddenServiceDir.*)$/$1\nHiddenServiceVersion 2/' /etc/tor/torrc
+        fi
+    fi
+}
 
 manage_tor_repo_config() {
     # Ensure official Tor repo entry is removed, so that only FPF mirror is used.
@@ -69,6 +79,7 @@ case "$1" in
     fi
 
     allow_apt_user_in_iptables
+    set_v2_hidserv_in_torrc
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)

diff --git a/molecule/testinfra/staging/app/test_tor_hidden_services.py b/molecule/testinfra/staging/app/test_tor_hidden_services.py
@@ -54,7 +54,7 @@ def test_tor_service_hostnames(File, Sudo, tor_service):
 
 
 @pytest.mark.parametrize('tor_service', sdvars.tor_services)
-def test_tor_services_config(File, tor_service):
+def test_tor_services_config(host, tor_service):
     """
     Ensure torrc file contains relevant lines for Hidden Service declarations.
     All hidden services must include:
@@ -68,7 +68,7 @@ def test_tor_services_config(File, tor_service):
 
     Check for each as appropriate.
     """
-    f = File("/etc/tor/torrc")
+    f = host.file("/etc/tor/torrc")
     dir_regex = "HiddenServiceDir /var/lib/tor/services/{}".format(
         tor_service['name'])
     # We need at least one port, but it may be used for both config values.
@@ -80,13 +80,23 @@ def test_tor_services_config(File, tor_service):
     except IndexError:
         local_port = remote_port
 
+    # Ensure that service is hardcoded to v2, for compatibility
+    # with newer versions of Tor, which default to v3.
+    version_string = "HiddenServiceVersion 2"
+
     port_regex = "HiddenServicePort {} 127.0.0.1:{}".format(
             remote_port, local_port)
 
     assert f.contains("^{}$".format(dir_regex))
     assert f.contains("^{}$".format(port_regex))
 
+    service_regex = "\n".join([dir_regex, version_string, port_regex])
+
     if tor_service['authenticated']:
         auth_regex = "HiddenServiceAuthorizeClient stealth {}".format(
                 tor_service['client'])
         assert f.contains("^{}$".format(auth_regex))
+        service_regex += "\n{}".format(auth_regex)
+
+    # Check for block in file, to ensure declaration order
+    assert service_regex in f.content_string