feat(securedrop-admin): configure securedrop_app_allow_document_uploads

freedomofpress · Sep 29, 2019 · adae044 · adae044
1 parent 45839df
commit adae044
Show file tree

Hide file tree

Showing 7 changed files with 47 additions and 0 deletions.
diff --git a/admin/securedrop_admin/__init__.py b/admin/securedrop_admin/__init__.py
@@ -320,6 +320,12 @@ def __init__(self, args):
              SiteConfig.ValidateNotEmpty(),
              None,
              lambda config: True],
+            ['securedrop_app_allow_document_uploads', True, bool,
+             u'Whether to allow sources to submit documents as well '
+             'as messages',
+             SiteConfig.ValidateYesNo(),
+             lambda x: x.lower() == 'yes',
+             lambda config: True],
             ['securedrop_app_gpg_public_key', 'SecureDrop.asc', str,
              u'Local filepath to public key for '
              'SecureDrop Application GPG public key',

diff --git a/admin/tests/files/site-specific b/admin/tests/files/site-specific
@@ -9,6 +9,7 @@ ossec_gpg_fpr: E99FFE83DF73E72FB6B264ED992D23B392F9E4F2
 sasl_domain: gnu.com
 sasl_password: passowrdok
 sasl_username: usernameok
+securedrop_app_allow_document_uploads: true
 securedrop_app_gpg_fingerprint: E99FFE83DF73E72FB6B264ED992D23B392F9E4F2
 securedrop_app_gpg_public_key: key.asc
 securedrop_app_https_on_source_interface: false

diff --git a/admin/tests/test_integration.py b/admin/tests/test_integration.py
@@ -32,6 +32,7 @@
 sasl_domain: gmail.com
 sasl_password: testpassword
 sasl_username: testuser
+securedrop_app_allow_document_uploads: true
 securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58
 securedrop_app_gpg_public_key: sd_admin_test.pub
 securedrop_app_https_certificate_cert_src: ''
@@ -64,6 +65,7 @@
 sasl_domain: gmail.com
 sasl_password: testpassword
 sasl_username: testuser
+securedrop_app_allow_document_uploads: true
 securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58
 securedrop_app_gpg_public_key: sd_admin_test.pub
 securedrop_app_https_certificate_cert_src: ''
@@ -96,6 +98,7 @@
 sasl_domain: gmail.com
 sasl_password: testpassword
 sasl_username: testuser
+securedrop_app_allow_document_uploads: true
 securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58
 securedrop_app_gpg_public_key: sd_admin_test.pub
 securedrop_app_https_certificate_cert_src: ''
@@ -128,6 +131,7 @@
 sasl_domain: gmail.com
 sasl_password: testpassword
 sasl_username: testuser
+securedrop_app_allow_document_uploads: true
 securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58
 securedrop_app_gpg_public_key: sd_admin_test.pub
 securedrop_app_https_certificate_cert_src: ''
@@ -160,6 +164,7 @@
 sasl_domain: gmail.com
 sasl_password: testpassword
 sasl_username: testuser
+securedrop_app_allow_document_uploads: true
 securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58
 securedrop_app_gpg_public_key: sd_admin_test.pub
 securedrop_app_https_certificate_cert_src: sd.crt
@@ -233,6 +238,11 @@ def verify_dns_prompt(child):
     assert ANSI_ESCAPE.sub('', child.buffer) == ' 8.8.8.8'  # Expected default
 
 
+def verify_app_allow_document_uploads_prompt(child):
+    child.expect(r'Whether to allow sources to submit documents as well as messages\:', timeout=2)  # noqa: E501
+    assert ANSI_ESCAPE.sub('', child.buffer) == ' yes'  # Expected default
+
+
 def verify_app_gpg_key_prompt(child):
     child.expect('Local filepath to public key for SecureDrop Application GPG public key\:', timeout=2)  # noqa: E501
 
@@ -348,6 +358,9 @@ def test_sdconfig_on_first_run():
     child.sendline('')
     verify_dns_prompt(child)
     child.sendline('')
+    verify_app_allow_document_uploads_prompt(child)
+    # Default answer is yes
+    child.sendline('')
     verify_app_gpg_key_prompt(child)
     child.sendline('\b' * 14 + 'sd_admin_test.pub')
     verify_https_prompt(child)
@@ -410,6 +423,9 @@ def test_sdconfig_both_v2_v3_true():
     child.sendline('')
     verify_dns_prompt(child)
     child.sendline('')
+    verify_app_allow_document_uploads_prompt(child)
+    # Default answer is yes
+    child.sendline('')
     verify_app_gpg_key_prompt(child)
     child.sendline('\b' * 14 + 'sd_admin_test.pub')
     verify_https_prompt(child)
@@ -472,6 +488,9 @@ def test_sdconfig_only_v2_true():
     child.sendline('')
     verify_dns_prompt(child)
     child.sendline('')
+    verify_app_allow_document_uploads_prompt(child)
+    # Default answer is yes
+    child.sendline('')
     verify_app_gpg_key_prompt(child)
     child.sendline('\b' * 14 + 'sd_admin_test.pub')
     verify_https_prompt(child)
@@ -534,6 +553,9 @@ def test_sdconfig_enable_journalist_alerts():
     child.sendline('')
     verify_dns_prompt(child)
     child.sendline('')
+    verify_app_allow_document_uploads_prompt(child)
+    # Default answer is yes
+    child.sendline('')
     verify_app_gpg_key_prompt(child)
     child.sendline('\b' * 14 + 'sd_admin_test.pub')
     verify_https_prompt(child)
@@ -601,6 +623,9 @@ def test_sdconfig_enable_https_on_source_interface():
     child.sendline('')
     verify_dns_prompt(child)
     child.sendline('')
+    verify_app_allow_document_uploads_prompt(child)
+    # Default answer is yes
+    child.sendline('')
     verify_app_gpg_key_prompt(child)
     child.sendline('\b' * 14 + 'sd_admin_test.pub')
     verify_https_prompt(child)

diff --git a/admin/tests/test_securedrop-admin.py b/admin/tests/test_securedrop-admin.py
@@ -858,6 +858,8 @@ def auto_prompt(prompt, default, **kwargs):
     verify_prompt_monitor_hostname = verify_desc_consistency
     verify_prompt_dns_server = verify_desc_consistency
 
+    verify_prompt_securedrop_app_allow_document_uploads = \
+        verify_prompt_boolean
     verify_prompt_securedrop_app_https_on_source_interface = \
         verify_prompt_boolean
     verify_prompt_enable_ssh_over_tor = verify_prompt_boolean

diff --git a/install_files/ansible-base/prod-specific.yml b/install_files/ansible-base/prod-specific.yml
@@ -20,6 +20,7 @@ app_ip: ""
 # and zero spaces, e.g. "B89A29DB2128160B8E4B1B4CBADDE0C7FC9F6818"
 securedrop_app_gpg_public_key: ""
 securedrop_app_gpg_fingerprint: ""
+securedrop_app_allow_document_uploads: True
 
 ### Used by the mon role ###
 # The OSSEC alert GPG public key has to be in the install_files/ansible-base/ or

diff --git a/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml b/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml
@@ -169,3 +169,11 @@
   when: securedrop_supported_locales is defined
   tags:
     - securedrop_config
+
+- name: Dis/allow document uploads in config.py.
+  lineinfile:
+    dest: "{{ securedrop_code }}/config.py"
+    regexp: "^ALLOW_DOCUMENT_UPLOADS"
+    line: "ALLOW_DOCUMENT_UPLOADS = {{ securedrop_app_allow_document_uploads }}"
+  tags:
+    - securedrop_config
diff --git a/install_files/ansible-base/roles/validate/tasks/validate_tails_environment.yml b/install_files/ansible-base/roles/validate/tasks/validate_tails_environment.yml
@@ -95,3 +95,7 @@
   when:
     - v3_onion_services
     - v3_journalist_auth_file.stat.exists
+
+- name: Default securedrop_app_allow_document_uploads to true
+  set_fact:
+    securedrop_app_allow_document_uploads: {{ securedrop_app_allow_document_uploads | default(True) }}