diff --git a/admin/securedrop_admin/__init__.py b/admin/securedrop_admin/__init__.py index 906c79b1651..57c9b1b729c 100755 --- a/admin/securedrop_admin/__init__.py +++ b/admin/securedrop_admin/__init__.py @@ -320,6 +320,12 @@ def __init__(self, args): SiteConfig.ValidateNotEmpty(), None, lambda config: True], + ['securedrop_app_allow_document_uploads', True, bool, + u'Whether to allow sources to submit documents as well ' + 'as messages', + SiteConfig.ValidateYesNo(), + lambda x: x.lower() == 'yes', + lambda config: True], ['securedrop_app_gpg_public_key', 'SecureDrop.asc', str, u'Local filepath to public key for ' 'SecureDrop Application GPG public key', diff --git a/admin/tests/files/site-specific b/admin/tests/files/site-specific index c335c14b3ce..0def6933053 100644 --- a/admin/tests/files/site-specific +++ b/admin/tests/files/site-specific @@ -9,6 +9,7 @@ ossec_gpg_fpr: E99FFE83DF73E72FB6B264ED992D23B392F9E4F2 sasl_domain: gnu.com sasl_password: passowrdok sasl_username: usernameok +securedrop_app_allow_document_uploads: true securedrop_app_gpg_fingerprint: E99FFE83DF73E72FB6B264ED992D23B392F9E4F2 securedrop_app_gpg_public_key: key.asc securedrop_app_https_on_source_interface: false diff --git a/admin/tests/test_integration.py b/admin/tests/test_integration.py index 3df4c0eb57a..ed8e248dd54 100644 --- a/admin/tests/test_integration.py +++ b/admin/tests/test_integration.py @@ -32,6 +32,7 @@ sasl_domain: gmail.com sasl_password: testpassword sasl_username: testuser +securedrop_app_allow_document_uploads: true securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58 securedrop_app_gpg_public_key: sd_admin_test.pub securedrop_app_https_certificate_cert_src: '' 
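Review bot: The new `securedrop_app_allow_document_uploads` entry in the `__init__` option list has no comment saying that it is a hardening switch, or that its transform `lambda x: x.lower() == 'yes'` maps every answer other than "yes" to `False`. That fail-closed behaviour is safe only because `SiteConfig.ValidateYesNo()` runs first, which is worth stating next to the entry. I would add a comment above it such as `# Answering "no" limits sources to text messages; any value other than "yes" disables uploads.` The option list and the rest of `__init__` continue outside this hunk.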
@@ -64,6 +65,7 @@ sasl_domain: gmail.com sasl_password: testpassword sasl_username: testuser +securedrop_app_allow_document_uploads: true securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58 securedrop_app_gpg_public_key: sd_admin_test.pub securedrop_app_https_certificate_cert_src: '' @@ -96,6 +98,7 @@ sasl_domain: gmail.com sasl_password: testpassword sasl_username: testuser +securedrop_app_allow_document_uploads: true securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58 securedrop_app_gpg_public_key: sd_admin_test.pub securedrop_app_https_certificate_cert_src: '' @@ -128,6 +131,7 @@ sasl_domain: gmail.com sasl_password: testpassword sasl_username: testuser +securedrop_app_allow_document_uploads: true securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58 securedrop_app_gpg_public_key: sd_admin_test.pub securedrop_app_https_certificate_cert_src: '' @@ -160,6 +164,7 @@ sasl_domain: gmail.com sasl_password: testpassword sasl_username: testuser +securedrop_app_allow_document_uploads: true securedrop_app_gpg_fingerprint: 1F544B31C845D698EB31F2FF364F1162D32E7E58 securedrop_app_gpg_public_key: sd_admin_test.pub securedrop_app_https_certificate_cert_src: sd.crt @@ -233,6 +238,11 @@ def verify_dns_prompt(child): assert ANSI_ESCAPE.sub('', child.buffer) == ' 8.8.8.8' # Expected default +def verify_app_allow_document_uploads_prompt(child): + child.expect(r'Whether to allow sources to submit documents as well as messages\:', timeout=2) # noqa: E501 + assert ANSI_ESCAPE.sub('', child.buffer) == ' yes' # Expected default + + def verify_app_gpg_key_prompt(child): child.expect('Local filepath to public key for SecureDrop Application GPG public key\:', timeout=2) # noqa: E501 
@@ -348,6 +358,9 @@ def test_sdconfig_on_first_run(): child.sendline('') verify_dns_prompt(child) child.sendline('') + verify_app_allow_document_uploads_prompt(child) + # Default answer is yes + child.sendline('') verify_app_gpg_key_prompt(child) child.sendline('\b' * 14 + 'sd_admin_test.pub') verify_https_prompt(child) @@ -410,6 +423,9 @@ def test_sdconfig_both_v2_v3_true(): child.sendline('') verify_dns_prompt(child) child.sendline('') + verify_app_allow_document_uploads_prompt(child) + # Default answer is yes + child.sendline('') verify_app_gpg_key_prompt(child) child.sendline('\b' * 14 + 'sd_admin_test.pub') verify_https_prompt(child) @@ -472,6 +488,9 @@ def test_sdconfig_only_v2_true(): child.sendline('') verify_dns_prompt(child) child.sendline('') + verify_app_allow_document_uploads_prompt(child) + # Default answer is yes + child.sendline('') verify_app_gpg_key_prompt(child) child.sendline('\b' * 14 + 'sd_admin_test.pub') verify_https_prompt(child) @@ -534,6 +553,9 @@ def test_sdconfig_enable_journalist_alerts(): child.sendline('') verify_dns_prompt(child) child.sendline('') + verify_app_allow_document_uploads_prompt(child) + # Default answer is yes + child.sendline('') verify_app_gpg_key_prompt(child) child.sendline('\b' * 14 + 'sd_admin_test.pub') verify_https_prompt(child) @@ -601,6 +623,9 @@ def test_sdconfig_enable_https_on_source_interface(): child.sendline('') verify_dns_prompt(child) child.sendline('') + verify_app_allow_document_uploads_prompt(child) + # Default answer is yes + child.sendline('') verify_app_gpg_key_prompt(child) child.sendline('\b' * 14 + 'sd_admin_test.pub') verify_https_prompt(child) diff --git a/admin/tests/test_securedrop-admin.py b/admin/tests/test_securedrop-admin.py index 7a876c1c447..6ff7b050d62 100644 --- a/admin/tests/test_securedrop-admin.py +++ b/admin/tests/test_securedrop-admin.py 
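Review bot: Every integration test that gains the new prompt step accepts the default, sending `child.sendline('')` after `verify_app_allow_document_uploads_prompt(child)`. As a result the "no" answer, the one that actually restricts the source interface, is never driven through the prompt or checked in the written config. The same applies to the hunks in `test_sdconfig_both_v2_v3_true`, `test_sdconfig_only_v2_true`, `test_sdconfig_enable_journalist_alerts` and `test_sdconfig_enable_https_on_source_interface`. At least one of them should answer no, for example `child.sendline('\b' * 3 + 'no')` following the backspace pattern used for the GPG key prompt, and its expected output block should carry `securedrop_app_allow_document_uploads: false`. The test bodies continue outside these hunks, so the exact erase count should be confirmed against the prompt's default text.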
@@ -858,6 +858,8 @@ def auto_prompt(prompt, default, **kwargs): verify_prompt_monitor_hostname = verify_desc_consistency verify_prompt_dns_server = verify_desc_consistency + verify_prompt_securedrop_app_allow_document_uploads = \ + verify_prompt_boolean verify_prompt_securedrop_app_https_on_source_interface = \ verify_prompt_boolean verify_prompt_enable_ssh_over_tor = verify_prompt_boolean diff --git a/install_files/ansible-base/prod-specific.yml b/install_files/ansible-base/prod-specific.yml index a24ee766b5f..31d5f85a3f4 100644 --- a/install_files/ansible-base/prod-specific.yml +++ b/install_files/ansible-base/prod-specific.yml @@ -20,6 +20,7 @@ app_ip: "" # and zero spaces, e.g. "B89A29DB2128160B8E4B1B4CBADDE0C7FC9F6818" securedrop_app_gpg_public_key: "" securedrop_app_gpg_fingerprint: "" +securedrop_app_allow_document_uploads: True ### Used by the mon role ### # The OSSEC alert GPG public key has to be in the install_files/ansible-base/ or diff --git a/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml b/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml index 5df014a3dd0..52a6b091c36 100644 --- a/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml +++ b/install_files/ansible-base/roles/app/tasks/initialize_securedrop_app.yml @@ -169,3 +169,11 @@ when: securedrop_supported_locales is defined tags: - securedrop_config + +- name: Dis/allow document uploads in config.py. + lineinfile: + dest: "{{ securedrop_code }}/config.py" + regexp: "^ALLOW_DOCUMENT_UPLOADS" + line: "ALLOW_DOCUMENT_UPLOADS = {{ securedrop_app_allow_document_uploads }}" + tags: + - securedrop_config diff --git a/install_files/ansible-base/roles/validate/tasks/validate_tails_environment.yml b/install_files/ansible-base/roles/validate/tasks/validate_tails_environment.yml index 5f689f2dd11..9abf0aae586 100644 --- a/install_files/ansible-base/roles/validate/tasks/validate_tails_environment.yml 
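Review bot: The new `lineinfile` task in `initialize_securedrop_app.yml` renders `{{ securedrop_app_allow_document_uploads }}` straight into `config.py`, which is executable Python, without coercing it to a boolean. If the variable ever arrives as a string (a quoted "false" or "no" in a hand-edited vars file), the rendered line becomes a bare name rather than `False`, and the application would presumably fail at import instead of enforcing the setting. Coercing at the point of use gives a deterministic `True`/`False`: `line: "ALLOW_DOCUMENT_UPLOADS = {{ securedrop_app_allow_document_uploads | bool }}"`. Unlike the preceding task, which is guarded by `when: securedrop_supported_locales is defined`, this one has no guard, so it relies on the variable being set in every environment that runs the app role; that appears to hold only where the Tails validation default or `prod-specific.yml` applies.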
+++ b/install_files/ansible-base/roles/validate/tasks/validate_tails_environment.yml @@ -95,3 +95,7 @@ when: - v3_onion_services - v3_journalist_auth_file.stat.exists + +- name: Default securedrop_app_allow_document_uploads to true + set_fact: + securedrop_app_allow_document_uploads: {{ securedrop_app_allow_document_uploads | default(True) }}
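Review bot: The `set_fact` value in the new task starts with an unquoted `{{`, which YAML reads as the start of a flow mapping rather than a Jinja expression. Ansible will therefore either reject the file or fail to template the value. The expression needs quoting: `securedrop_app_allow_document_uploads: "{{ securedrop_app_allow_document_uploads | default(True) }}"`. Adding `| bool` after the default would also keep the fact a real boolean for the `config.py` task that consumes it.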