From b9a6fa38d52cebd78d41d365b86eb6317bf831f5 Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman
Date: Sat, 24 Apr 2021 13:01:32 -0400
Subject: [PATCH] Updated testinfra tests and vars to remove v2 references
---
 molecule/testinfra/app/test_tor_config.py | 7 +---
 .../testinfra/app/test_tor_hidden_services.py | 41 ++-----
 molecule/testinfra/vars/app-prod.yml | 12 ++----
 molecule/testinfra/vars/app-qubes-staging.yml | 14 -------
 molecule/testinfra/vars/app-staging.yml | 14 -------
 molecule/testinfra/vars/mon-prod.yml | 6 +--
 molecule/testinfra/vars/prod.yml | 14 -------
 molecule/testinfra/vars/prodVM.yml | 14 -------
 molecule/testinfra/vars/qubes-staging.yml | 14 -------
 molecule/testinfra/vars/staging.yml | 14 -------
 10 files changed, 10 insertions(+), 140 deletions(-)
diff --git a/molecule/testinfra/app/test_tor_config.py b/molecule/testinfra/app/test_tor_config.py
index a3f769d4767..9c0a57e3c44 100644
--- a/molecule/testinfra/app/test_tor_config.py
+++ b/molecule/testinfra/app/test_tor_config.py
@@ -64,14 +64,11 @@ def test_tor_torrc_sandbox(host):
 @pytest.mark.skip_in_prod
-def test_tor_v2_onion_url_readable_by_app(host):
+def test_tor_v2_onion_url_file_absent(host):
 v2_url_filepath = "/var/lib/securedrop/source_v2_url"
 with host.sudo():
 f = host.file(v2_url_filepath)
- assert f.is_file
- assert f.user == "www-data"
- assert f.mode == 0o644
- assert re.search(r"^[a-z0-9]{16}\.onion$", f.content_string)
+ assert not f.exists
 @pytest.mark.skip_in_prod
diff --git a/molecule/testinfra/app/test_tor_hidden_services.py b/molecule/testinfra/app/test_tor_hidden_services.py
index 1b74e59800b..6a952882490 100644
--- a/molecule/testinfra/app/test_tor_hidden_services.py
+++ b/molecule/testinfra/app/test_tor_hidden_services.py
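Review bot: The renamed `test_tor_v2_onion_url_file_absent` has no docstring recording why the file must be gone, so a later reader sees only `assert not f.exists`; a one-liner such as `"""A leftover v2 source URL file indicates an incomplete removal of the v2 onion service; only v3 services should remain."""` would capture the intent. The `@pytest.mark.skip_in_prod` marker is inherited from the old readable-by-app check; an absence check looks safe to run on prod hosts as well, so consider whether the skip is still wanted (the marker's definition is not visible here). If this was the only `re.search` call in the file, the `re` import outside the hunk may now be unused.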
@@ -26,9 +26,8 @@ def test_tor_service_directories(host, tor_service):
 @pytest.mark.parametrize('tor_service', sdvars.tor_services)
 def test_tor_service_hostnames(host, tor_service):
 """
- Check contents of Tor service hostname file. For normal onion services,
- the file should contain only hostname (.onion URL). For authenticated
- onion services, it should also contain the HidServAuth cookie.
+ Check contents of Tor service hostname file. For v3 onion services,
+ the file should contain only hostname (.onion URL).
 """
 # Declare regex only for THS; we'll build regex for ATHS only if
 # necessary, since we won't have the required values otherwise.
@@ -46,22 +45,13 @@ def test_tor_service_hostnames(host, tor_service):
 # All hostnames should contain at *least* the hostname.
 assert re.search(ths_hostname_regex, f.content_string)
- if tor_service['authenticated'] and tor_service['version'] == 2:
- # HidServAuth regex is approximately [a-zA-Z0-9/+], but validating
- # the entire entry is sane, and we don't need to nitpick the
- # charset.
- aths_hostname_regex = ths_hostname_regex + " .{22} # client: " + \
- tor_service['client']
- assert re.search("^{}$".format(aths_hostname_regex), f.content_string)
- elif tor_service['authenticated'] and tor_service['version'] == 3:
+ if tor_service['authenticated'] and tor_service['version'] == 3:
 # For authenticated version 3 onion services, the authorized_client
 # directory will exist and contain a file called client.auth.
 client_auth = host.file(
 "/var/lib/tor/services/{}/authorized_clients/client.auth".format(
 tor_service['name']))
 assert client_auth.is_file
- elif tor_service['version'] == 2:
- assert re.search("^{}$".format(ths_hostname_regex), f.content_string)
 else:
 assert re.search("^{}$".format(ths_hostname_regex_v3), f.content_string)
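Review bot: The comment kept directly under the new docstring, `# Declare regex only for THS; we'll build regex for ATHS only if` / `# necessary, since we won't have the required values otherwise.`, describes the v2 HidServAuth path whose `aths_hostname_regex` construction is deleted in the next hunk of this file, so it is now stale. A two-line comment stating that only the v3 hostname regexes remain and that authenticated v3 services are verified through their `client.auth` file would describe the code as it now stands. The regex declarations themselves sit between the two hunks and are not visible here.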
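Review bot: In the new `if tor_service['authenticated'] and tor_service['version'] == 3:` branch the hostname file content is still never matched against the anchored v3 pattern; only the `else:` branch asserts `re.search("^{}$".format(ths_hostname_regex_v3), f.content_string)`, so for an authenticated service the file only has to pass the unanchored `ths_hostname_regex` search above plus the `client_auth.is_file` check. Since the new docstring says every v3 hostname file should contain only the hostname, the anchored assertion could move above the `if` so it applies to all services, leaving just the `client.auth` check inside the branch. The unanchored `assert re.search(ths_hostname_regex, f.content_string)` uses a pattern defined outside the hunk; if it is still the shorter v2-era form it adds little once only v3 services are listed, because any v3 hostname contains a matching substring.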
@@ -75,12 +65,6 @@ def test_tor_services_config(host, tor_service):
 * HiddenServiceDir
 * HiddenServicePort
-
- Only v2 authenticated onion services must also include:
-
- * HiddenServiceAuthorizeClient
-
- Check for each as appropriate.
 """
 f = host.file("/etc/tor/torrc")
 dir_regex = "HiddenServiceDir /var/lib/tor/services/{}".format(
@@ -94,29 +78,12 @@ def test_tor_services_config(host, tor_service):
 except IndexError:
 local_port = remote_port
- # Ensure that service is hardcoded to v2, for compatibility
- # with newer versions of Tor, which default to v3.
- if tor_service['version'] == 2:
- version_string = "HiddenServiceVersion 2"
- else:
- version_string = ""
-
 port_regex = "HiddenServicePort {} 127.0.0.1:{}".format(
 remote_port, local_port)
 assert f.contains("^{}$".format(dir_regex))
 assert f.contains("^{}$".format(port_regex))
- if version_string:
- service_regex = "\n".join([dir_regex, version_string, port_regex])
- else:
- service_regex = "\n".join([dir_regex, port_regex])
-
- if tor_service['authenticated'] and tor_service['version'] == 2:
- auth_regex = "HiddenServiceAuthorizeClient stealth {}".format(
- tor_service['client'])
- assert f.contains("^{}$".format(auth_regex))
- service_regex += "\n{}".format(auth_regex)
-
 # Check for block in file, to ensure declaration order
+ service_regex = "\n".join([dir_regex, port_regex])
 assert service_regex in f.content_string
diff --git a/molecule/testinfra/vars/app-prod.yml b/molecule/testinfra/vars/app-prod.yml
index 9543eb97fb6..f525a6e9956 100644
--- a/molecule/testinfra/vars/app-prod.yml
+++ b/molecule/testinfra/vars/app-prod.yml
@@ -2,15 +2,9 @@ mon_ip: 10.0.1.5
 tor_services:
- - ssh
- - source
- - journalist
-
-tor_stealth_services:
- - service: "HiddenServicePort 22 127.0.0.1:22"
- stealth: admin
- - service: "HiddenServicePort 80 127.0.0.1:8080"
- stealth: journalist
+ - sshv3
+ - sourcev3
+ - journalistv3
 app_directories:
 - /var/www/securedrop
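Review bot: With the `HiddenServiceVersion 2` and `HiddenServiceAuthorizeClient` expectations removed, nothing in `test_tor_services_config` now asserts that those directives are absent from `/etc/tor/torrc`, so a host still carrying a v2 block passes as long as the expected `HiddenServiceDir`/`HiddenServicePort` pair is present. Adding `assert not f.contains("^HiddenServiceVersion 2$")` and `assert not f.contains("^HiddenServiceAuthorizeClient")` beside the existing `f.contains` checks would make the v2 removal observable in the rendered config rather than only in the test vars. The function's body begins outside the hunk.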
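Review bot: The `tor_stealth_services` mapping is removed entirely here and in the mon-prod.yml hunk, while `tor_services` keeps its flat-string form (`sshv3`, `sourcev3`, `journalistv3`), unlike the staging vars in this patch, which describe each service as a mapping with `name`/`ports`/`authenticated`/`version`. Any test that still reads `sdvars.tor_stealth_services`, or that indexes `tor_service['version']` over the prod list, would now fail on these hosts; the consumers of these vars are not visible in this diff, so it is worth confirming none remain.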
diff --git a/molecule/testinfra/vars/app-qubes-staging.yml b/molecule/testinfra/vars/app-qubes-staging.yml
index 8e2a218e401..434e5067040 100644
--- a/molecule/testinfra/vars/app-qubes-staging.yml
+++ b/molecule/testinfra/vars/app-qubes-staging.yml
@@ -40,20 +40,6 @@ app_directories:
 - /var/lib/securedrop/tmp
 tor_services:
- - name: source
- ports:
- - "80"
- authenticated: no
- version: 2
-
- - name: journalist
- ports:
- - "80"
- - "8080"
- authenticated: yes
- client: journalist
- version: 2
-
 - name: journalistv3
 ports:
 - "80"
diff --git a/molecule/testinfra/vars/app-staging.yml b/molecule/testinfra/vars/app-staging.yml
index 39fafc5d7fc..ee58e2a5f43 100644
--- a/molecule/testinfra/vars/app-staging.yml
+++ b/molecule/testinfra/vars/app-staging.yml
@@ -63,20 +63,6 @@ app_directories:
 - /var/lib/securedrop/tmp
 tor_services:
- - name: source
- ports:
- - "80"
- authenticated: no
- version: 2
-
- - name: journalist
- ports:
- - "80"
- - "8080"
- authenticated: yes
- client: journalist
- version: 2
-
 - name: journalistv3
 ports:
 - "80"
diff --git a/molecule/testinfra/vars/mon-prod.yml b/molecule/testinfra/vars/mon-prod.yml
index 3228fa51dfd..76def8ca0ae 100644
--- a/molecule/testinfra/vars/mon-prod.yml
+++ b/molecule/testinfra/vars/mon-prod.yml
@@ -7,11 +7,7 @@ app_hostname: app-prod
 app_ip: 10.0.1.4
 tor_services:
- - ssh
-
-tor_stealth_services:
- - service: "HiddenServicePort 22 127.0.0.1:22"
- stealth: admin
+ - sshv3
 # Postfix should indeed be running on prod hosts, otherwise
 # OSSEC alerts cannot be delivered. It's disabled in staging.
diff --git a/molecule/testinfra/vars/prod.yml b/molecule/testinfra/vars/prod.yml
index 9ccd6fe5fec..79dc33ee601 100644
--- a/molecule/testinfra/vars/prod.yml
+++ b/molecule/testinfra/vars/prod.yml
@@ -63,20 +63,6 @@ app_directories:
 - /var/lib/securedrop/tmp
 tor_services:
- - name: source
- ports:
- - "80"
- authenticated: no
- version: 2
-
- - name: journalist
- ports:
- - "80"
- - "8080"
- authenticated: yes
- client: journalist
- version: 2
-
 - name: journalistv3
 ports:
 - "80"
diff --git a/molecule/testinfra/vars/prodVM.yml b/molecule/testinfra/vars/prodVM.yml
index 660cee59365..3f0cff57512 100644
--- a/molecule/testinfra/vars/prodVM.yml
+++ b/molecule/testinfra/vars/prodVM.yml
@@ -62,20 +62,6 @@ app_directories:
 - /var/lib/securedrop/tmp
 tor_services:
- - name: source
- ports:
- - "80"
- authenticated: no
- version: 2
-
- - name: journalist
- ports:
- - "80"
- - "8080"
- authenticated: yes
- client: journalist
- version: 2
-
 - name: journalistv3
 ports:
 - "80"
diff --git a/molecule/testinfra/vars/qubes-staging.yml b/molecule/testinfra/vars/qubes-staging.yml
index 4f681ea5423..9c5f47aa04f 100644
--- a/molecule/testinfra/vars/qubes-staging.yml
+++ b/molecule/testinfra/vars/qubes-staging.yml
@@ -64,20 +64,6 @@ app_directories:
 - /var/lib/securedrop/tmp
 tor_services:
- - name: source
- ports:
- - "80"
- authenticated: no
- version: 2
-
- - name: journalist
- ports:
- - "80"
- - "8080"
- authenticated: yes
- client: journalist
- version: 2
-
 - name: journalistv3
 ports:
 - "80"
diff --git a/molecule/testinfra/vars/staging.yml b/molecule/testinfra/vars/staging.yml
index 6582a1042c4..8dfe408e063 100644
--- a/molecule/testinfra/vars/staging.yml
+++ b/molecule/testinfra/vars/staging.yml
@@ -64,20 +64,6 @@ app_directories:
 - /var/lib/securedrop/tmp
 tor_services:
- - name: source
- ports:
- - "80"
- authenticated: no
- version: 2
-
- - name: journalist
- ports:
- - "80"
- - "8080"
- authenticated: yes
- client: journalist
- version: 2
-
 - name: journalistv3
 ports:
 - "80"