Merge pull request #4231 from rmol/fix-4221

Try harder to attach to an existing tmux session
freedomofpress · Mar 14, 2019 · d154a43 · d154a43
2 parents daca1ff + 690f0e3
commit d154a43
Show file tree

Hide file tree

Showing 9 changed files with 77 additions and 33 deletions.
diff --git a/install_files/ansible-base/group_vars/securedrop_application_server.yml b/install_files/ansible-base/group_vars/securedrop_application_server.yml
@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-config-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
+  - "securedrop-config-0.1.3+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-ossec-agent-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
   - "{{ securedrop_app_code_deb }}.deb"
   - "ossec-agent-3.0.0-amd64.deb"

diff --git a/install_files/ansible-base/group_vars/securedrop_monitor_server.yml b/install_files/ansible-base/group_vars/securedrop_monitor_server.yml
@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-config-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
+  - "securedrop-config-0.1.3+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-ossec-server-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
   - ossec-server-3.0.0-amd64.deb
 

diff --git a/install_files/ansible-base/roles/common/files/bashrc_securedrop_additions b/install_files/ansible-base/roles/common/files/bashrc_securedrop_additions
diff --git a/install_files/ansible-base/roles/common/tasks/create_users.yml b/install_files/ansible-base/roles/common/tasks/create_users.yml
@@ -23,17 +23,6 @@
     - users
     - sudoers
 
-- name: Set SecureDrop bash profile additions.
-  copy:
-    src: bashrc_securedrop_additions
-    dest: /etc/profile.d/securedrop_additions.sh
-    owner: root
-    group: root
-    mode: "0644"
-  tags:
-    - users
-    - environment
-
 # Backwards-compatibility. Previously, the SecureDrop bashrc additions
 # for forcing a terminal multiplexer during interactive login sessions were
 # added to ~/.bashrc for each admin user account. It's cleaner to add the

diff --git a/install_files/securedrop-config/DEBIAN/control b/install_files/securedrop-config/DEBIAN/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <[email protected]>
 Homepage: https://securedrop.org
 Package: securedrop-config
-Version: 0.1.2+0.13.0~rc1
+Version: 0.1.3+0.13.0~rc1
 Architecture: all
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.
diff --git a/install_files/securedrop-config/etc/profile.d/securedrop_additions.sh b/install_files/securedrop-config/etc/profile.d/securedrop_additions.sh
@@ -0,0 +1,22 @@
+[[ $- != *i* ]] && return
+
+which tmux >/dev/null 2>&1 || return
+
+tmux_attach_via_proc() {
+    # If the tmux package is upgraded during the lifetime of a
+    # session, attaching with the new binary can fail due to different
+    # protocol versions. This function attaches using the reference to
+    # the old executable found in the /proc tree of an existing
+    # session.
+    pid=$(pgrep --newest tmux)
+    if test -n "$pid"
+    then
+        /proc/$pid/exe attach
+    fi
+    return 1
+}
+
+if test -z "$TMUX"
+then
+    (tmux attach || tmux_attach_via_proc || tmux new-session)
+fi
diff --git a/molecule/builder-trusty/tests/test_securedrop_deb_package.py b/molecule/builder-trusty/tests/test_securedrop_deb_package.py
@@ -241,7 +241,7 @@ def test_deb_package_contains_expected_conffiles(host, deb):
     deb_package = host.file(deb.format(
         securedrop_test_vars.securedrop_version))
 
-    # Only relevant for the securedrop-app-code package:
+    # For the securedrop-app-code package:
     if "securedrop-app-code" in deb_package.path:
         tmpdir = tempfile.mkdtemp()
         # The `--raw-extract` flag includes `DEBIAN/` dir with control files
@@ -255,6 +255,12 @@ def test_deb_package_contains_expected_conffiles(host, deb):
         conffiles = f.content_string.rstrip()
         assert conffiles == "/var/www/securedrop/static/i/logo.png"
 
+    # For the securedrop-config package, we want to ensure there are no
+    # conffiles so securedrop_additions.sh is squashed every time
+    if "securedrop-config" in deb_package.path:
+        c = host.run("dpkg-deb -I {}".format(deb))
+        assert "conffiles" not in c.stdout
+
 
 @pytest.mark.parametrize("deb", deb_packages)
 def test_deb_package_contains_css(host, deb):
@@ -449,3 +455,21 @@ def test_ossec_binaries_are_present_server(host, deb):
         c = host.run("dpkg-deb --contents {}".format(deb_package.path))
         for wanted_file in wanted_files:
             assert wanted_file in c.stdout
+
+
+@pytest.mark.parametrize("deb", deb_packages)
+def test_config_package_contains_expected_files(host, deb):
+    """
+    Inspect the package contents to ensure all config files are included in
+    the package.
+    """
+    deb_package = host.file(deb.format(
+        securedrop_test_vars.securedrop_version))
+    if "securedrop-config" in deb_package.path:
+        wanted_files = [
+            "/etc/cron-apt/action.d/9-remove",
+            "/etc/profile.d/securedrop_additions.sh",
+        ]
+        c = host.run("dpkg-deb --contents {}".format(deb_package.path))
+        for wanted_file in wanted_files:
+            assert wanted_file in c.stdout
diff --git a/molecule/builder-trusty/tests/vars.yml b/molecule/builder-trusty/tests/vars.yml
@@ -2,7 +2,7 @@
 securedrop_version: "0.13.0~rc1"
 ossec_version: "3.0.0"
 keyring_version: "0.1.2"
-config_version: "0.1.2"
+config_version: "0.1.3"
 grsec_version: "4.4.167"
 
 # These values will be interpolated with values populated above

diff --git a/molecule/testinfra/staging/common/test_user_config.py b/molecule/testinfra/staging/common/test_user_config.py
@@ -1,4 +1,5 @@
 import re
+import textwrap
 
 
 def test_sudoers_config(host):
@@ -38,16 +39,33 @@ def test_sudoers_tmux_env(host):
     the corresponding settings there.
     """
 
-    f = host.file('/etc/profile.d/securedrop_additions.sh')
-    non_interactive_str = re.escape('[[ $- != *i* ]] && return')
-    tmux_check = re.escape('test -z "$TMUX" && (tmux attach ||'
-                           ' tmux new-session)')
+    host_file = host.file('/etc/profile.d/securedrop_additions.sh')
+    expected_content = textwrap.dedent(
+        """\
+        [[ $- != *i* ]] && return
 
-    assert f.contains("^{}$".format(non_interactive_str))
-    assert f.contains("^if which tmux >\/dev\/null 2>&1; then$")
+        which tmux >/dev/null 2>&1 || return
 
-    assert 'test -z "$TMUX" && (tmux attach || tmux new-session)' in f.content
-    assert f.contains(tmux_check)
+        tmux_attach_via_proc() {
+            # If the tmux package is upgraded during the lifetime of a
+            # session, attaching with the new binary can fail due to different
+            # protocol versions. This function attaches using the reference to
+            # the old executable found in the /proc tree of an existing
+            # session.
+            pid=$(pgrep --newest tmux)
+            if test -n "$pid"
+            then
+                /proc/$pid/exe attach
+            fi
+            return 1
+        }
+
+        if test -z "$TMUX"
+        then
+            (tmux attach || tmux_attach_via_proc || tmux new-session)
+        fi"""
+    )
+    assert host_file.content_string == expected_content
 
 
 def test_tmux_installed(host):