SecureDrop validate role fails on Tails 3.3

[msheiny]

Bug

Description

Under Tails 3.3 - the validate script will bomb out because it is trying to shell out to nslookup but the deb package dnsutils is not installed.

A short summary of the issue.

Steps to Reproduce

Under a fresh tails 3.3:

• clone down securedrop, cd into that directory
• run ./securedrop-admin setup
• run ./securedrop-admin sdconfig or ./securedrop-admin install

Expected Behavior

You'll get prompted for variables and everything should pass validation.

Actual Behavior

The validation role bombs out with the following output:

TASK [validate : Perform SMTP lookup check.] *******************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "cmd": ["torify", "nslookup", "-vc", "-retry=3", "-timeout=10", "-fail", "mail.electricembers.net", "8.8.8.8"], "delta": "0:00:00.029899", "end": "2017-11-20 16:01:33.483484", "failed": true, "rc": 1, "start": "2017-11-20 16:01:33.453585", "stderr": "ERROR: nslookup cannot be found.", "stderr_lines": ["ERROR: nslookup cannot be found."], "stdout": "", "stdout_lines": []}
...ignoring

TASK [validate : Validate SMTP relay connection.] **************************************************************
fatal: [localhost]: FAILED! => {
    "assertion": false, 
    "changed": false, 
    "evaluated_to": false, 
    "failed": true, 
    "msg": "The SMTP relay domain failed during lookup. This domain is the server contacted for authentication in order to send OSSEC email notifications. You should manually edit the file `group_vars/all/site-specific` and confirm that the `smtp_relay` var is set correctly."
}
	to retry, use: --limit @/home/amnesia/Persistent/securedrop/install_files/ansible-base/securedrop-configure.retry

Comments

We really shouldn't be shellin' out and instead should be taking advantage of either the dig lookup or stop using ansible and use python scripts. As the fastest short-term work-around we could install dnsutils during the setup step.

[conorsch]

The solution proposed in aa22719 is not a sufficient patch, given that the securedrop-admin skips apt package installation if the virtualenv already exists. Any PR closing this issue should also address that shortcoming, otherwise we break Tails 3.3 for preexisting Admin Workstations.

[msheiny]

yeah i totally agree @conorsch - its not a sufficient patch it was just a hot-fix for a new install but this issue should definitely be left open

[conorsch]

Even if we modify the apt install logic to run every time, we're still breaking Tails 3.3, since the dnsutils apt package will not persist across reboots. Therefore we should investigate replacing the nslookup shell-out calls with Ansible built-ins. We can more easily provide persistence for addition Python requirements, so adding pip libraries to the Admin requirements files will only require running ./securedrop-admin setup once after upgrading to 0.5.