Release SecureDrop 1.4.1

[zenmonkeykstop]

This is a tracking issue for the release of SecureDrop 1.4.1

String and feature freeze: N/A (no string changes)
String comment period: N/A (no string changes)
Translation period: N/A (no string changes)
Pre-release announcement: 2020-06-25
Translation freeze: N/A (no string changes)
Release date: 2020-06-25

Release manager: @zenmonkeykstop
Deputy release manager: @emkll
Localization manager: N/A
Deputy localization manager: N/A

SecureDrop maintainers and testers: As you QA 1.4.1, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 1.4.1 milestone for tracking (or ask a maintainer to do so).

Test debian packages will not be posted for this release, as there are no server-side code changes. Cron-apt scenarios may still be tested, but the FPF repo should be left at apt.freedom.press, and the application version will stay at 1.4.0 until the pre-flight phase of QA

QA Matrix for 1.4.1

Test Plan for 1.4.1

Prepare release candidate (1.4.1~rc1)

• Prepare 1.4.1~rc1 release changelog
• Branch off release/1.4.1 from release/1.4.0 (as this is a point release)
• Prepare 1.4.1~rc1
• Build debs and put up 1.4.1~rc1 on test apt server (this is now done via a PR into this repository) - SKIPPED - no serverside code changes, will build final release version only
• Commit build logs to https://github.com/freedomofpress/build-logs SKIPPED - see above

After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and 1.4.1-specific testing below in comments to this ticket.

Final release

• Ensure builder in release branch is updated and/or update builder image Update builder image #5340
• Push signed tag
• Build final Debian packages for 1.4.1 (and preserve build logs)
• Commit package build logs to https://github.com/freedomofpress/build-logs
• Upload Debian packages to apt QA server (including new tor packages)
• Pre-Flight: Test install and upgrade (both cron-apt on Xenial, and Ansible on Xenial) of 1.4.1 works w/ prod repo debs, test updater logic in Tails
• Flip apt QA server to prod status
• merge the release branch changes to master and verify new docs build
• Prepare and distribute release messaging

Post release

• Create GitHub release object
• Merge changelog back to develop Backport 1.4.1 changelog to develop #5344
• Update upgrade testing boxes
• Update roadmap wiki page

[emkll]

Clean install, VMs (Complete)

• Install target: Vagrant VMs
• Tails version: 3.7
• Test Scenario: Clean Install
• SSH over Tor: Yes
• Onion service version: v3
• Release candidate: 1.4.1-rc1 (with 1.4.0 debs)
• General notes:

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
  • 0 processes are running unconfined
• AppArmor is loaded on mon
  • 0 processes are running unconfined
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them
• QA Matrix checks pass

Command Line User Generation

• Can successfully add admin user and login

Administration

• I have backed up and successfully restored the app server following the backup documentation
• If doing upgrade testing, make a backup on 1.4.0 and restore this backup on 1.4.1
• "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
• Can successfully add journalist account with HOTP authentication (DID NOT TEST)

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in
• Journalist account with HOTP can log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete Source And Submissions" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

Basic Tails Testing

Updater GUI

After updating to this release candidate and running securedrop-admin tailsconfig

• The Updater GUI appears on boot
• Updating occurs without issue

1.4.1-specific changes

securedrop-admin install fix

#5335 - fresh install:

• On an Admin Workstation, check out the latest RC tag, run ./securedrop-admin setup.
• Run ./securedrop-admin install:
  • Command exits immediately with message: Please run "securedrop-admin sdconfig"
• Run ./securedrop-admin sdconfig, using instance-appropriate settings except for the v2 and v3 boolean options - attempt to choose no for both of those.
  • Message is displayed informing user that since they chose not to enable v2 they must enable v3
• Choose yes for v3 and exit. Run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Hit Ctrl-C to exit without installing. Run ./securedrop-admin sdconfig, again this time choosing yes for both v2 and v3. Then run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Hit Ctrl-C to exit without installing. Run ./securedrop-admin sdconfig, again this time choosing yes v2 and no for v3. Then run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Hit Ctrl-C to exit without installing. Edit the file ~/Persistent/securedrop/install_files/ansible-base/group-vars/all/site-specific, changing the value for v2_onion_services from true to kitten. Run securedrop-admin install
  • Command fails with an error message must be either yes or no
• Run ./securedrop-admin sdconfig, changing kitten to yes for v2 and leaving v3 as no. Then run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Enter server admin password and complete installation. Then run ./securedrop-admin tailsconfig
  • Installation completes successfully
  • v2 services are enabled, v3 services are disabled, and SSH and desktop shortcuts work as expected.

#5335 - v2-only cron-apt update: - DID NOT TEST

• On an Admin Workstation, check out the latest RC tag.
• Edit the file ~/Persistent/securedrop/install_files/ansible-base/group-vars/all/site-specific, changing the value for v2_onion_services from true to kitten. Run securedrop-admin install
  • Command fails with an error message must be either yes or no
• Run ./securedrop-admin sdconfig, changing kitten to yes for v2, leaving v3 as no, and adding an extra language option. Then run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Enter server admin password and complete installation:
  • Installation completes successfully
  • v2 services are enabled, v3 services are disabled, and SSH and desktop shortcuts work as expected.
  • extra language option is available in dropdown on Source and Journalist Interfaces.

[zenmonkeykstop]

QA plan

We're only testing on VMs and NUCs. The only expected change in the release is the behaviour of the securedrop-admin utility during configuration and installation, so the 1.4.1-specific changes section should be completed first.

1.4.1 QA Checklist

For both upgrades and fresh installs, here is a list of functionality
that requires testing. You can use this for copy/pasting into your QA
report. Feel free to edit this message to update the plan as
appropriate.

If you have submitted a QA report already for a 1.4.1 release
candidate with successful [[Basic Server Testing]] and [[Application
Acceptance Testing]], then you can skip these sections in subsequent
reports, unless otherwise indicated by the Release Manager. This is to
ensure that you focus your QA effort on the 1.4.1-specific changes as
well as changes since the previous release candidate.

Environment

• Install target: NUC5
• Tails version: 4.7
• Test Scenario: fresh
• SSH over Tor: no
• Onion service version: v2
• Release candidate: rc1
• General notes:

Basic Server Testing

• I can access both the source and journalist interfaces
• I can SSH into both machines over Tor
• AppArmor is loaded on app
  • 0 processes are running unconfined
• AppArmor is loaded on mon
  • 0 processes are running unconfined
• Both servers are running grsec kernels
• iptables rules loaded
• OSSEC emails begin to flow after install
• OSSEC emails are decrypted to correct key and I am able to decrypt them
• QA Matrix checks pass

Command Line User Generation

• Can successfully add admin user and login

Administration

• I have backed up and successfully restored the app server following the backup documentation
• If doing upgrade testing, make a backup on 1.4.0 and restore this backup on 1.4.1
• "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
• Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases

• JS warning bar does not appear when using Security Slider high
• JS warning bar does appear when using Security Slider Low

First submission base cases

• On generate page, refreshing codename produces a new 7-word codename
• On submit page, empty submissions produce flashed message
• On submit page, short message submitted successfully
• On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
• On submit page, file less than 500 MB submitted successfully

Returning source base cases

• Nonexistent codename cannot log in
• Empty codename cannot log in
• Legitimate codename can log in
• Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

• Can log in with 2FA tokens
• incorrect password cannot log in
• invalid 2fa token cannot log in
• 2fa immediate reuse cannot log in
• Journalist account with HOTP can log in

Index base cases

• Filter by codename works
• Starring and unstarring works
• Click select all selects all submissions
• Selecting all and clicking "Download" works

Individual source page

• You can submit a reply and a flashed message and new row appears
• You cannot submit an empty reply
• Clicking "Delete Source And Submissions" and the source and docs are deleted
• You can click on a document and successfully decrypt using application private key

Basic Tails Testing

Updater GUI

After updating to this release candidate and running securedrop-admin tailsconfig

• The Updater GUI appears on boot
• Updating occurs without issue

1.4.1-specific changes

securedrop-admin install fix

#5335 - fresh install:

• On an Admin Workstation, check out the latest RC tag, run ./securedrop-admin setup.
• Run ./securedrop-admin install:
  • Command exits immediately with message: Please run "securedrop-admin sdconfig"
• Run ./securedrop-admin sdconfig, using instance-appropriate settings except for the v2 and v3 boolean options - attempt to choose no for both of those.
  • Message is displayed informing user that since they chose not to enable v2 they must enable v3
• Choose yes for v3 and exit. Run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Hit Ctrl-C to exit without installing. Run ./securedrop-admin sdconfig, again this time choosing yes for both v2 and v3. Then run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Hit Ctrl-C to exit without installing. Run ./securedrop-admin sdconfig, again this time choosing yes v2 and no for v3. Then run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Hit Ctrl-C to exit without installing. Edit the file ~/Persistent/securedrop/install_files/ansible-base/group-vars/all/site-specific, changing the value for v2_onion_services from true to kitten. Run securedrop-admin install
  • Command fails with an error message must be either yes or no
• Run ./securedrop-admin sdconfig, changing kitten to yes for v2 and leaving v3 as no. Then run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Enter server admin password and complete installation. Then run ./securedrop-admin tailsconfig
  • Installation completes successfully
  • v2 services are enabled, v3 services are disabled, and SSH and desktop shortcuts work as expected.

#5335 - v2-only cron-apt update:

• On an Admin Workstation, check out the latest RC tag.
• Edit the file ~/Persistent/securedrop/install_files/ansible-base/group-vars/all/site-specific, changing the value for v2_onion_services from true to kitten. Run securedrop-admin install
  • Command fails with an error message must be either yes or no
• Run ./securedrop-admin sdconfig, changing kitten to yes for v2, leaving v3 as no, and adding an extra language option. Then run ./securedrop-admin install
  • Command starts successfully, user is prompted for server admin password
• Enter server admin password and complete installation:
  • Installation completes successfully
  • v2 services are enabled, v3 services are disabled, and SSH and desktop shortcuts work as expected.
  • extra language option is available in dropdown on Source and Journalist Interfaces.

Preflight

• Ensure the builder image is up-to-date on release day

These tests should be performed the day of release prior to live debian packages on apt.freedom.press.

Basic testing

• Install or upgrade occurs without error
• Source interface is available and version string indicates it is 1.4.1
• A message can be successfully submitted

Tails

• The updater GUI appears on boot
• The update successfully occurs to 1.4.1
• After reboot, updater GUI no longer appears