[QA 1.7.0] Admin actions for user management trigger 500

[conorsch]

Description

When attempting to edit an existing user account via the Journalist Interface, I see a 500 error.

Steps to Reproduce

1. Perform clean install of 1.7.0~rc1
2. Via sdconfig, add zh_Hans & zh_Hant to supported languages (unsure if this is necessary, but that's what I did)
3. Log in as admin user, attempt to add a new user for via the Journalist Interface.
4. Log in as admin user, attempt to edit user config for logged in user (e.g. to modify totp code)
5. Observe 500.

Expected Behavior

Can add new user successfully, or can edit existing user account successfully.

Actual Behavior

Server throws a 500. I opened a terminal in the prod appvm and screenshotted /var/log/apache2/journalist-error.log

[emkll]

I can reproduce this error in an upgrade testing scenario, cron-apt upgrade from 1.6.0 to 1.7.0-rc1, (zh_Hans & zh_Hant not enabled)

[emkll]

The error here likely due to apparmor rules in recently refactored code:

Jan 14 15:09:48 app-prod kernel: [ 1152.117568] audit: type=1400 audit(1610636988.284:30): apparmor="DENIED" operation="open" profile="/usr/sbin/apache2" name="/var/www/securedrop/passphrases.py" pid=11575 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=33

[conorsch]

Reopening simply to track backport to release branch.

[conorsch]

Backport was already open in #5706, that's now reviewed and merged.

It's worth mentioning that the ./securedrop-admin verify checks inside Tails did catch the AppArmor violation, but only after I ran through the relevant test plan components. So we may want to move the verify step down, chronologically, in the test plan, to maximize what it can catch.

[kushaldas]

I noticed the similar apparmor error on source name generation too.