daily email alert to journalists about submissions received in the past 24h #2803
@emkll this is the reason why
Not sure this error comes from this PR, restarting https://circleci.com/gh/freedomofpress/securedrop/7409?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link
RUNNING HANDLER [tor-hidden-services : restart tor (simple)] *******************
Sunday 28 January 2018 00:00:10 +0000 (0:00:00.071) 0:05:17.882 ********
changed: [mon-staging]
fatal: [app-staging]: FAILED! => {"changed": false, "msg": " * Stopping tor daemon...\n ...done.\n * Starting tor daemon...\n ...fail!\n"}
Codecov Report
@@ Coverage Diff @@
## develop #2803 +/- ##
===========================================
- Coverage 86.38% 84.57% -1.82%
===========================================
Files 34 34
Lines 2122 2048 -74
Branches 233 222 -11
===========================================
- Hits 1833 1732 -101
- Misses 234 261 +27
Partials 55 55
repushed with a clarification in the documentation, as suggested by @redshiftzero, thanks to @conorsch's reminder!
Update: haven't received any messages yet. OSSEC admin alerts are flowing fine, but nothing on the journalist address. Will leave the VMs running and see if I can't catch one. If not, I'll log in and poke and try to identify further manual action that was required to make the setup work as expected.
Could you please try to submit one document today? And tomorrow morning, if you did not receive any e-mail, could you, on the app server:
ls -l /var/lib/securedrop/submissions_today.txt
cat /var/lib/securedrop/submissions_today.txt
If that file exists and contains a number different from zero, it will help me figure out what's not working as expected. If you receive an email tomorrow, it probably means there is a corner case when bootstrapping the system. I assume you're running this test on prod vms started with
Thanks a lot for your patience on this one: it's really good we get a chance to diagnose the problem now :-)
@dachary The problem was indeed that It occurs to me that perhaps a slightly more frequent cron schedule would help to keep the "submissions today" logic accurate. That's a nit, though. This is definitely a huge step up in terms of actionable information for journalists using the system.
We can wait another 24h, it really is valuable to be in a realistic scenario, thanks again for your patience doing this.
My previous attempt at testing was misguided: I used prod VMs, mostly to validate the Tails workflow on setting up the new vars, but failed to install the locally built debs. Retried in staging with overridden vars (similar to what @redshiftzero described in #2803 (comment)) and can confirm working messages:
Overall the Admin-facing workflow is impressively smooth. Because the new functionality is disabled by default, I'm comfortable with this going out as-is. Noticed some extremely small typos that could be cleaned up, will comment in-line.
Requesting minor typographical changes to the docs and comments throughout. Functionally this works as advertised, and is surprisingly convenient for an Admin to configure (if their journalists are amenable to GPG usage).
Happy to address the docs nits myself, and push up here, @dachary. Thanks for your patience during the extremely long review cycle.
@redshiftzero I believe your comments have been addressed here, but the compression algo question stands out to me as warranting a 👍 for you that it's not a problem anymore. I didn't encounter any issues with it.
echo "journalist alert email unset, no notification sent" | ||
return | ||
fi | ||
compression="--compress-algo none" |
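Review bot: The last line, `compression="--compress-algo none"`, packs a gpg option and its value into one string with no comment saying why compression is switched off. A string like this only works if it is later expanded unquoted so the shell splits it into two words; quoting the expansion would hand gpg a single malformed argument. Add a one-line comment with the reason for disabling compression, and consider passing the option and its value as separate arguments so the call does not rely on word splitting.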
I didn't encounter this problem; @redshiftzero do you still recommend the change here?
securedrop/manage.py
Outdated
parser = subps.add_parser( | ||
'were-there-submissions-today', | ||
help=('Update the file indicating ' | ||
'iff submissions were received in the past 24h')) |
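Review bot: The subcommand name `'were-there-submissions-today'` and its help string describe a yes/no answer, while the PR description talks about a file holding the number of submissions, written by `manage.py how_many_submissions_today`. Settle on one name and one meaning (a count or a flag) and use it in the parser, the help text and the description. The help string also says "the file" without naming it; stating the path would let an admin find it without reading the code.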
Nit: s/iff/whether/
docs/install.rst
Outdated
@@ -60,6 +60,21 @@ continuing: | |||
can add more later) | |||
- The username of the system admin | |||
|
|||
You can also, optionally, configure a :doc:`daily notifications | |||
<journalist>` about whether or not submission activity occurred in the |
Nit: remove "a " in "a daily notifications".
👍 from me (should also get @conorsch's 👍 prior to merge)
Caught during review, didn't want to trouble @dachary by requesting changes.
The lint CI job is consistently failing due to taking too long (build here), this is a new one...
Ok waited a while, restarted and now the lint job is passing 🙃. Going to chalk this one up to fluctuations in the Circle CI force
TIL about CircleCI workflows: to restart failed jobs that are dependencies for other jobs: one must do this or the subsequent jobs will not run
Status
Ready for Review
Description of Changes
Fixes #1195
A cron job runs daily on the app server and updates the
file which contains the number of submissions sent in the past 24h, as
created by the manage.py how_many_submissions_today command.
The OSSEC agent on the app server runs a command daily, displaying
the content of /var/lib/securedrop/submissions_today.txt. The output
of the command is sent to the OSSEC server.
A new rule is defined on the OSSEC server to send a mail to when the
output is received from the OSSEC agent running on the app server.
A new procmail rule is defined on the OSSEC server to catch mails
encrypt mails containing the /var/lib/securedrop/submissions_today.txt
string and send them to the email defined by the
journalist_alert_email ansible variable.
A new set of (optional) ansible variables, similar to
ossec_alert_gpg_public_key, ossec_gpg_fpr, ossec_alert_email are
defined: journalist_alert_gpg_public_key, journalist_gpg_fpr,
journalist_alert_email. They are used to upload a journalist public
key to the OSSEC server and inserted into the send_encrypted_alarm.sh
script which handles mails received by procmail.
The modified send_encrypted_alarm.sh script takes one
argument (journalist or ossec) and dispatches the mail read from
stdin to the corresponding recipient.
Integration tests are implemented to verify the following:
Testing
Comments
See the forum discussion for the rationale behind the testinfra: remove some XXX tests duplicating Ansible commits.
Deployment
Checklist
If you made changes to the app code:
If you made changes to the system configuration:
If you made changes to documentation:
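
The dispatch step the description gives for send_encrypted_alarm.sh (one argument, `journalist` or `ossec`, mail read from stdin), sketched as an added shell example that is not the project's script. The variable names, addresses and fingerprints are constructed stand-ins for the Ansible variables, and the exit codes are this example's own convention.

```shell
#!/bin/sh
# Added example, not SecureDrop's send_encrypted_alarm.sh. The values below are
# constructed samples standing in for what the Ansible variables would supply.
JOURNALIST_EMAIL="journalist@example.org"
JOURNALIST_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
OSSEC_EMAIL="admin@example.org"
OSSEC_FPR="89ABCDEF0123456789ABCDEF0123456789ABCDEF"

# Map the single argument to "email fingerprint". Status 2: unknown argument.
# Status 1: recipient not configured, so the alert is skipped.
resolve_recipient() (
    case "$1" in
        journalist) email=$JOURNALIST_EMAIL; fpr=$JOURNALIST_FPR ;;
        ossec)      email=$OSSEC_EMAIL;      fpr=$OSSEC_FPR ;;
        *) echo "unknown recipient: $1" >&2; return 2 ;;
    esac
    if [ -z "$email" ] || [ -z "$fpr" ]; then
        echo "$1 alert email unset, no notification sent" >&2
        return 1
    fi
    printf '%s %s\n' "$email" "$fpr"
)

# Read the alert from stdin, encrypt it to the chosen key, then mail it.
# A failed encryption returns 3 and mails nothing: no plaintext fallback.
send_encrypted_alarm() (
    target=$(resolve_recipient "$1") || return $?
    email=${target% *}
    fpr=${target#* }
    body=$(cat)
    # Keep the options as positional parameters so each stays its own word.
    # --trust-model always: the recipient key is pinned by full fingerprint.
    set -- --batch --armor --trust-model always --compress-algo none
    encrypted=$(printf '%s\n' "$body" |
        gpg "$@" --recipient "$fpr" --encrypt) || {
        echo "encryption failed, alert not sent" >&2
        return 3
    }
    printf '%s\n' "$encrypted" | mail -s "SecureDrop alert" "$email"
)
```

A procmail recipe would pipe the matched message into `send_encrypted_alarm journalist` or `send_encrypted_alarm ossec`.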