ansible: replace test_admin key with a valid sec/pub key

[ghost]

Status

Ready for review

Description of Changes

The test_admin_key.pub and test_admin_key.sec are both public
keys. This is fine as long as the tests do not try to decrypt
anything.

A new key is created and stored instead to allow for OSSEC tests to
decrypt mails.

Testing

• gpg --import install_files/ansible-base/roles/ossec/files/test_admin_key.pub
• gpg --import install_files/ansible-base/roles/ossec/files/test_admin_key.sec
• echo foo | gpg --trust-model always --encrypt -ear 53E1113AC1F25027BA5D475B1141E2BBB5E53711 > /tmp/e
• gpg --decrypt < /tmp/e

foo

Deployment

N/A

Checklist

If you made changes to the app code:

• Unit and functional tests pass on the development VM

[ghost]

@emkll in case you're bored today :-)

[ghost]

@redshiftzero Looks like your work on PyCrypto upgrade is right on time !

https://circleci.com/gh/freedomofpress/securedrop/7185?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link

!/bin/bash -eo pipefail
make safety

Checking file ./securedrop/requirements/test-requirements.txt
safety report
checked 22 packages, using default DB
---
No known security vulnerabilities found.


Checking file ./securedrop/requirements/admin-requirements.txt
safety report
checked 15 packages, using default DB
---
-> pycrypto, installed 2.6.1, affected <=2.6.1, id 33151
Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py. 
--
Makefile:101: recipe for target 'safety' failed
make: *** [safety] Error 1

[emkll]

Looks good, @dachary. Can confirm the private key and public key form a keypair and the fingerprint is blacklisted when validating.

To eliminate the possibility of this key being erroneously used, perhaps in the future it could be automatically generated in staging/CI with a configuration flag.

[redshiftzero]

This will need a rebase on latest develop prior to merge due to failing staging build, due to #2931, apologies

[ghost]

Transient CircleCI error https://circleci.com/gh/freedomofpress/securedrop/7256?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link

Allocating a remote Docker Engine
Got error while creating host: rpc error: code = Unknown desc = An internal error occured when provisioning resources for this job.  Provisioning Service returned status code: 503
We had an unexpected error preparing a VM for this build, potentially due to our infrastructure or cloud provider.  Please retry the build in a few minutes

[ghost]

This will need a rebase on latest develop prior to merge due to failing staging build, due to #2931, apologies

Thanks for the update :-)

[codecov-io]

Codecov Report

Merging #2925 into develop will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop    #2925   +/-   ##
========================================
  Coverage    85.24%   85.24%           
========================================
  Files           32       32           
  Lines         1952     1952           
  Branches       218      218           
========================================
  Hits          1664     1664           
  Misses         237      237           
  Partials        51       51

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a27c355...6f35b14. Read the comment docs.

[emkll]

👍 Still looks good, perhaps in the future we could automate the keypair generation to avoid committing secrets to GitHub :) .

[ghost]

@emkll it's kind of scary to commit private keys, indeed :-)