Add HTTPS-related variables to securedrop-admin sdconfig prompt #3366
Conversation
Useful for debugging. Haven't wired up a true CA yet, just trying to debug the vars propagation right now. These vars seem "good enough" to me. (cherry picked from commit 017e28bd9f5771061e2727393affaff7a33ad574)
These files contain only the string "TEST FILE ONLY"
Unfortunately the defaults cannot be used due to producing an annoying user experience - users not using HTTPS would need to backspace out the default values.
Codecov Report
@@ Coverage Diff @@
## develop #3366 +/- ##
========================================
Coverage 85.81% 85.81%
========================================
Files 34 34
Lines 2157 2157
Branches 238 238
========================================
Hits 1851 1851
Misses 250 250
Partials 56 56Continue to review full report at Codecov.
|
| @@ -138,6 +138,11 @@ libvirt-share: ## Configure ACLs to allow RWX for libvirt VM (e.g. Admin Worksta | |||
| @find "$(PWD)" -type d -and -user $$USER -exec setfacl -m u:libvirt-qemu:rwx {} + | |||
| @find "$(PWD)" -type f -and -user $$USER -exec setfacl -m u:libvirt-qemu:rw {} + | |||
|
|
|||
| .PHONY: self-signed-https-certs | |||
There was a problem hiding this comment.
It seems like make is not bought in as a dependency when doing ./securedrop-admin setup
Since this functionality isn't documented for end users and will likely only be used for dev/ci, I think this is acceptable.
There was a problem hiding this comment.
Yep, just for dev/ci, and this is good as it will discourage admins from going off script and using these Makefile targets
| keyfile_dest_dir="install_files/ansible-base" | ||
|
|
||
| function generate-test-https-certs { | ||
| openssl genrsa -out "${keyfile_dest_dir}/${keyfile_basename}.key" 2048 |
There was a problem hiding this comment.
Are we using 2048 for performance reasons? Would it make sense to state that this functionality should not be used in a production context?
There was a problem hiding this comment.
Good call I'll make this 4096 and also state not to use this in production
And add .ca file to gitignore
[0.7.0] Backports PR #3366
Status
Ready for review
Description of Changes
Fixes #3299 and adds a Makefile target for generating self-signed certs that @conorsch made the other day. Note that I decided to fix the bug in a minimal way - given that the release is on Tuesday, I decided the most conservative method to resolve the bug was the best approach.
Testing
Currently testing in staging VMs (this is also #3297)
Deployment
This is implemented in such a way as to not clobber existing HTTPS variables - in case users have manually edited
site-specificdue to the underlying bug here.Checklist
If you made changes to
securedrop-admin:make -C admin test) pass in the admin development containerIf you made changes to documentation:
make docs-lint) passed locally