Explicitly declare onion services as v2 for existing installs #4092

Merged
merged 2 commits into from
Feb 4, 2019
Merged
11 changes: 11 additions & 0 deletions install_files/securedrop-config/DEBIAN/postinst
Expand Up @@ -39,6 +39,16 @@ allow_apt_user_in_iptables() {
"$rules_v4"
fi
}
# Tor 0.3.5.x series now defaults to v3 onion URLs, but SecureDrop currently
# uses v2 onion URLs. We must explictly set this definition in torrc to avoid
# breakage when upgrading from Tor 0.3.4.x to 0.3.5.x.
set_v2_hidserv_in_torrc() {
if [ -f /etc/tor/torrc ]; then
if ! grep -q HiddenServiceVersion /etc/tor/torrc ; then
perl -pi -e 's/^(HiddenServiceDir.*)$/$1\nHiddenServiceVersion 2/' /etc/tor/torrc
fi
fi
}

case "$1" in
configure)
Expand All @@ -61,6 +71,7 @@ case "$1" in
fi

allow_apt_user_in_iptables
set_v2_hidserv_in_torrc
;;

abort-upgrade|abort-remove|abort-deconfigure)
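Review bot: The guard in set_v2_hidserv_in_torrc is file-wide while the insertion is per HiddenServiceDir line, so a torrc that already contains the token HiddenServiceVersion anywhere — a commented-out line, or a single service block that already carries it — leaves every other service without the directive; anchoring the grep to the directive, `if ! grep -q '^HiddenServiceVersion' /etc/tor/torrc ; then`, at least stops comments from suppressing the edit, and a per-block check would be more robust still but is a larger change. The perl substitution also inserts after every HiddenServiceDir line unconditionally, so if the guard ever passes on a partially-migrated file, services that already have the directive would get a duplicate. The header comment has a typo, `explictly` → `explicitly`, and it would help to state that the edit takes effect only once tor is reloaded, which presumably happens when the tor package itself upgrades — worth confirming. The call added in the second hunk sits next to allow_apt_user_in_iptables inside the configure branch, whose case statement continues outside the hunk.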
14 changes: 12 additions & 2 deletions molecule/testinfra/staging/app/test_tor_hidden_services.py
Expand Up @@ -54,7 +54,7 @@ def test_tor_service_hostnames(File, Sudo, tor_service):


@pytest.mark.parametrize('tor_service', sdvars.tor_services)
def test_tor_services_config(File, tor_service):
def test_tor_services_config(host, tor_service):
"""
Ensure torrc file contains relevant lines for Hidden Service declarations.
All hidden services must include:
Expand All @@ -68,7 +68,7 @@ def test_tor_services_config(File, tor_service):

Check for each as appropriate.
"""
f = File("/etc/tor/torrc")
f = host.file("/etc/tor/torrc")
dir_regex = "HiddenServiceDir /var/lib/tor/services/{}".format(
tor_service['name'])
# We need at least one port, but it may be used for both config values.
Expand All @@ -80,13 +80,23 @@ def test_tor_services_config(File, tor_service):
except IndexError:
local_port = remote_port

# Ensure that service is hardcoded to v2, for compatibility
# with newer versions of Tor, which default to v3.
version_string = "HiddenServiceVersion 2"

port_regex = "HiddenServicePort {} 127.0.0.1:{}".format(
remote_port, local_port)

assert f.contains("^{}$".format(dir_regex))
assert f.contains("^{}$".format(port_regex))

service_regex = "\n".join([dir_regex, version_string, port_regex])

if tor_service['authenticated']:
auth_regex = "HiddenServiceAuthorizeClient stealth {}".format(
tor_service['client'])
assert f.contains("^{}$".format(auth_regex))
service_regex += "\n{}".format(auth_regex)

# Check for block in file, to ensure declaration order
assert service_regex in f.content_string
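Review bot: The new block assertion `assert service_regex in f.content_string` is the only place HiddenServiceVersion is checked, so when it fails pytest reports the whole torrc rather than which directive is missing or misordered; adding `assert f.contains("^{}$".format(version_string))` next to the existing dir/port assertions gives a line-level failure first and leaves the block check to cover ordering only. The name service_regex is misleading, since the value is used as a plain substring of content_string rather than as a pattern (unlike the f.contains calls above, which are regex-based); `service_block` would read more honestly. The substring check is strict about exact adjacency — no blank or comment lines between directives — which matches what the postinst inserts but should be stated in the closing comment, e.g. `# Check for the exact contiguous block, to ensure declaration order`. The first hunk's header still shows test_tor_service_hostnames taking the File/Sudo fixtures while this test moved to host, so the module now mixes fixture styles — only the signature line is visible, so this is inferred. test_tor_services_config starts inside the first hunk and its body between hunks is outside view.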