Fixes #4521 download journalist key via source interface

[kushaldas]

Status

Ready for review.

Description of Changes

Fixes #4521

We need different code for Python2 and Python3 to download
journalist key via the source interface. This also adds a functional
test for the same.

Testing

• make test

Deployment

Any special considerations for deployment? Consider both:

1. Upgrading existing production instances.
2. New installs.

Checklist

If you made changes to the server application code:

• Linting (make lint) and tests (make -C securedrop test) pass in the development container

If you made changes to securedrop-admin:

• Linting and tests (make -C admin test) pass in the admin development container

If you made changes to the system configuration:

• Configuration tests pass

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR

If you made changes to documentation:

• Doc linting (make docs-lint) passed locally

[emkll]

Thanks @kushaldas the fix looks good to me. Functional testing performed as follows:

Testing in dev container

While it does, hitting the journalist-key endpoint does return an error and an empty journalist-key.asc file:

172.17.0.1 - - [14/Jun/2019 15:27:37] "GET /journalist-key HTTP/1.1" 200 -
Error on request:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/werkzeug/serving.py", line 270, in run_wsgi
    execute(self.server.app)
  File "/usr/local/lib/python2.7/dist-packages/werkzeug/serving.py", line 261, in execute
    write(data)
  File "/usr/local/lib/python2.7/dist-packages/werkzeug/serving.py", line 241, in write
    assert isinstance(data, bytes), 'applications must write bytes'
AssertionError: applications must write bytes

• I no longer observe the error on this branch

Upgrade testing

On this branch:

• make build-debs
• make upgrade-start

• 0.13.0 box is pulled down, journalist-key endpoint 404's

• make upgrade-test local

• Observe string change and journalist-key endpoint is now working, key is served with no error

[emkll]

👍 this should properly assess success/failure: journalist key served was an empty file

[zenmonkeykstop]

@emkll - do you mean you got an empty file testing this PR, or 0.13.0 returns an empty file for you? I was seeing a 404 on 0.13.0.

[emkll]

Sorry for the confusion:

• In dev env, was getting an empty key (and an error in the logs)
• In staging VMs, was getting 404

[zenmonkeykstop]

Tested as follows:

• checked out branch, ran make test - completed with all tests passing
• ran make build-debs, started a (Qubes) staging env:
  • verified that submission key is returned when clicking link on /lookup
  • verified the /journalist-key returns submission key when called directly, not logged in as a source
  • verified that the returned key is a valid GPG key and that the fingerprint matches that returned by /metadata

[redshiftzero]

the corresponding unit test in tests/test_source.py::test_lookup did not fail because the assert causing the failure (assert isinstance(data, bytes), 'applications must write bytes' ) from werkzeug/serving.py does not occur in test since the dev server is not running: this underscores the importance of having full functional test coverage of all endpoints

[emkll]

Thanks @redshiftzero for the investigation into why the unit test has failed us (#4523 (comment)) and for opening #4526 to improve integration testing to avoid regressions like these in the future.

Merging based on the 2 approving reviews above.