Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Expose v2/v3 Onion URLs to webapp code #4718

Merged
merged 2 commits into from
Aug 30, 2019
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 8 additions & 5 deletions docs/development/testing_configuration_tests.rst
Original file line number Diff line number Diff line change
Expand Up @@ -32,15 +32,15 @@ For the staging VMs:

The VMs will be set up using either the libvirt or virtualbox Vagrant VM provider,
depending on your system settings. You'll need to use the appropriate commands below
based on your choice of provider.
based on your choice of provider.

Then, to run the tests:

libvirt:
~~~~~~~~

.. code:: sh

molecule verify -s libvirt-staging

virtualbox:
Expand All @@ -50,12 +50,15 @@ virtualbox:

molecule verify -s virtualbox-staging

.. tip:: To run only a single test, set ``PYTEST_ADDOPTS="-k name_of_test"``
in your environment.

Test failure against any host will generate a report with informative output
about the specific test that triggered the error. Molecule
will also exit with a non-zero status code.

.. note:: To build and test the VMs with one command, use the Molecule ``test``
action: ``molecule test -s libvirt-staging --destroy=never``, or ``molecule test -s virtualbox-staging --destroy=never``.
action: ``molecule test -s libvirt-staging --destroy=never``, or ``molecule test -s virtualbox-staging --destroy=never``.

Updating the Config Tests
-------------------------
Expand All @@ -75,7 +78,7 @@ than the Ansible playbooks: ::

Any variable changes in the Ansible config should have a corresponding
entry in these vars files. These vars are dynamically loaded for each
host via the ``molecule/testinfra/staging/conftest.py`` file. Make sure to add
host via the ``molecule/testinfra/staging/conftest.py`` file. Make sure to add
your tests to the relevant location for the host you plan to test: ::

molecule/testinfra/staging/app/
Expand Down Expand Up @@ -105,7 +108,7 @@ Molecule configuration: ::
├── app
├── app-code
├── common
├── mon
├── mon
├── ossec
└── vars

Expand Down
6 changes: 6 additions & 0 deletions install_files/ansible-base/roles/app/defaults/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -87,3 +87,9 @@ apache_disabled_modules:
securedrop_default_locale: en_US
# The subset of the available locales that will be proposed to the user
securedrop_supported_locales: []

# v2 Tor onion services are on / v3 Tor onion services are off by default for backwards
# compatibility. Note that new installs after 1.0 will have v3 enabled by sdconfig which
# will override these variables.
v2_onion_services: true
v3_onion_services: false
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
---
- name: Look up Tor v2 URL info
command: cat /var/lib/tor/services/source/hostname
changed_when: false
register: v2_onion_url_lookup_result
# File may not exist, depending on host config
failed_when: false
when: v2_onion_services

- name: Look up Tor v3 URL info
command: cat /var/lib/tor/services/sourcev3/hostname
changed_when: false
register: v3_onion_url_lookup_result
# File may not exist, depending on host config
failed_when: false
when: v3_onion_services

- name: Expose Tor v2 Onion URL info to app
copy:
dest: /var/lib/securedrop/source_v2_url
owner: www-data
group: www-data
mode: "0644"
content: |
{{ v2_onion_url_lookup_result.stdout|default('') }}
when: v2_onion_services

- name: Expose Tor v3 Onion URL info to app
copy:
dest: /var/lib/securedrop/source_v3_url
owner: www-data
group: www-data
mode: "0644"
content: |
{{ v3_onion_url_lookup_result.stdout|default('') }}
when: v3_onion_services
2 changes: 2 additions & 0 deletions install_files/ansible-base/roles/app/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@

- include: initialize_securedrop_app.yml

- include: copy_tor_url_info_to_app_dir.yml

# If HTTPS is enabled, certs must land before Apache vhost configs
# are written, otherwise the Apache enmod tasks will fail.
- include: copy_ssl_certs.yml
Expand Down
21 changes: 21 additions & 0 deletions molecule/testinfra/staging/app/test_tor_config.py
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import pytest
import re

testinfra_hosts = ["app-staging"]
sdvars = pytest.securedrop_test_vars
Expand Down Expand Up @@ -58,3 +59,23 @@ def test_tor_torrc_sandbox(host):
# Only `Sandbox 1` will enable, but make sure there are zero occurrances
# of "Sandbox", otherwise we may have a regression somewhere.
assert not f.contains("^.*Sandbox.*$")


def test_tor_v2_onion_url_readable_by_app(host):
v2_url_filepath = "/var/lib/securedrop/source_v2_url"
with host.sudo():
f = host.file(v2_url_filepath)
assert f.is_file
assert f.user == "www-data"
assert f.mode == 0o644
assert re.search(r"^[a-z0-9]{16}\.onion$", f.content_string)


def test_tor_v3_onion_url_readable_by_app(host):
v3_url_filepath = "/var/lib/securedrop/source_v3_url"
with host.sudo():
f = host.file(v3_url_filepath)
assert f.is_file
assert f.user == "www-data"
assert f.mode == 0o644
assert re.search(r"^[a-z0-9]{56}\.onion$", f.content_string)