
Upgrade boxes for SecureDrop 1.7.1 #5763

Merged: 2 commits merged into develop from 171-upgrade-boxes, Jan 28, 2021

Conversation

@emkll (Contributor) commented Jan 28, 2021

Status

Ready for Review

Description of Changes

Closes #5758

Changes proposed in this pull request:

Testing

  • Check out this branch
  • make build-debs
  • make upgrade-start (will take a while as it needs to fetch the boxes)
  • source interface shows SecureDrop version 1.7.1
  • make upgrade-test-local completes without error
  • source interface shows SecureDrop version 1.8.0~rc1

Deployment

Dev only

@codecov-io commented Jan 28, 2021

Codecov Report

Merging #5763 (b26933c) into develop (3fb683a) will not change coverage.
The diff coverage is n/a.


@@           Coverage Diff            @@
##           develop    #5763   +/-   ##
========================================
  Coverage    85.68%   85.68%           
========================================
  Files           52       52           
  Lines         3834     3834           
  Branches       472      472           
========================================
  Hits          3285     3285           
  Misses         442      442           
  Partials       107      107           


@conorsch (Contributor) commented Jan 28, 2021

Fetched the new boxes, saw 1.7.1 without a problem. During the make test-upgrade-local process, though, I encountered an error during the loaddata.py logic. After a bit of debugging, it's not surprising: we aren't whitelisting OpenSSL 1.0.2 in the loaddata.py script as we are in the source & journalist wsgi files. As a quick fix, I tacked on that environment variable to the invocation within the upgrade scenario, and confirmed it's working. We may want to find more locations to add that env var, but in light of the upcoming Focal migration, not sure it's worthwhile right now. For the record, here's the full error I saw:

traceback from /var/www/securedrop/loaddata.py
root@app-staging:~# /var/www/securedrop/loaddata.py
/var/www/securedrop/secure_tempfile.py:10: CryptographyDeprecationWarning: Python 3.5 support will be dropped in the next release of cryptography. Please upgrade your Python.
  from cryptography.exceptions import AlreadyFinalized
Created journalist (username=clarkkent, password=correct horse battery staple profanity oil chewy, otp_secret=JHCOGO7VCER3EJ4L, is_admin=False)
Traceback (most recent call last):
  File "/var/www/securedrop/loaddata.py", line 471, in <module>
    load(parse_arguments())
  File "/var/www/securedrop/loaddata.py", line 390, in load
    add_sources(args, journalists)
  File "/var/www/securedrop/loaddata.py", line 348, in add_sources
    submit_file(source, random.choice(journalists) if seen_file_count > 0 else None)
  File "/var/www/securedrop/loaddata.py", line 208, in submit_file
    io.BytesIO(b"This is an example of a plain text file upload."),
  File "/var/www/securedrop/store.py", line 333, in save_file_submission
    with SecureTemporaryFile("/tmp") as stf:  # nosec
  File "/var/www/securedrop/secure_tempfile.py", line 51, in __init__
    self.create_key()
  File "/var/www/securedrop/secure_tempfile.py", line 71, in create_key
    self.initialize_cipher()
  File "/var/www/securedrop/secure_tempfile.py", line 77, in initialize_cipher
    self.cipher = Cipher(AES(self.key), CTR(self.iv), default_backend())
  File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 117, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 222, in <module>
    _verify_openssl_version(Binding.lib)
  File "/opt/venvs/securedrop-app-code/lib/python3.5/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 183, in _verify_openssl_version
    "You are linking against OpenSSL 1.0.2, which is no longer "
RuntimeError: You are linking against OpenSSL 1.0.2, which is no longer supported by the OpenSSL project. To use this version of cryptography you need to upgrade to a newer version of OpenSSL. For this version only you can also set the environment variable CRYPTOGRAPHY_ALLOW_OPENSSL_102 to allow OpenSSL 1.0.2.
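The traceback above is raised deep inside cryptography's import chain, which makes it hard to tell from a script like loaddata.py why it died. An added example, not SecureDrop's code and not the cryptography library's own check: a small pre-flight function that mirrors the gate described in the error message (OpenSSL 1.1.0 or newer is accepted; 1.0.2 is accepted only when CRYPTOGRAPHY_ALLOW_OPENSSL_102 is set; anything else is refused) so a script can fail early with a clear message. The function names `check_openssl_linkage`, `rejects` and `preflight` are hypothetical; the version-number encoding is OpenSSL 1.x's `0xMNNFFPPS` layout. `preflight()` assumes the interpreter's `ssl` module is linked against the same OpenSSL build as the installed cryptography package, which is true for a package built from source into a system venv but not for wheels that bundle their own OpenSSL.

```python
import os
import ssl

# Hypothetical pre-flight check (added example, not SecureDrop's or
# pyca/cryptography's own code) mirroring the gate described in the traceback.
ALLOW_ENV_VAR = "CRYPTOGRAPHY_ALLOW_OPENSSL_102"

# OpenSSL 1.x encodes OPENSSL_VERSION_NUMBER as 0xMNNFFPPS:
# major (1 nibble), minor (1 byte), fix (1 byte), patch letter (1 byte), status (1 nibble).
OPENSSL_1_0_2 = 0x10002000
OPENSSL_1_1_0 = 0x10100000
RELEASE_MASK = 0xFFFFF000  # drop the patch letter and status nibble


def openssl_version_str(number: int) -> str:
    """Decode the major.minor.fix part of an OpenSSL 1.x version number."""
    major = (number >> 28) & 0xF
    minor = (number >> 20) & 0xFF
    fix = (number >> 12) & 0xFF
    return f"{major}.{minor}.{fix}"


def check_openssl_linkage(version_number: int, env) -> str:
    """Return how the linked OpenSSL is accepted, or raise RuntimeError.

    'supported'          -> 1.1.0 or newer
    'allowed-by-env-var' -> 1.0.2 with CRYPTOGRAPHY_ALLOW_OPENSSL_102 set
    RuntimeError         -> anything older, or 1.0.2 without the opt-in
    """
    if version_number >= OPENSSL_1_1_0:
        return "supported"
    is_102 = (version_number & RELEASE_MASK) == OPENSSL_1_0_2
    if is_102 and env.get(ALLOW_ENV_VAR):
        return "allowed-by-env-var"
    raise RuntimeError(
        "linked against OpenSSL %s; set %s=1 to opt in to 1.0.2 for this "
        "version only, or upgrade OpenSSL"
        % (openssl_version_str(version_number), ALLOW_ENV_VAR)
    )


def rejects(version_number: int, env) -> bool:
    """True when check_openssl_linkage refuses this version/environment pair."""
    try:
        check_openssl_linkage(version_number, env)
    except RuntimeError:
        return True
    return False


def preflight() -> str:
    """Run the check against the OpenSSL this interpreter's ssl module uses.

    Assumption: ssl and cryptography are linked against the same OpenSSL build.
    """
    return check_openssl_linkage(ssl.OPENSSL_VERSION_NUMBER, os.environ)


if __name__ == "__main__":
    # Calling this before importing cryptography turns the deep import-time
    # failure into a one-line message at the top of the script.
    print(preflight())
```

Calling `preflight()` at the top of a management script gives the same outcome as setting the variable on the command line, but the failure is reported before any work (journalist creation, file submission) has started, which matters for a script like loaddata.py that writes to the database as it goes.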

Encountered during review. The Source & Journalist WSGI files add the
version whitelisting via env var, but the loaddata script doesn't do the
same. As a quickfix, tacked on the env var to the command invocation in
the "upgrade" scenario, since that's where I ran into it.
@conorsch (Contributor) left a review comment

Encountered a hiccup on first test, but patched it. Consider checking where else we need the openssl/cryptography env var. For now, this seems sufficient.

@emkll emkll merged commit 8cf9bc3 into develop Jan 28, 2021
@emkll emkll deleted the 171-upgrade-boxes branch January 28, 2021 23:32
@sssoleileraaa sssoleileraaa mentioned this pull request Jan 28, 2021
Linked issue this pull request may close: Release SecureDrop 1.7.1