diff --git a/.circleci/config.yml b/.circleci/config.yml
index 8c9b3c890a..61d2ebb312 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -100,7 +100,7 @@ jobs:
 enabled: true
 environment:
 DOCKER_API_VERSION: 1.23
- BASE_OS: xenial
+ BASE_OS: focal
 steps:
 - checkout
 - *rebaseontarget
@@ -115,8 +115,8 @@ jobs:
 - run:
 name: Run all linters but shellcheck
 command: |
- fromtag=$(docker images |grep securedrop-test-xenial-py3 |head -n1 |awk '{print $2}')
- DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-xenial-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "/opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/develop-requirements.txt && make -C .. ansible-config-lint app-lint flake8 html-lint typelint yamllint"
+ fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
+ DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" securedrop/bin/dev-shell bash -c "/opt/venvs/securedrop-app-code/bin/pip3 install --require-hashes -r requirements/python3/develop-requirements.txt && make -C .. ansible-config-lint app-lint flake8 html-lint typelint yamllint"
 - run:
 name: Run shellcheck
diff --git a/admin/requirements-dev.in b/admin/requirements-dev.in
index 3f20244ca9..d64eebb7a4 100644
--- a/admin/requirements-dev.in
+++ b/admin/requirements-dev.in
@@ -6,7 +6,7 @@ mock
 pbr
 pip==19.3.1
 pip-tools==4.5.1
-pylint==2.5.0
+pylint>=2.7.0; python_version > '3.6'
 pytest==3.2.0
 requests>=2.22.0
 tox
diff --git a/admin/requirements-dev.txt b/admin/requirements-dev.txt
index 4278f8b08f..e48d699378 100644
--- a/admin/requirements-dev.txt
+++ b/admin/requirements-dev.txt
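Review bot: The marker `; python_version > '3.6'` on the new `pylint>=2.7.0` line (and on `pyyaml>=5.4.1; python_version > '3.6'` in admin/requirements.in) has no counterpart for older interpreters, so on Python 3.6 or below pip skips the requirement entirely instead of falling back to the previous pin; for pyyaml that means such an environment keeps whatever version it already had, or none, which silently undoes the upgrade this commit records in the changelog. If the admin tooling no longer supports those interpreters, say so next to the line, e.g. `# requires Python >= 3.7; no fallback pin for older interpreters`; otherwise add a complementary pin such as `pyyaml>=5.3.1; python_version <= '3.6'` and regenerate the hash-pinned .txt files. Whether any supported admin environment still runs Python <= 3.6 is not visible in this diff.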
@@ -4,9 +4,9 @@ # # pip-compile --allow-unsafe --generate-hashes --output-file=requirements-dev.txt requirements-dev.in # -astroid==2.4.2 \ - --hash=sha256:2f4078c2a41bf377eea06d71c9d2ba4eb8f6b1af2135bec27bbbb7d8f12bb703 \ - --hash=sha256:bc58d83eb610252fd8de6363e39d4f1d0619c894b0ed24603b881c02e64c7386 \ +astroid==2.5.2 \ + --hash=sha256:6b0ed1af831570e500e2437625979eaa3b36011f66ddfc4ce930128610258ca9 \ + --hash=sha256:cd80bf957c49765dce6d92c43163ff9d2abc43132ce64d4b1b47717c6d2522df \ # via pylint certifi==2018.4.16 \ --hash=sha256:13e698f54293db9f89122b0581843a782ad0934a4fe0172d2a980ba77fc61bb7 \ @@ -137,9 +137,9 @@ pyflakes==1.6.0 \ --hash=sha256:08bd6a50edf8cffa9fa09a463063c425ecaaf10d1eb0335a7e8b1401aef89e6f \ --hash=sha256:8d616a382f243dbf19b54743f280b80198be0bca3a5396f1d2e1fca6223e8805 \ # via flake8 -pylint==2.5.0 \ - --hash=sha256:588e114e3f9a1630428c35b7dd1c82c1c93e1b0e78ee312ae4724c5e1a1e0245 \ - --hash=sha256:bd556ba95a4cf55a1fc0004c00cf4560b1e70598a54a74c6904d933c8f3bd5a8 \ +pylint==2.7.4 ; python_version > "3.6" \ + --hash=sha256:209d712ec870a0182df034ae19f347e725c1e615b2269519ab58a35b3fcbbe7a \ + --hash=sha256:bd38914c7731cdc518634a8d3c5585951302b6e2b6de60fbb3f7a0220e21eeee \ # via -r requirements-dev.in pytest-catchlog==1.2.2 \ --hash=sha256:4be15dc5ac1750f83960897f591453040dff044b5966fe24a91c2f7d04ecfcf0 \ @@ -156,7 +156,7 @@ requests==2.22.0 \ six==1.15.0 \ --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \ --hash=sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced \ - # via astroid, mock, pip-tools, tox + # via mock, pip-tools, tox toml==0.10.1 \ --hash=sha256:926b612be1e5ce0634a2ca03470f95169cf16f939018233a670519cb4ac58b0f \ --hash=sha256:bda89d5935c2eac546d648028b9901107a595863cb36bae0c73ac804a9b4ce88 \ diff --git a/admin/requirements-testinfra.txt b/admin/requirements-testinfra.txt index 99f529b7db..88316d792c 100644 --- a/admin/requirements-testinfra.txt +++ b/admin/requirements-testinfra.txt 
@@ -202,18 +202,36 @@ pytest==6.1.1 \ --hash=sha256:7a8190790c17d79a11f847fba0b004ee9a8122582ebff4729a082c109e81a4c9 \ --hash=sha256:8f593023c1a0f916110285b6efd7f99db07d59546e3d8c36fc60e2ab05d3be92 \ # via -r requirements-testinfra.in, pytest-forked, pytest-xdist, testinfra -pyyaml==5.3.1 \ - --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \ - --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \ - --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \ - --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \ - --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \ - --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \ - --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \ - --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \ - --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \ - --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \ - --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \ +pyyaml==5.4.1 ; python_version > "3.6" \ + --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \ + --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \ + --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \ + --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \ + --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \ + --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \ + --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \ + --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \ + --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \ + 
--hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \ + --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \ + --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \ + --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \ + --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \ + --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \ + --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \ + --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \ + --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \ + --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \ + --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \ + --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \ + --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \ + --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \ + --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \ + --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \ + --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \ + --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \ + --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \ + --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 \ # via -r requirements.in, ansible six==1.15.0 \ --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \ diff --git a/admin/requirements.in b/admin/requirements.in index 97f07f22d9..12257f5082 100644 --- a/admin/requirements.in +++ b/admin/requirements.in 
@@ -1,5 +1,5 @@
 markupsafe>=1.1
 prompt_toolkit==2.0.9
-pyyaml>=5.3.1
+pyyaml>=5.4.1; python_version > '3.6'
 setuptools>=46.0.0
 six==1.15.0
diff --git a/admin/requirements.txt b/admin/requirements.txt
index 97d47ebbe8..4cdc41f107 100644
--- a/admin/requirements.txt
+++ b/admin/requirements.txt
@@ -111,18 +111,36 @@ prompt_toolkit==2.0.9 \ pycparser==2.18 \ --hash=sha256:99a8ca03e29851d96616ad0404b4aad7d9ee16f25c9f9708a11faf2810f7b226 \ # via cffi -pyyaml==5.3.1 \ - --hash=sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97 \ - --hash=sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76 \ - --hash=sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2 \ - --hash=sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648 \ - --hash=sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf \ - --hash=sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f \ - --hash=sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2 \ - --hash=sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee \ - --hash=sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d \ - --hash=sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c \ - --hash=sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a \ +pyyaml==5.4.1 ; python_version > "3.6" \ + --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \ + --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \ + --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \ + --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \ + --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \ + --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \ + --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \ + --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \ + --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \ + --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \ + 
--hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \ + --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \ + --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \ + --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \ + --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \ + --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \ + --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \ + --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \ + --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \ + --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \ + --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \ + --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \ + --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \ + --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \ + --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \ + --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \ + --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \ + --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \ + --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0 \ # via -r requirements.in, ansible six==1.15.0 \ --hash=sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259 \ diff --git a/changelog.md b/changelog.md index a698f63c38..294eab23cc 100644 --- a/changelog.md +++ b/changelog.md 
@@ -1,5 +1,14 @@
 # Changelog
+## 1.8.1~rc1
+
+* Install a fixed version of setuptools-scm before building packages (#5877)
+* Update pylint from 2.5.0 to 2.7.4, pyyaml from 5.3.1 to 5.4.1 (#5884)
+* Suppress OSSEC alert caused by fwupd not being active (#5882)
+* Exclude SSH onion service config from restores (#5886)
+* Add support for custom logos in backups (#5880)
+* Add check for SecureBoot status in installer (#5879)
+
 ## 1.8.0
 ### Web applications
diff --git a/install_files/ansible-base/group_vars/all/securedrop b/install_files/ansible-base/group_vars/all/securedrop
index 3b8149db40..fb6a186430 100644
--- a/install_files/ansible-base/group_vars/all/securedrop
+++ b/install_files/ansible-base/group_vars/all/securedrop
@@ -2,7 +2,7 @@
 # Variables that apply to both the app and monitor server go in this file
 # If the monitor or app server need different values define the variable in
 # hosts_vars/app.yml or host_vars/mon.yml
-securedrop_version: "1.8.0"
+securedrop_version: "1.8.1~rc1"
 securedrop_app_code_sdist_name: "securedrop-app-code-{{ securedrop_version | replace('~', '-') }}.tar.gz"
 grsecurity: true
diff --git a/install_files/ansible-base/roles/backup/files/backup.py b/install_files/ansible-base/roles/backup/files/backup.py
index cb25a3f3d2..9df91697b7 100755
--- a/install_files/ansible-base/roles/backup/files/backup.py
+++ b/install_files/ansible-base/roles/backup/files/backup.py
@@ -1,8 +1,11 @@
 #!/opt/venvs/securedrop-app-code/bin/python
 """
-This script is copied to the App server and run by the Ansible playbook. When
-run (as root), it collects all of the necessary information to backup the 0.3
-system and stores it in /tmp/sd-backup-0.3-TIME_STAMP.tar.gz.
+This script is copied to the App server (to /tmp) and run by the Ansible playbook,
+typically via `securedrop-admin`.
+
+The backup file in the format sd-backup-$TIMESTAMP.tar.gz is then copied to the
+Admin Workstation by the playbook, and removed on the server. For further
+information and limitations, see https://docs.securedrop.org/en/stable/backup_and_restore.html
 """
 from datetime import datetime
@@ -19,14 +22,17 @@ def main():
 sd_code = '/var/www/securedrop'
 sd_config = os.path.join(sd_code, "config.py")
- sd_custom_logo = os.path.join(sd_code, "static/i/logo.png")
+ sd_custom_logo = os.path.join(sd_code, "static/i/custom_logo.png")
 tor_hidden_services = "/var/lib/tor/services"
 torrc = "/etc/tor/torrc"
 with tarfile.open(backup_filename, 'w:gz') as backup:
 backup.add(sd_config)
- backup.add(sd_custom_logo)
+
+ # If no custom logo has been configured, the file will not exist
+ if os.path.exists(sd_custom_logo):
+ backup.add(sd_custom_logo)
 backup.add(sd_data)
 backup.add(tor_hidden_services)
 backup.add(torrc)
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
index f3189756f1..868559e2fa 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-focal
@@ -1,3 +1,9 @@
+securedrop-app-code (1.8.1~rc1+focal) focal; urgency=medium
+
+ * See changelog.md
+
+ -- SecureDrop Team Wed, 07 Apr 2021 11:48:22 -0400
+
 securedrop-app-code (1.8.0+focal) focal; urgency=medium
 * see changelog.md
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial
index a5a7f5292c..382a2a986a 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/changelog-xenial
@@ -1,3 +1,9 @@
+securedrop-app-code (1.8.1~rc1+xenial) xenial; urgency=medium
+
+ * See changelog.md
+
+ -- SecureDrop Team Wed, 07 Apr 2021 11:47:42 -0400
+
 securedrop-app-code (1.8.0+xenial) xenial; urgency=medium
 * See changelog.md
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
index d01a75cf79..e72fb741af 100644
--- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
+++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/translations.yml
@@ -1,8 +1,10 @@
 ---
 - name: Install SecureDrop Python requirements in virtualenv for translation work
- shell: |
- python3 -m venv /tmp/securedrop-app-code-i18n-ve
+ shell: >
+ set -e &&
+ python3 -m venv /tmp/securedrop-app-code-i18n-ve &&
+ /tmp/securedrop-app-code-i18n-ve/bin/pip3 install "setuptools-scm==5.0.2" &&
 /tmp/securedrop-app-code-i18n-ve/bin/pip3 install --no-deps --no-binary :all: --require-hashes -r {{ securedrop_app_code_prep_dir }}/requirements.txt
 tags:
 - pip
diff --git a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
index d9a765611a..e693ae3c4c 100644
--- a/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
+++ b/install_files/ansible-base/roles/prepare-servers/tasks/main.yml
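Review bot: `/tmp/securedrop-app-code-i18n-ve/bin/pip3 install "setuptools-scm==5.0.2" &&` pins a version but no hash, while the next command in the same chain installs with `--require-hashes`; the build venv therefore accepts whatever the index serves under that version, which the rest of this pipeline deliberately avoids. The same applies to `--preinstall setuptools-scm==5.0.2` added in install_files/securedrop-app-code/debian/rules, where dh_virtualenv's preinstall step does not, as far as I can see, carry hashes either. For this task the fix is one line: ship setuptools-scm in a hash-pinned requirements file and install it with `/tmp/securedrop-app-code-i18n-ve/bin/pip3 install --require-hashes -r {{ securedrop_app_code_prep_dir }}/<SETUPTOOLS_SCM_REQUIREMENTS_FILE> &&` (placeholder filename). Minor: `set -e &&` at the head of a single `&&` chain has no effect and can be dropped.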
@@ -22,10 +22,26 @@ https://github.com/freedomofpress/securedrop/issues/4058
 - name: Install python and packages required by installer
- raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core
+ raw: apt install -y python3 apt-transport-https dnsutils ubuntu-release-upgrader-core mokutil
 register: _apt_install_prereqs_results
 changed_when: "'0 upgraded, 0 newly installed, 0 to remove' not in _apt_install_prereqs_results.stdout"
+- name: Check SecureBoot status
+ command: mokutil --sb-state
+ changed_when: false
+ failed_when: false # results inspected below
+ register: _mokutil_results
+
+- name: Verify that SecureBoot is not enabled
+ assert:
+ that:
+ - "'SecureBoot enabled' not in _mokutil_results.stdout"
+ - "'SecureBoot enabled' not in _mokutil_results.stderr"
+ fail_msg: >-
+ SecureBoot is enabled. SecureDrop cannot be installed, as it uses a
+ custom kernel that is not signed. Please disable SecureBoot on the
+ target servers and try again.
+
 - name: Remove cloud-init
 apt:
 name: cloud-init
diff --git a/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml b/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
new file mode 100644
index 0000000000..cd90f5d0e2
--- /dev/null
+++ b/install_files/ansible-base/roles/restore/tasks/cleanup_v2.yml
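Review bot: The assert in "Verify that SecureBoot is not enabled" is a deny-list on a single phrase: any output that does not contain `SecureBoot enabled` passes, including an empty result when `mokutil --sb-state` exits before printing anything, because `failed_when: false` discards its exit status. An allow-list on the known negative outcomes — mokutil's own `SecureBoot disabled`, or its message for a host where EFI variables are not supported — fails closed on anything unexpected and surfaces that output, which also protects against a wording change in a future mokutil. For example `- "'SecureBoot disabled' in _mokutil_results.stdout or 'EFI variables are not supported' in _mokutil_results.stderr"` as the condition, with `{{ _mokutil_results.stdout }} {{ _mokutil_results.stderr }}` appended to the fail_msg so the operator sees what was actually reported. Which stream mokutil uses for the non-EFI message on the target releases should be confirmed on a BIOS-boot host before relying on it.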
@@ -0,0 +1,40 @@
+---
+- name: Copy disable_v2.py script
+ copy:
+ src: "{{ role_path }}/files/disable_v2.py"
+ dest: /opt/disable_v2.py
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Execute disable_v2 script
+ command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 tor source directory
+ file:
+ state: absent
+ path: /var/lib/tor/services/source
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 tor journalist directory
+ file:
+ state: absent
+ path: /var/lib/tor/services/journalist
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 tor ssh directory
+ file:
+ state: absent
+ path: /var/lib/tor/services/ssh
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove v2 source_url application file
+ file:
+ state: absent
+ path: /var/lib/securedrop/source_v2_url
+ when: ("V3 services only" in compare_result.stdout)
+
+- name: Remove disable_v2.py script
+ file:
+ state: absent
+ path: /opt/disable_v2.py
+ when: ("V3 services only" in compare_result.stdout)
diff --git a/install_files/ansible-base/roles/restore/tasks/main.yml b/install_files/ansible-base/roles/restore/tasks/main.yml
index 3cd847b6de..a6e3eb89fe 100644
--- a/install_files/ansible-base/roles/restore/tasks/main.yml
+++ b/install_files/ansible-base/roles/restore/tasks/main.yml
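Review bot: The guard `when: ("V3 services only" in compare_result.stdout)` is repeated on all seven tasks of this new file, and `compare_result` is registered in a sibling file (perform_restore.yml) rather than here, so the file only works when included after that one — nothing in the file says so. A single `block:` carrying the `when:` removes the repetition and gives one place to document the ordering dependency, e.g. `# Requires compare_result (registered in perform_restore.yml); include only after it.` The rewrite below shows the wrapper with the first task; the remaining six move one indent level deeper and drop their own `when:`.
```yaml
---
# Requires compare_result (registered in perform_restore.yml); include only after it.
- name: Remove deprecated v2 onion service configuration
  when: ("V3 services only" in compare_result.stdout)
  block:
    - name: Copy disable_v2.py script
      copy:
        src: "{{ role_path }}/files/disable_v2.py"
        dest: /opt/disable_v2.py
    # … unchanged: the remaining six tasks, nested under block and without their per-task when …
```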
@@ -1,159 +1,11 @@
 ---
-- name: Create temporary directory for Tor configuration check
- connection: local
- become: no
- tempfile:
- state: directory
- register: torrc_check_dir
+- name: Apply backup to Application Server
+ include: perform_restore.yml
-- name: Fetch current Tor configuration from app server
- become: no
- fetch:
- src: /etc/tor/torrc
- dest: "{{ torrc_check_dir.path }}"
-
-- name: Create directory to hold the Tor configuration from the backup
- connection: local
- become: no
- file:
- path: "{{ torrc_check_dir.path }}/backup"
- state: directory
-
-- name: Extract Tor configuration from backup
- connection: local
- become: no
- unarchive:
- dest: "{{ torrc_check_dir.path }}/backup/"
- src: "{{ restore_file }}"
- extra_opts:
- - "etc/tor/torrc"
-
-- name: Check for Tor configuration differences between the backup and server
- connection: local
- become: no
- command: "python {{ role_path }}/files/compare_torrc.py {{ torrc_check_dir.path }}"
- ignore_errors: yes
- register: compare_result
-
-- name: Remove temporary directory for Tor configuration check
- connection: local
- become: no
- file:
- path: "{{ torrc_check_dir.path }}"
- state: absent
- when: torrc_check_dir.path is defined
-
-- name: Verify that the backup Tor config is compatible with the server Tor config
- assert:
- that:
- - "'Valid configuration' in compare_result.stdout"
- fail_msg:
- "This backup's tor configuration cannot be applied on this server."
- - "A data-only restore can be applied using the --preserve-tor-config argument"
- - "More info: {{ compare_result.stdout }}"
+- name: Remove deprecated v2 onion service configuration
+ include: cleanup_v2.yml
 when: not restore_skip_tor
-- name: Copy backup to application server
- synchronize:
- src: "{{ restore_file }}"
- dest: /tmp/{{ restore_file }}
- partial: yes
-
-- name: Extract backup
- unarchive:
- dest: /
- remote_src: yes
- src: "/tmp/{{ restore_file}}"
- when: (not restore_skip_tor) and
- ("V3 services only" not in compare_result.stdout)
-
-- name: Extract backup, using v3 services only
- unarchive:
- dest: /
- remote_src: yes
- src: "/tmp/{{ restore_file}}"
- exclude: "var/lib/tor/services/source,var/lib/tor/services/journalist,var/lib/tor/services/ssh"
- when: (not restore_skip_tor) and
- ("V3 services only" in compare_result.stdout)
-
-- name: Extract backup, skipping tor service configuration
- unarchive:
- dest: /
- remote_src: yes
- src: "/tmp/{{ restore_file}}"
- exclude: "var/lib/tor,etc/tor/torrc"
- when: restore_skip_tor
-
-- name: Reconfigure securedrop-app-code
- command: dpkg-reconfigure securedrop-app-code
-
-- name: Reconfigure securedrop-config
- command: dpkg-reconfigure securedrop-config
-
-- name: Reload Apache service
- service:
- name: apache2
- state: reloaded
-
-- name: Copy disable_v2.py script
- copy:
- src: "{{ role_path }}/files/disable_v2.py"
- dest: /opt/disable_v2.py
- when: (not restore_skip_tor) and
- ("V3 services only" in compare_result.stdout)
-
-- name: Execute disable_v2 script
- command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc
- when: (not restore_skip_tor) and
- ("V3 services only" in compare_result.stdout)
-
-- name: Remove v2 tor source directory
- file:
- state: absent
- path: /var/lib/tor/services/source
- when: (not restore_skip_tor) and
- ("V3 services only" in compare_result.stdout)
-
-- name: Remove v2 tor journalist directory
- file:
- state: absent
- path: /var/lib/tor/services/journalist
- when: (not restore_skip_tor) and
- ("V3 services only" in compare_result.stdout)
-
-- name: Remove v2 tor ssh directory
- file:
- state: absent
- path: /var/lib/tor/services/ssh
- when: (not restore_skip_tor) and
- ("V3 services only" in compare_result.stdout)
-
-- name: Remove v2 source_url application file
- file:
- state: absent
- path: /var/lib/securedrop/source_v2_url
- when: (not restore_skip_tor) and
- ("V3 services only" in compare_result.stdout)
-
-- name: Remove disable_v2.py script
- file:
- state: absent
- path: /opt/disable_v2.py
- when: (not restore_skip_tor) and
- ("V3 services only" in compare_result.stdout)
-
-- name: Reload Tor service
- service:
- name: tor
- state: reloaded
- async: 60
- poll: 0
- register: tor_reload_job
-
-- name: Wait for Tor reload
- async_status:
- jid: "{{ tor_reload_job.ansible_job_id }}"
- register: tor_reload
- until: tor_reload.finished
- retries: 6
- delay: 10
+- name: Restart Tor
+ include: update_tor.yml
+ when: not restore_skip_tor
diff --git a/install_files/ansible-base/roles/restore/tasks/perform_restore.yml b/install_files/ansible-base/roles/restore/tasks/perform_restore.yml
new file mode 100644
index 0000000000..2da23dca7d
--- /dev/null
+++ b/install_files/ansible-base/roles/restore/tasks/perform_restore.yml
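Review bot: The three new tasks use the bare `include:` form, which Ansible has deprecated in favour of `import_tasks:` / `include_tasks:`; whether it still loads depends on the Ansible version pinned for the admin environment, which is not visible here. `import_tasks:` is the drop-in replacement, because like a static include it applies `when: not restore_skip_tor` to every task inside the file — cleanup_v2.yml relies on that, since its own per-task `when:` only checks `compare_result`, whereas `include_tasks:` would evaluate the condition once on the include itself. The change is `  import_tasks: perform_restore.yml`, `  import_tasks: cleanup_v2.yml` and `  import_tasks: update_tor.yml`. A one-line comment above the first task noting that perform_restore.yml registers the `compare_result` the later files consume would make the required ordering explicit.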
@@ -0,0 +1,102 @@
+---
+- name: Create temporary directory for Tor configuration check
+ connection: local
+ become: no
+ tempfile:
+ state: directory
+ register: torrc_check_dir
+
+- name: Fetch current Tor configuration from app server
+ become: no
+ fetch:
+ src: /etc/tor/torrc
+ dest: "{{ torrc_check_dir.path }}"
+
+- name: Create directory to hold the Tor configuration from the backup
+ connection: local
+ become: no
+ file:
+ path: "{{ torrc_check_dir.path }}/backup"
+ state: directory
+
+- name: Extract Tor configuration from backup
+ connection: local
+ become: no
+ unarchive:
+ dest: "{{ torrc_check_dir.path }}/backup/"
+ src: "{{ restore_file }}"
+ extra_opts:
+ - "etc/tor/torrc"
+
+- name: Check for Tor configuration differences between the backup and server
+ connection: local
+ become: no
+ command: "python {{ role_path }}/files/compare_torrc.py {{ torrc_check_dir.path }}"
+ ignore_errors: yes
+ register: compare_result
+
+- name: Remove temporary directory for Tor configuration check
+ connection: local
+ become: no
+ file:
+ path: "{{ torrc_check_dir.path }}"
+ state: absent
+ when: torrc_check_dir.path is defined
+
+- name: Verify that the backup Tor config is compatible with the server Tor config
+ assert:
+ that:
+ - "'Valid configuration' in compare_result.stdout"
+ fail_msg:
+ - "This backup's tor configuration cannot be applied on this server."
+ - "A data-only restore can be applied using the --preserve-tor-config argument"
+ - "More info: {{ compare_result.stdout }}"
+ when: not restore_skip_tor
+
+- name: Copy backup to application server
+ synchronize:
+ src: "{{ restore_file }}"
+ dest: /tmp/{{ restore_file }}
+ partial: yes
+
+- name: Extract backup
+ unarchive:
+ dest: /
+ remote_src: yes
+ src: "/tmp/{{ restore_file}}"
+ exclude:
+ - "var/lib/tor/services/ssh"
+ - "var/lib/tor/services/sshv3"
+ when: (not restore_skip_tor) and
+ ("V3 services only" not in compare_result.stdout)
+
+- name: Extract backup, using v3 services only
+ unarchive:
+ dest: /
+ remote_src: yes
+ src: "/tmp/{{ restore_file}}"
+ exclude:
+ - "var/lib/tor/services/source,var/lib/tor/services/journalist"
+ - "var/lib/tor/services/ssh"
+ - "var/lib/tor/services/sshv3"
+ when: (not restore_skip_tor) and
+ ("V3 services only" in compare_result.stdout)
+
+- name: Extract backup, skipping tor service configuration
+ unarchive:
+ dest: /
+ remote_src: yes
+ src: "/tmp/{{ restore_file}}"
+ exclude: "var/lib/tor,etc/tor/torrc"
+ when: restore_skip_tor
+
+- name: Reconfigure securedrop-app-code
+ command: dpkg-reconfigure securedrop-app-code
+
+- name: Reconfigure securedrop-config
+ command: dpkg-reconfigure securedrop-config
+
+- name: Reload Apache service
+ service:
+ name: apache2
+ state: reloaded
diff --git a/install_files/ansible-base/roles/restore/tasks/update_tor.yml b/install_files/ansible-base/roles/restore/tasks/update_tor.yml
new file mode 100644
index 0000000000..9d24c23363
--- /dev/null
+++ b/install_files/ansible-base/roles/restore/tasks/update_tor.yml
@@ -0,0 +1,16 @@
+---
+- name: Reload Tor service
+ service:
+ name: tor
+ state: reloaded
+ async: 60
+ poll: 0
+ register: tor_reload_job
+
+- name: Wait for Tor reload
+ async_status:
+ jid: "{{ tor_reload_job.ansible_job_id }}"
+ register: tor_reload
+ until: tor_reload.finished
+ retries: 6
+ delay: 10
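Review bot: In "Extract backup, using v3 services only" the first `exclude:` entry still carries two comma-joined paths, `"var/lib/tor/services/source,var/lib/tor/services/journalist"`; now that `exclude` is a YAML list, that element is handed to the unarchive module as one literal pattern — the comma splitting the old string form relied on (and which the `restore_skip_tor` task below still uses) does not, as far as I know, apply to individual list elements — so the v2 source and journalist service directories from the backup are extracted onto the server after all and only removed afterwards by cleanup_v2.yml. Split it into `- "var/lib/tor/services/source"` and `- "var/lib/tor/services/journalist"` so the v2 material never lands on disk. Worth confirming with a restore of a v2-containing backup on a v3-only host that those two directories are absent before the cleanup tasks run.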
diff --git a/install_files/securedrop-app-code/debian/rules b/install_files/securedrop-app-code/debian/rules
index a9cc6b77a7..8079dd9d64 100755
--- a/install_files/securedrop-app-code/debian/rules
+++ b/install_files/securedrop-app-code/debian/rules
@@ -28,6 +28,7 @@ override_dh_virtualenv:
 dh_virtualenv \
 --python=/usr/bin/python3 \
 --builtin-venv \
+ --preinstall setuptools-scm==5.0.2 \
 --extra-pip-arg "--verbose" \
 --extra-pip-arg "--no-deps" \
 --extra-pip-arg "--no-binary=:all:" \
diff --git a/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml b/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml
index 50445d873e..63c4e3b707 100644
--- a/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml
+++ b/install_files/securedrop-ossec-server/var/ossec/etc/local_decoder.xml
@@ -47,3 +47,10 @@
 dhclient
+
+
+
+ fwupd
+
diff --git a/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml b/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
index eb3f5d4cb8..26eeab6958 100644
--- a/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
+++ b/install_files/securedrop-ossec-server/var/ossec/rules/local_rules.xml
@@ -73,6 +73,25 @@
+
+
+
+
+ fwupd
+ Error opening directory
+ fwupd error
+ no_email_alert
+
+
+ fwupd
+ Failed to load SMBIOS
+ fwupd error for auto updates
+ no_email_alert
+
+
+