Upgrade Flask dependency to 2.0.2 and refactor applications to improve static type checks

[zenmonkeykstop]

Status

Ready for review (but test plan TK)

Description of Changes

Fixes #6154.

This PR updates the application Flask version to 2.0.2 and updates associated dependencies. It also refactors out the app.storage and app.instance_config dynamic attributes and corrects several typing errors, in order to allow for successul static typechecking via mypy.

• Dependency updates:
  • click from 6.7 to 8.0.3
  • flask-babel from 011.2 to 2.0.0
  • flask-wtf from 0.14.2 to 1.0.0
  • Flask from 1.0.2 to 2.0.2
  • itsdangerous from 0.24 to 2.0.1
  • jinja2 from 2.11.3 to 3.0.2
  • markupsafe from 1.1.1 to 2.0.1
  • redis from 3.3.6 to 3.5.3
  • rq from 1.1.0 to 1.10.0
  • werkzeug from 0.16.0 to 2.0.2

Application refactor:

• Flask app.storage attribute has been removed in favour of a global Storage object, accessed via a .get_default() class method that creates the global object if it doesn't already exist, and then returns it.
• Flask app.instance_config attribute has been removed in favour of a global InstanceConfig object, accessed similarly to Storage.
• Numerous typing fixes have been made.
• datetime variables have been updated to be timezone-aware as required by Flask 2.0.2

Test updates:

Tests have been updated to account for the refactor above. An app_storage fixture was added, returning a function-scoped Storage object. For tests which access storage directly, that fixture was added to their args and references like current_app.storage.whatever() were changed to app_storage.whatever(). For tests that access storage indirectly (for example, via a test journalist or source application), the Storage.get_default() method must be mocked to return the app_storage fixture. This patch has been added in the source_app and journalist_app fixtures, so it will be applied automatically in tests that use them.

General notes:

• There a few TODOs not addressed by this PR for various reasons
  • The babel_instance Flask app dynamic attribute has not been refactored out - it's added by flask-babel and an upstream change is probably required Fixed in Stop using app.babel_instance #6220
  • type checking is disabled for the CSRFError error handlers due to an issue similar to: error handler type check fails pallets/flask#4295
  • type checking is disabled in the generic error handler - error handling should be updated to remove the use of Flask's internal app.error_handler_spec structure
  • during initial testing, it was found that test requirements would override app requirements in the test Docker environment, meaning that updates to app requirements weren't always being applied. As a quick fix, the order in which requirements were installed was switched, so that app requirements would always be applied last. A better fix would be to clean up those requirements files to either keep them in sync or to remove application dependencies from the test requirements files altogether.

Testing

Storage-specific tests

Secure temporary files

• check out this branch and run make dev-tor (some latency will help when observing the tempfile behaviour)
• in another teminal, connect to the dev env with docker exec -t securedrop-dev-0 bash
• in the dev env, monitor /tmp with watch -n 1 ls -l /tmp
• connect to the Source Interface(SI) (you'll find the address listed in docker output just before the applications start) and upload a file greater than 512k.
  • confirm that 2 files with a .aes extension are written and then deleted as the upload completes (the first is the gzipped initial submission, second is decompressed version)
• (optional) for bonus points, retain both files by adding a delete=False argument to the super().__init() in the SecureTemporaryFile class and submitting another file larger than 512k
  • verify that both files contents "look" random.
  • verify that the size of the first file matches the gzipped size of the submission and the size of the second matches that of the original file.

Submissions and replies

• are files being saved to the right location?
  • check out this branch and run make dev
  • in another teminal, connect to the dev env with docker exec -t securedrop-dev-0 bash
  • in the SI, start at least 2 source sessions, upload distinct files to both
  • verify that they were stored to the correct /var/lib/securedrop/store/<UUID>/ paths for the respective sources
• are they being attributed to the correct source in the JI?
  • in the Journalist Interface(JI), verify that the submissions are listed under the correct source page
• are replies only visible to the intended recipient in the SI?
  • in the JI, reply to both sources
  • in SI, confirm for each source that they can see their own reply only
• are they encrypted?
  • in the JI, download the submissions and confirm that they can be decrypted with the submission key
• are they being deleted correctly (individually, en masse, or as part of a source wipe)
  • delete one source's submissions and replies via the "files and messages" only option, confirm they are no longer present
  • delete an individual submission from another source, confirm that the file was removed from the store
  • delete the source in its entirety, confirm that the source store directory was deleted
• are source store directories being recreated correctly?
  • in the SI, create another source and submit some docs/messages.
  • delete all files and messages from a source while preserving the source itself
  • in the dev env shell, manually delete the source's store directory
  • attempt to submit a new doc as that source and confirm that the directory is recreated and the source submission is present

Instance config tests

• check out this branch and run make dev, then log in to the JI
• on the Admin > Instance Config page, update the instance name.
  • verify that the name is saved successfully and that the JI titles change to reflect it.
  • load the SI and verify that the new name is used there as well.
• on the Admin > Instance Config page, disable file uploads.
  • load the SI and verify that sources only have the option to submit messages, not files.

End-to-end tests

• Perform as much of the Acceptance Tests section of the 2.1.0 test plan as you have time and patience for.
  • verify that acceptance tests pass.

Upgrade scenario

• Follow the upgrade scenario docs to verify an upgrade from 2.1.0 to locally-built packages.
  • verify that the upgrade scenario completes successfully
  • verify that basic functionality is available after the upgrade.

Deployment

These application changes will be deployed with the next release containing them. There are no schema changes or data migrations, but 2 of the alembic migration scripts were modified to reference the new global Storage object - as such, attention should be paid during testing to QA scenarios involving upgrades to verify that they work as expected.

Checklist

If you made changes to the server application code:

• Linting (make lint) and tests (make test) pass in the development container

If you made changes to the system configuration:

• Configuration tests pass

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR TK

Choose one of the following:

• I have opened a PR in the docs repo for these changes, or will do so later
• I would appreciate help with the documentation
• These changes do not require documentation

If you added or updated a production code dependency:

Production code dependencies are defined in:

• admin/requirements.in
• admin/requirements-ansible.in
• securedrop/requirements/python3/securedrop-app-code-requirements.in

If you changed another requirements.in file that applies only to development
or testing environments, then no diff review is required, and you can skip
(remove) this section.

Choose one of the following:

• I have performed a diff review and pasted the contents to the packaging wiki
• I would like someone else to do the diff review - given the scope, looking for volunteers. So far we have:
  • click from 6.7 to 8.0.3 - @conorsch
  • flask-babel from 011.2 to 2.0.0 - @cfm
  • flask-wtf from 0.14.2 to 1.0.0 - @zenmonkeykstop
  • Flask from 1.0.2 to 2.0.2 - @zenmonkeykstop
  • itsdangerous from 0.24 to 2.0.1 - @conorsch
  • jinja2 from 2.11.3 to 3.0.2 - @legoktm
  • redis from 3.3.6 to 3.5.3 - @legoktm
  • rq from 1.1.0 to 1.10.0 - @eaon

[legoktm]

As I mentioned earlier, I think this could be split a bit to make easier to review:

• datetime changes: utcnow() -> now(utc)
• Introduction of and switch to Storage.get_default()
• Introduction of and switch to InstanceConfig.get_default()

[legoktm]

If I'm understanding this correctly, this is a behavior shift now in that InstanceConfig is just initialized once at startup rather than on each request. Is that intentional? I haven't figured out how that works with the "valid_until" field yet...

[zenmonkeykstop]

Actually the instance config is now retrieved every time InstanceConfig.get_default() is called, so it's actually hitting the DB as much as before (or potentially more often if a single request has multiple .get_default()s) This reduces the benefit of a global object, so there's probably some opportunity for optimization there. The trick would be to detect configuration changes when they're made in the journalist interface, as we want those to be reflected immediately in the source app.

[zenmonkeykstop]

Updated the InstanceConfig get_default() method to be lazier - it will now only hit the db if explicitly requested or if the global is None. With some tweaks to @app.before_request-decorate functions, changes should show up immediately in both apps without extra DB overhead.

Also, re valid_until - it might be a bit counter-intuitive. It records the historical info about previous configs, and when they were invalidated. (TBH I'm not sure we need to store said previous configs, but it does provide an audit trail for instance_config changes.)

[legoktm]

I think this would be easier to read if it was in an else block below.

[zenmonkeykstop]

sure, updated.

[legoktm]

If we're renaming this maybe a better name would be submitted_file?

This whole block could be more DRY by not duplicating the mark_seen call for each if stanza...but that can be done separately.

[zenmonkeykstop]

👍 updated (the name, not the mark_seen() calls)

[legoktm]

This is also documented as taking a DicewarePassphrase, so I don't understand why mypy is happy with it but below wants you to wrap it. In any case, shouldn't the codename variable be turned into a DicewarePassphrase as soon as its pulled out of the session object?

[zenmonkeykstop]

As I mentioned earlier, I think this could be split a bit to make easier to review:

* datetime changes: utcnow() -> now(utc) 
* Introduction of and switch to Storage.get_default()
* Introduction of and switch to InstanceConfig.get_default()

This makes sense - I've reordered and merged commits to simplify things and group related changes. Let me know if it's helpful!

[codecov-commenter]

Codecov Report

Merging #6217 (aba1749) into develop (f768a1a) will increase coverage by 0.01%.
The diff coverage is 88.67%.

@@             Coverage Diff             @@
##           develop    #6217      +/-   ##
===========================================
+ Coverage    85.13%   85.15%   +0.01%     
===========================================
  Files           59       59              
  Lines         4090     4102      +12     
  Branches       487      490       +3     
===========================================
+ Hits          3482     3493      +11     
  Misses         491      491              
- Partials       117      118       +1     

Impacted Files	Coverage Δ
securedrop/journalist_app/admin.py	89.40% <ø> (ø)
...rsions/3da3fcab826a_delete_orphaned_submissions.py	31.91% <20.00%> (ø)
.../b58139cfdc8c_add_checksum_columns_revoke_table.py	36.36% <33.33%> (ø)
securedrop/source_app/forms.py	94.44% <50.00%> (-0.30%)	⬇️
securedrop/store.py	90.09% <75.00%> (-0.11%)	⬇️
securedrop/source_app/main.py	94.47% <85.71%> (+0.03%)	⬆️
securedrop/i18n.py	93.25% <100.00%> (ø)
securedrop/journalist_app/__init__.py	90.09% <100.00%> (-0.18%)	⬇️
securedrop/journalist_app/api.py	94.16% <100.00%> (ø)
securedrop/journalist_app/col.py	81.01% <100.00%> (+0.24%)	⬆️
... and 8 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f768a1a...aba1749. Read the comment docs.

[cfm]

Diff reviewed in https://github.com/freedomofpress/securedrop-debian-packaging/wiki/Flask-Babel-0.11.2-to-2.0.0.

[cfm]

Nit in passing: I wondered if this could be simplified, since InstanceConfig.organization_name has default="SecureDrop", but it looks like that default's not applied in the upgrade migration.

[legoktm]

Reviewed: https://github.com/freedomofpress/securedrop-debian-packaging/wiki/redis-3.3.6-to-3.5.3

[conorsch]

Diff reviews complete for click and itsdangerous. Regarding the latter, we've got an upcoming deprecation tracked in #6224. For the purposes of this PR, see the comments in pallets/itsdangerous#257 about token length; I have not tried to reproduce what's reported there, but given the scope of these changes, makes sense to evaluate as part of review here.

[conorsch]

Looks like securedrop/requirements/python3/test-requirements.txt still needs to be updated; it contains itsdangerous==0.24 (the old version) and also Flash v1 still.

[zenmonkeykstop]

Looks like securedrop/requirements/python3/test-requirements.txt still needs to be updated; it contains itsdangerous==0.24 (the old version) and also Flash v1 still.

Yup, that's an outstanding task in the TODOs - current workaround also described there.

already tracked in todos

[legoktm]

jinja notes:

• evalcontextfilter is deprecated, there's a new sample nl2br snippet: https://jinja.palletsprojects.com/en/3.0.x/api/?highlight=nl2br#custom-filters
• The with_ and autoescape extensions are deprecated (now always built-in AIUI), so maybe they can be removed from babel.cfg?
• It seems Markup should be imported from markupsafe rather than jinja now
• Do we have a regression test that verifies jinja's autoescaping is turned on? Like assert Template("{{foo}}").render(foo="<script>") == "&lt;script>" or something.

I reviewed all the doc and src/ changes, ended up skipping the tests/ changes due to a lack of time.

[legoktm]

Reviewed: https://github.com/freedomofpress/securedrop-debian-packaging/wiki/Jinja2-2.11.3-to-3.0.2

[nabla-c0d3]

I would put refresh: bool = False ; not sure there's a need for refresh to ever be None?

[zenmonkeykstop]

✔️ - updated.

[nabla-c0d3]

To further simplify the tests in this file, I would recommend:

• Removing all mentions of the journalist_app, as it is out of scope for what is being tested here (only the Storage class is being tested; not the full app).
• Not using the storage fixture as I would argue that creating a Storage class should be done in the test code as that's what's being tested: it's not "setup" code. The benefit will be that the tests won't be coupled with the config fixture (which is used in a lot of tests and seems unnecessary here) and the tests will be easier to read/follow.

You can see an example of tis approach above in TestPassphrasesGenerator.

[zenmonkeykstop]

The journalist_app fixture is unused in the majority of the tests alright - there are a few that do require an app context - eg. the shredder tests, but they could probably be moved to a separate file.

I'm less convinced about removing the app_storage fixture in all cases. Some of the tests that use it and the config fixture are essentially verifying that files are being created in the store in the expected location based on config parameters, and for those it would seem either tautological to just remove config, or duplicative to effectively recreate both fixtures in the test. But it can definitely be removed from tests not using config and replaced with a test-specific Storage object.

[zenmonkeykstop]

Actually on further reflection there are a lot more cases where the latter makes sense...

[nabla-c0d3]

Not super important, but you might now be able to remove the source_app fixture from this test and the one below 🙌

[zenmonkeykstop]

Looks like yes to the one below, but no to this one without independently setting up the db and creating an app and passing its context within the test.

[nabla-c0d3]

(Not very important) You could simplify this by switching the argument's declaration to:

filename: str = "unknown.file",

Then no if/else would be needed.

[zenmonkeykstop]

I kindof like it as is, I think @legoktm's previous point about readability is a good one.

[eaon]

Reviewed: https://github.com/freedomofpress/securedrop-debian-packaging/wiki/rq-1.1.0-to-1.10.0

[legoktm]

I got through the first half of the test plan today, should finish the rest on Monday.

[conorsch]

Changes look great. Try as I might, I'm unable to break it, which is grand. =) Tested via the prod VM upgrade scenario, and ran through the full test plan. Diff is quite readable, and post-reorg, the code is a bit more intuitive IMO. Great work on this one, @zenmonkeykstop—and thanks also to @legoktm for detailed review.