Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vendor pretty_bad_protocol #6836

Merged
merged 11 commits into from
Jun 21, 2023
Merged

Vendor pretty_bad_protocol #6836

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
a67420b
Vendor pretty_bad_protocol
legoktm Jun 6, 2023
2e68fb8
pretty_bad_protocol: Apply pyupgrade, black, isort
legoktm Jun 6, 2023
c877def
pretty_bad_protocol: Remove compat code for unsupported platforms
legoktm Jun 6, 2023
6574e1f
Drop pre-GPG 2.1 compatibility in EncryptionManager
legoktm Jun 6, 2023
5a4a83b
pretty_bad_protocol: Remove enough things to pass pylint
legoktm Jun 6, 2023
20f185a
pretty_bad_protocol: Fix issues spotted by flake8
legoktm Jun 6, 2023
b56eb5c
pretty_bad_protocol: Move copyleft.py info into a README.md
legoktm Jun 7, 2023
5b5e129
pretty_bad_protocol: Address mypy issues, mostly through suppression
legoktm Jun 7, 2023
0d52de9
pretty_bad_protocol: Suppress bandit issue
legoktm Jun 12, 2023
d60d89b
Get rid of pretty_bad_protocol monkey-patching
legoktm Jun 9, 2023
0a669f0
Add new pretty_bad_protocol files to packaging configuration
legoktm Jun 12, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions securedrop/debian/app-code/etc/apparmor.d/usr.sbin.apache2
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -202,6 +202,14 @@
/var/www/securedrop/journalist_templates/preferences_saved_flash.html r,
/var/www/securedrop/models.py r,
/var/www/securedrop/passphrases.py r,
/var/www/securedrop/pretty_bad_protocol/ r,
/var/www/securedrop/pretty_bad_protocol/_util.py r,
/var/www/securedrop/pretty_bad_protocol/_logger.py r,
/var/www/securedrop/pretty_bad_protocol/gnupg.py r,
/var/www/securedrop/pretty_bad_protocol/_trust.py r,
/var/www/securedrop/pretty_bad_protocol/_parsers.py r,
/var/www/securedrop/pretty_bad_protocol/__init__.py r,
/var/www/securedrop/pretty_bad_protocol/_meta.py r,
/var/www/securedrop/request_that_secures_file_uploads.py r,
/var/www/securedrop/rm.py r,
/var/www/securedrop/sdconfig.py r,
Expand Down
1 change: 1 addition & 0 deletions securedrop/debian/securedrop-app-code.install
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,5 +4,6 @@ debian/app-code/var /
COPYING alembic.ini babel.cfg config.py.example /var/www/securedrop
*.py i18n.json /var/www/securedrop
journalist_app journalist_templates /var/www/securedrop
pretty_bad_protocol /var/www/securedrop
source_app source_templates /var/www/securedrop
alembic dictionaries management requirements static translations wordlists scripts /var/www/securedrop
53 changes: 6 additions & 47 deletions securedrop/encryption.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,6 @@
import re
import typing
from datetime import date
from distutils.version import StrictVersion
from io import BytesIO, StringIO
from pathlib import Path
from typing import Dict, List, Optional
Expand All @@ -14,41 +13,8 @@
if typing.TYPE_CHECKING:
from source_user import SourceUser


def _monkey_patch_username_in_env() -> None:
# To fix https://github.com/freedomofpress/securedrop/issues/78
os.environ["USERNAME"] = "www-data"


def _monkey_patch_unknown_status_message() -> None:
# To fix https://github.com/isislovecruft/python-gnupg/issues/250 with Focal gnupg
gnupg._parsers.Verify.TRUST_LEVELS["DECRYPTION_COMPLIANCE_MODE"] = 23


def _monkey_patch_delete_handle_status() -> None:
# To fix https://github.com/freedomofpress/securedrop/issues/4294
def _updated_handle_status(self: gnupg._parsers.DeleteResult, key: str, value: str) -> None:
"""
Parse a status code from the attached GnuPG process.
:raises: :exc:`~exceptions.ValueError` if the status message is unknown.
"""
if key in ("DELETE_PROBLEM", "KEY_CONSIDERED"):
self.status = self.problem_reason.get(value, "Unknown error: %r" % value)
elif key in ("PINENTRY_LAUNCHED"):
self.status = key.replace("_", " ").lower()
else:
raise ValueError("Unknown status message: %r" % key)

gnupg._parsers.DeleteResult._handle_status = _updated_handle_status


def _setup_monkey_patches_for_gnupg() -> None:
_monkey_patch_username_in_env()
_monkey_patch_unknown_status_message()
_monkey_patch_delete_handle_status()


_setup_monkey_patches_for_gnupg()
# To fix https://github.com/freedomofpress/securedrop/issues/78
os.environ["USERNAME"] = "www-data"


class GpgKeyNotFoundError(Exception):
Expand Down Expand Up @@ -92,18 +58,11 @@ def __init__(self, gpg_key_dir: Path, journalist_key_fingerprint: str) -> None:
self._redis = Redis(decode_responses=True)

# Instantiate the "main" GPG binary
gpg = gnupg.GPG(
binary="gpg2", homedir=str(self._gpg_key_dir), options=["--trust-model direct"]
self._gpg = gnupg.GPG(
binary="gpg2",
homedir=str(gpg_key_dir),
options=["--pinentry-mode loopback", "--trust-model direct"],
)
if StrictVersion(gpg.binary_version) >= StrictVersion("2.1"):
# --pinentry-mode, required for SecureDrop on GPG 2.1.x+, was added in GPG 2.1.
self._gpg = gnupg.GPG(
binary="gpg2",
homedir=str(gpg_key_dir),
options=["--pinentry-mode loopback", "--trust-model direct"],
)
else:
self._gpg = gpg

# Instantiate the GPG binary to be used for key deletion: always delete keys without
# invoking pinentry-mode=loopback
Expand Down
Loading