Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migrate public keys from GPG to database-backed storage #6946

Merged
merged 2 commits into from
Oct 4, 2023
Merged

Migrate public keys from GPG to database-backed storage #6946

merged 2 commits into from
Oct 4, 2023

Conversation

legoktm
Copy link
Member

@legoktm legoktm commented Sep 21, 2023
edited by cfm
Loading

Status

Ready for review, depends on #6892 and #6948.

Description of Changes

  • Add --gpg to loaddata.py to create GPG-backed sources (primarily for testing/dev purposes)
  • Migrate public keys from GPG to database-backed storage (the main commit in this PR)

Commit messages have more detail on each.

Fixes #6800.

Testing

  • Start the dev server (make dev) and open a shell into the container, e.g. podman exec --user=root -it $(podman ps --filter name=securedrop --format '{{.ID}}') bash
  • Run alembic stamp 811334d7105f (ID of the migration before this one)
  • Run ./loaddata.py --gpg to add some GPG sources
  • Run select filesystem_id, pgp_fingerprint from sources; in SQLite to verify there are some sources without a fingerprint set in the database
  • Run alembic upgrade head, completes successfully. Then run the database query again to see that all fingerprints have been populated.
  • Obligatory CI passes & visual review

Deployment

Any special considerations for deployment?

This is a non-destructive migration. There is some risk the migration fails, which would halt package upgrade, but the main point where we expect that to happen (gpg.export_key()) is wrapped in a try/except.

Checklist

  • Linting (make lint) and tests (make test) pass in the development container
  • I have written a test plan and validated it for this PR
  • These changes do not require documentation

@legoktm legoktm force-pushed the sequoia-migrate-public branch 2 times, most recently from 49f6ec7 to 1616478 Compare September 21, 2023 19:17
@legoktm legoktm mentioned this pull request Sep 22, 2023
Closed
@legoktm legoktm force-pushed the sequoia-migrate-public branch 3 times, most recently from fe26e56 to 92fc742 Compare September 28, 2023 18:47
@legoktm legoktm marked this pull request as ready for review September 28, 2023 18:49
@legoktm legoktm requested a review from a team as a code owner September 28, 2023 18:49
@legoktm
Copy link
Member Author

legoktm commented Sep 28, 2023

This is ready for review now, but same caveat that it depends on #6892 and #6948.

@cfm cfm self-assigned this Sep 29, 2023
@cfm cfm self-requested a review September 29, 2023 01:36
@cfm cfm mentioned this pull request Oct 2, 2023
Merged
3 tasks
cfm
cfm requested changes Oct 2, 2023
View reviewed changes
Copy link
Member

@cfm cfm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great, @legoktm. I've taken the liberty of being a little aggressive in my testing just to make sure we're hitting the code-paths you intend. :-)

I've left a couple of questions inline, but otherwise I'll be happy to approve and merge this once it's rebased from develop after #6892.

  • Start the dev server (make dev) and open a shell into the container, e.g. podman exec --user=root -it $(podman ps --filter name=securedrop --format '{{.ID}}') bash
  • Run alembic stamp 811334d7105f (ID of the migration before this one)
  • Run ./loaddata.py --gpg to add some GPG sources
  • Run select filesystem_id, pgp_fingerprint from sources; in SQLite to verify there are some sources without a fingerprint set in the database
  • My addition: Choose one of the new sources and smoke-test a round trip: source submits; journalist replies
  • Run alembic upgrade head, completes successfully. Then run the database query again to see that all fingerprints have been populated.
  • My addition, aggressive: gpg --homedir /var/lib/securedrop/keys --list-secret-keys, then gpg --homedir /var/lib/securedrop/keys --delete-secret-key each one
  • My addition: Choose the same source as before and smoke-test a round trip: source submits; journalist replies
  • Obligatory CI passes & visual review

securedrop/alembic/versions/17c559a7a685_pgp_public_keys.py Outdated Show resolved Hide resolved
securedrop/alembic/versions/17c559a7a685_pgp_public_keys.py Outdated Show resolved Hide resolved
@legoktm legoktm force-pushed the sequoia-migrate-public branch from 92fc742 to d2828d8 Compare October 3, 2023 01:55
@legoktm
Copy link
Member Author

legoktm commented Oct 3, 2023

Rebased and integrated is_valid_public_key() checks.

@legoktm legoktm force-pushed the sequoia-migrate-public branch from d2828d8 to a67c243 Compare October 3, 2023 01:57
@cfm
Copy link
Member

cfm commented Oct 3, 2023

Thanks for the discussion, @legoktm. I'm happy with this, and I'll merge as soon as #6948 is in and this is rebased with it.

legoktm added 2 commits October 4, 2023 12:54
@legoktm
Add --gpg to loaddata.py to create GPG-backed sources
deeb329 
New sources are created using Sequoia by default, but we need GPG-backed
sources to test the migration process. This function is mostly copied
from tests.utils.create_legacy_gpg_key.
@legoktm
Migrate public keys from GPG to database-backed storage
1964032 
Add an alembic migration that iterates over the GPG keyring, identifies
source keys, exports them from GPG and saves them into the database.

The main failure risks are the interactions with GPG. We already run
`gpg.list_keys()` on startup, so it's unlikely that's broken (and if it
is, we have bigger problems). So the main concern is exporting the key
might fail. The export operation is wrapped in a try/except and we
validate the exported key we get from GPG.

Notably, this does not increase our footprint of pretty_bad_protcol
usage as the two functions being used are already in use elsewhere in
SecureDrop.

Some higher-level design information is at
<#6946 (comment)>.

Fixes #6800.
@legoktm legoktm force-pushed the sequoia-migrate-public branch from a67c243 to 1964032 Compare October 4, 2023 17:10
@legoktm
Copy link
Member Author

legoktm commented Oct 4, 2023

Rebased + signed.

cfm
cfm approved these changes Oct 4, 2023
View reviewed changes
Copy link
Member

@cfm cfm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @legoktm! We've resolved all our discussions from #6946 (review), so I'll merge as soon as CI passes.

@cfm cfm merged commit fd11009 into develop Oct 4, 2023
@legoktm legoktm mentioned this pull request Oct 5, 2023
Merged
8 tasks
@legoktm legoktm deleted the sequoia-migrate-public branch January 9, 2025 22:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cfm cfm cfm approved these changes

Assignees

@cfm cfm

Labels
None yet
Projects
SecureDrop dev cycle
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

One-time migration of sources' public keys and fingerprints from gpg to database-backed storage
2 participants
@legoktm @cfm