Use Tor Browser for functional tests
stupid utility to create a test admin user fast

Working tbselenium tests for the most part.

fixes two typos in readme of tor based tests

Fixes directory path in README

Hardcoded onion addresses work

Test for tor browser asking high security in slider

Reads instance information from a json file

Uses clean variable name

Configure the sleep amount between clicks

Just tests admin/journalist login and cookies

Tests working once again.

Use firefox to login for downloads in selenium tests

Updates README

Matches with 0.6-rc2 functional tests

We are using TBB 7.5

We need more time and click to test logout

Fixes the assert statement

Updates based on current upstream

TB functional tests: Gitignore instance config

This prevents the accidental commit of private information.

TB functional tests: Merge tbselenium dir

Updates the ansible files for tbb

Updates to the Dockerfile for tbb

Updates as suggested in the PR review for ansible and dockerfile

Missing tor key

Removes duplicated 'when' line from app-test logic

The 'when' conditional detecting a grsec kernel, used for running the
paxctl commands on the TBB binary, was needlessly duplicated on the
relevant task. Fortunately that didn't cause breakage, because the
'when' lines were identical, but only one was active.

Updates functional test container image

Now installs Firefox 52 ESR, rather than Firefox 46, for use inside the
test container.

Includes changes to run-test shell script:

    TOR_FORCE_NET_CONFIG=0 is required to directly connect to Tor
    network, otherwise it will wait for user input to either connect
    or to configure

    The `run_xvfb` invocation is no longer necessary, since the test suite
    code bootstraps the headless server now.

Creates local test server inside the container

Bootstrapping the application services within the functional test suite.
Includes some cleanup, culling unused debugging code, and also cleans up
the various print statements.

Ignore functional test firefox logs (thanks, @msheiny!)

Adds retries for tor network connection failure, using the pre-existing
logic.

Uses nc rather than torsocks in functional tests

The version of torsocks in the Trusty repos isn't recent enough to
support custom ports. Rather than install from other sources, which
requires manual package verification (or configuring non-trusty repos,
which could break other packages), let's fall back to good ol' nc.

Creates proper orbot specific project to test

We need to create a new firefox profile to test the orbot specific
warning. This works both locally and over Tor.

Updates test_make_account_changes for Tor

Now we can safely execute the account changes in the tests running
on the Tor browser. The logic update makes sure to create a different
user for this test than any other test.

Reduces sleep durations in functional tests

We don't have to sleep for too long if we are running against
local instance. The ultimate goal remains to remove hardcoded sleeps
altogether, but we'll circle back and eliminate those calls once the
test suite is passing reliably.

Increases CircleCI timeout to 20m

The functional tests can take a long time, so let's instruct CircleCI to
continue waiting, to give the test suite a chance to finish
successfully.

Updates README for the functional tests

Mostly correcting a typo in the `instance_information.json` config
filename, but also updated some of the example commands. The notes
regarding potentially failing tests also seemed out of date, as several
members of the team have confirmed working functional tests under the
new TB Selenium logic recently.

Removes temporary testing related directories

We need to clean up any temporary test directory before running
any test, as the previous can create a bad state in the database.
For example, one of our pages-layout tests adds 123456 as hotp value
to the test account, and it will never be able to log in again.

Adds missing steps for pages-layout tests over tor

We can now generate thousands of random journalist names using
the generator. Only the first 3 names are used in the functional
tests, the rest are being used in the pages-layout.

We also added back _source_delete_key function for one of the tests.
The rest of the updates are to add sleep function calls or to have
better error messages.

Adds comment about the user generator and lint fixes

We have get_journalist_usernames generator which can generate
an unlimited number of users for many tests.

Moves around all driver creation functions into one place

We now have the functional/functional_test.py to handle all
driver creation logic. For the pages-layout tests, we are creating
only a Firefox driver to connect to the local container itself.

This logic does not work against any external server as of now.

Updates test user creation logic inside of container

Removing old method calls from user creation logic, this is only
used inside of the container for the functional testing.

Downloads data from server using requests over Tor

The test requirements now have requests[socks] as a dependency.
Using the same we are now directly downloading the files/messages
from the .onion address for functional tests.

The old external command file also got removed in this commit.

We are creating the gpg object for both container based local
testing and external testing (in functional tests).
Fixes: freedomofpress#3691 freedomofpress#3687

Removed xvfb, tor browser, and firefox installs from app-staging - functional tests now run remotely

fix to pass make ci-lint

Cleans up flake8 errors in functional tests

Resolves some lingering flake8 formatting violations that were causing
lint checks to fail. These changes are unrelated to the current PR, but
better late than never.

Written by @msheiny, committed by @conorsch during branch collab.

Signed-off-by: Conor Schaefer <[email protected]>

Adds --staging flag to create-dev-data.py for tests

We now have a --staging flag to the create-dev-data.py script so
that we can easily create a user in the staging or production test
and then use the functional tests to test the instance.

Add fact gatherer for extracting tor app onion details

This is really for functional testing in staging environments, but the
script doesn't hurt to be installed in prod. It doesn't elevate
permissions or expose any sensitive details - you need to run as root in
order to gain useful data.

Logic to dump app tor onion data to func config

This commit adds logic to the test runner so that a functional test json
config gets dumped for usage in the tbb selenium test tools against
staging.

Wire-up current app-test role to our upgrade scenario

Without this change, the upgrade scenario would utilize the app-test
logic from the old repo. Which is not what we want. This is of course
kind of "hacky". I welcome the opportunity to improve this with feedback
:)

Move tor fact logic from tor role --> app-test role

I'm not sure we are ready to shove this on prod instances AND I was
running into weird old/new role logic under the molecule scenario.
Ideally the fact should be in both roles but I dunno.. this seemed like
an easier short-term fix.

ansible spacing and tag nits

Testinfra: Update test dependencies for app-staging

In freedomofpress#3697, we removed the application testing pip dependencies.
This commit updates the testinfra test variables accordingly.

Fix linting failures

One of these was introduced in freedomofpress#3672, but not discovered due to
other CI failures (e.g. python not found when running the lint job)

Use absolute pathing in i18n testing

I'm hoping this shakes out some really weird test failures we were
seeing only under CircleCI only under the functional testing branch at a
certain point in time. Really wild behavior. *fingers crossed*

Set selenium webdriver test output to WARNING

Originally was on DEBUG and was sending out mountains of output into the
pytest process which made it difficult to assess anything.

(cherry picked from commit a1f0134)

removed duplicate entry in test requirements

Dockerfile: Update Tor Browser to 8.0

Docker development environment: Update Tor signing key

Dockerfile: Update geckodriver and firefox-esr

Swap x11vnc with tightvncserver

Basically installed this because it can be used with pyvirtualdisplay as
a backend AND because it brings in the Xvnc tooling which will start an
X11 server as well as a VNC server.

Wire-up VNC server and helper command for func tests

Had to remove x11 display logic inside test scaffolding (initially tried
to integrate it there but it kept building and destroying the VNC server
per test).

Made a VNC helper command with support for GNOME desktop and macOS (haven't
tested it on mac yet). Updated the docs.

Bump functional test sleep time

10 seconds is way too short.. 160 seconds.. maybe too long? Fingers
crossed I can work with the team to get the wait_for logic running

Add functionality to prepare boxes for functional testing

Typically these actions were done manually but let's get our good old
friend ansible to run them for us (at least under the upgrade env).

Added auth to VNC in test container, for OS X compatibility.

Bump TBB/ESR to 8.0.1 and 60.2.0esr combo

https://blog.torproject.org/new-release-tor-browser-801

Updated geckodriver to 0.22.0

added ini file to get around remote-viewer password prompt

Functional tests: xfail test_warning_appears_if_tor_browser_not_in_use

Due to defect freedomofpress#3793, when using Firefox Quantum, the incorrect message
is displayed on the source interface. This test will not pass until that
is resolved.

Functional tests: Fix firefox path

Testinfra: Fix test failure due to non-DRY variables files

staging.yml is a concatenation of multiple other variables files,
one was updated during rebase, one was not.

Testinfra: Update Flask version to 1.0.2

fixed VNC port being defined twice when running 'make dev'

Tests: Modify viewport size for parity between dev and CI env

In CI we are getting MoveTargetOutOfBoundsException, but not locally.
We have had errors in the past due to different viewport sizes in CI
and locally, so setting this to a standard size for the pages layout
tests (where the exception is occurring).

Functional tests: Resolve NoAlertPresentException

We were getting a NoAlertPresentException due to new behavior in
geckodriver [0] where interacting with the driver closes the modal.
Thus, we do not need to explicitly accept the modal here.

[0] mozilla/geckodriver#1171

Replaced parameterized time.sleep()s with self.waitfor()s

Stability fixes layout tests, added new functests from develop, updated TBB

fixed flaky page layout tests that were broken by long fr_FR strings causing UI elements to wrap.

fixed flake8, added explicit scroll to elements before click, stability fixes

Dockerfile: get key from Mozilla keyserver

For whatever reason, this Firefox signing key was not available on
the keyserver in the prior diff, but was available on Mozilla's
keyserver.

deps: Update requests due to CVE-2018-18074

functional tests: Add wait_for prior to clicking submit

functional tests: Remove sleeps and reduce flakiness around modal

functional tests: Remove sleeps around js alerts

functional tests: use sleep_time as default timeout

functional tests: Remove remainder of time.sleeps in source steps

Don't clobber existing custom logo

Minimal changes to remove external server testing functionality

Merge from develop
kushaldas authored and rmol committed Apr 22, 2019
1 parent 9bdf727 commit 2eb2fc2
Showing 38 changed files with 3,274 additions and 535 deletions.
1 change: 1 addition & 0 deletions .circleci/config.yml
Expand Up @@ -135,6 +135,7 @@ jobs:

- run:
name: Run tests
no_output_timeout: 20m
command: |
export TESTFILES=$(cd securedrop; circleci tests glob 'tests/test*py' 'tests/**/test*py' |circleci tests split --split-by=timings |xargs echo)
docker rm -f securedrop-test-xenial-py2 || true
6 changes: 6 additions & 0 deletions .gitignore
Expand Up @@ -8,6 +8,9 @@ install_files/ansible-base/group_vars/all/site-specific
# ignore securedrop-app-code wheelhouse archive
wheelhouse

# ignore the instance information JSON file to prevent commit of private info
securedrop/tests/functional/instance_information.json

# ignore the ATHS/THS hostname file ansible places
app-ssh-aths
app-document-aths # leave this here for historic reasons
Expand Down Expand Up @@ -156,3 +159,6 @@ raw-test-output/
#These files are used in CI/dev env for determining whether to rebuild docker
#images
*.checksum
#Functional test logs
securedrop/tests/functional/firefox.log
securedrop/geckodriver.log
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -26,7 +26,7 @@ install-mypy: ## pip install mypy in a dedicated python3 virtualenv
if [[ ! -d .python3/.venv ]] ; then \
virtualenv --python=python3 .python3/.venv && \
.python3/.venv/bin/pip3 install mypy ; \
fi
fi

.PHONY: typelint
typelint: install-mypy ## Runs type linting
24 changes: 12 additions & 12 deletions changelog.md
Expand Up @@ -11,7 +11,7 @@
### Operations

* Ensured WiFi related packages are not installed on Xenial on upgrade (#4163)
* Try harder to attach to a `tmux` session on upgrade (#4221)
* Try harder to attach to a `tmux` session on upgrade (#4221)
* Control locale during Ansible runs (#4252)

### Tails Environment
Expand Down Expand Up @@ -134,7 +134,7 @@

* Updated OSSEC to 3.0.0 and use GPG signatures for verifying sources (#3701)
* Update paramiko to 2.4.2 (#3861)
* Enforce use of the latest grsecurity-patched kernel on servers (#3842)
* Enforce use of the latest grsecurity-patched kernel on servers (#3842)

### Development

Expand Down Expand Up @@ -183,7 +183,7 @@ https://github.com/freedomofpress/securedrop/milestone/44

### Web Applications

* Adds a new supported language: Swedish (#3570)
* Adds a new supported language: Swedish (#3570)
* Replace PyCryptodome with pyca/cryptography (#3458)
* Add explanatory text to source interface screensaver (#3439, #3455)
* Rename "Delete collection" on journalist interface for clarity (#2419)
Expand Down Expand Up @@ -289,7 +289,7 @@ https://github.com/freedomofpress/securedrop/milestones/0.7.

* Add commands to check for and apply updates to the securedrop-admin CLI (#2976).

### Developer Workflow
### Developer Workflow

* Make the Docker-based development environment the default (#2902).
* Rebase branches prior to running CI jobs (#2934).
Expand Down Expand Up @@ -508,12 +508,12 @@ https://github.com/freedomofpress/securedrop/milestones/0.4.1.
The issues for this release were tracked in the 0.4 milestone on Github:
https://github.com/freedomofpress/securedrop/milestones/0.4.

This changelog shows major changes below. Please diff the tags to see the full list of changes.
This changelog shows major changes below. Please diff the tags to see the full list of changes.

### Deployment

* Enable optional HTTPS on the source interface (#1605).
* Standardize SecureDrop server installation on a single username (#1796).
* Standardize SecureDrop server installation on a single username (#1796).
* Add `securedrop-admin` script and update version of Ansible running in the workstation (#1146, #1885).
* Add validation of user-provided values during SecureDrop installation (#1663, #749, #1257).
* Removes `prod-specific.yml` configuration file (#1758).
Expand All @@ -526,10 +526,10 @@ This changelog shows major changes below. Please diff the tags to see the full l
### Developer Workflow

* Reconciles divergent master and develop branches (#1559).
* Increases unit test coverage to from 65% to 92%.
* Adds testinfra system configuration test suite (#1580).
* Increases unit test coverage to from 65% to 92%.
* Adds testinfra system configuration test suite (#1580).
* Removes unnecessary test wrappers (#1412).
* Major improvements to SecureDrop CI and testing flow including adding the staging environment to CI (#1067).
* Major improvements to SecureDrop CI and testing flow including adding the staging environment to CI (#1067).

### Web App: Source

Expand All @@ -546,10 +546,10 @@ This changelog shows major changes below. Please diff the tags to see the full l
* Adds minimum password length requirements for new journalist accounts (#980).
* Delete submissions that have had their sources deleted (#1188).
* Bugfix: Empty replies can no longer be sent to a source (#1715).
* Bugfix: Handle non hexadecimal digits for the 2FA secret (#1869).
* Bugfix: Handle non hexadecimal digits for the 2FA secret (#1869).
* Bugfix: Handle token reuse for the 2FA secret on /admin/2fa (#1687).
* Bugfix: Handle attempts to make duplicate user accounts (#1693).
* Bugfix: Fix confusing UI on message/reply icons (#1258).
* Bugfix: Handle attempts to make duplicate user accounts (#1693).
* Bugfix: Fix confusing UI on message/reply icons (#1258).

### Tails Environment

8 changes: 4 additions & 4 deletions docs/set_up_admin_tails.rst
Expand Up @@ -21,7 +21,7 @@ specific Tails session and click *Add*. And finally click *Start
Tails*.

.. note:: The *Administration password* is a one-time password. It
will reset every time you shut down Tails.
will reset every time you shut down Tails.

After Tails finishes booting, make sure you're connected to the Internet
|Network| and that the Tor status onion icon is not crossed out
Expand Down Expand Up @@ -51,7 +51,7 @@ Start by running the following commands to download the git repository.
git clone https://github.com/freedomofpress/securedrop.git
.. note:: Since the repository is fairly large and Tor can be slow,
this may take a few minutes.
this may take a few minutes.

.. caution:: Do not download SecureDrop Git repository as a Zip file,
or any other means. Only download by using the given git
Expand Down Expand Up @@ -151,8 +151,8 @@ To use the template:
on the encrypted persistent volume, this additional passphrase is not necessary.

.. warning:: You will not be able to access your passwords if you
forget the master password or the location of the key
file used to protect the database.
forget the master password or the location of the key
file used to protect the database.

In case you wish to manually create a database, the suggested password fields in
the admin template are:
12 changes: 5 additions & 7 deletions docs/upgrade/xenial_prep.rst
Expand Up @@ -51,7 +51,7 @@ from the command line on the *Application Server* by running the command:
SecureDrop servers are updated automatically with the latest release version
(0.12.1). Recently, some long-running SecureDrop instances were affected by a
(0.12.1). Recently, some long-running SecureDrop instances were affected by a
bug which will cause any updates after 0.10.0 to fail. If your instance is still
running 0.10.0, please `consult our advisory <https://securedrop.org/news/advisory-automatic-update-failure-version-0100-0110-some-securedrop-instances/>`_
to update to the latest version.
Expand Down Expand Up @@ -142,16 +142,14 @@ The output should include the following two lines:
gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"
Please verify that each character of the fingerprint above matches what is on
the screen of your workstation. If it does, you can check out the new release:
Please verify that each character of the fingerprint above matches what is on the screen of your workstation. If it does, you can check out the new release:

.. code:: sh
git checkout 0.12.1
git checkout 0.12.0
.. important:: If you see the warning ``refname ‘0.12.1’ is ambiguous`` in the
output, we recommend that you contact us immediately at [email protected]
(GPG encrypted).
.. important::
If you see the warning ``refname ‘0.12.0’ is ambiguous`` in the output, we recommend that you contact us immediately at [email protected] (GPG encrypted).

Finally, run the following commands:
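Review bot: The checkout command and the ambiguous-refname warning in this hunk now point at 0.12.0, while the paragraph in the first hunk of this file still states that servers are updated to the latest release version (0.12.1). This looks like a rebase or merge regression rather than an intended documentation change: an admin following these steps would verify the tag signature and then check out the older release. Suggest keeping `git checkout 0.12.1` and ``refname ‘0.12.1’ is ambiguous``, or dropping this file from the commit if only the line re-wrapping was intended.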

8 changes: 8 additions & 0 deletions install_files/ansible-base/roles/app-test/defaults/main.yml
Expand Up @@ -2,3 +2,11 @@
# Username for Apache service, used to set permissions on the
# Source Interface config to enable logging in the staging environment.
apache_user: www-data

# Specify TBB functional_test.json file defaults
tbb_sleep_time: 160
tbb_selenium_user: journalist
tbb_selenium_password: correct horse battery staple profanity oil chewy
tbb_selenium_secret: JHCOGO7VCER3EJ4L
test_sd_root_dir: "{{ lookup('pipe','git rev-parse --show-toplevel') }}"
tbb_funcfolder: "{{ test_sd_root_dir }}/securedrop/tests/functional/instance_information.json"
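Review bot: `tbb_selenium_password` and `tbb_selenium_secret` are committed as plain role defaults with nothing marking them as test-only values, and the comment above them names `functional_test.json` although `tbb_funcfolder` points at `instance_information.json`. Since these values are written into the config used to log in to the instance under test, add a comment that they are throwaway test credentials to be overridden for anything other than a disposable instance, and correct the filename in the comment. `tbb_funcfolder` also holds a file path rather than a folder, so a name such as `tbb_func_config_path` would read more clearly.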
44 changes: 44 additions & 0 deletions install_files/ansible-base/roles/app-test/files/tor_app.fact
@@ -0,0 +1,44 @@
#!/usr/bin/env python3
#
#
# Ansible local fact producer for tor onion details of app server
# to be chucked into /etc/ansible/facts.d/ with a .fact suffix

import json
import os

TOR_SVC_PATH = "/var/lib/tor/services/"
JOURNALIST_DIR = "journalist"
SOURCE_DIR = "source"


def extract_sd_onion_data(tor_path=TOR_SVC_PATH,
journalist_dir=JOURNALIST_DIR,
source_dir=SOURCE_DIR,
protocol="http"):

for interface in [journalist_dir, source_dir]:
hostname_file = os.path.join(TOR_SVC_PATH, interface, 'hostname')
try:
with open(hostname_file) as f:
tor_config = f.readline().rstrip().split()

onion_addr = "{p}://{a}".format(p=protocol, a=tor_config[0])
auth_token = tor_config[1]

# This must be a source interface because we dont see hidservauth info
except IndexError:
source_int = onion_addr
# One of the files doesn't exist :| Maybe tor setup hasnt run yet.
except IOError:
return dict()
else:
journalist_int = onion_addr

return dict(journalist_location=journalist_int,
source_location=source_int,
hidserv_token=auth_token)


if __name__ == '__main__':
print(json.dumps(extract_sd_onion_data()))
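Review bot: In `extract_sd_onion_data` the `tor_path` argument is never used; `os.path.join(TOR_SVC_PATH, interface, 'hostname')` always reads the module constant, so a caller cannot point the function at another directory. The `except IndexError` branch also assumes the only cause of an IndexError is a source hostname without an auth token: an empty hostname file fails at `tor_config[0]` before `onion_addr` is assigned for that interface, and a journalist hostname file with no token leaves `journalist_int` and `auth_token` unset, so the final `return dict(...)` raises a NameError instead of emitting a fact. Suggest using `tor_path` in the join, initialising the three result values to None before the loop, and assigning by interface name rather than by which exception fired.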
@@ -0,0 +1,38 @@
---

- name: Create ansible fact directory
file:
path: /etc/ansible/facts.d
recurse: yes
state: directory
owner: root
group: root

- name: Copy over tor application fact file
copy:
src: tor_app.fact
dest: /etc/ansible/facts.d/tor_app.fact
mode: 0755

- name: Refresh remote "local facts" for glory
setup:
filter: ansible_local

- name: Gather apptest facts to dict to prepare for output
set_fact:
_tbb_selenium_dict:
hidserv_token: "{{ ansible_local.tor_app.hidserv_token }}"
journalist_location: "{{ ansible_local.tor_app.journalist_location }}"
source_location: "{{ ansible_local.tor_app.source_location }}"
sleep_time: "{{ tbb_sleep_time }}"
user:
name: "{{ tbb_selenium_user }}"
password: "{{ tbb_selenium_password }}"
secret: "{{ tbb_selenium_secret }}"

- name: Dump facts to local json for in-take
copy:
content: "{{ _tbb_selenium_dict | to_nice_json }}"
dest: "{{ tbb_funcfolder }}"
become: no
delegate_to: localhost
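Review bot: The last task, "Dump facts to local json for in-take", writes the journalist password, TOTP secret and `hidserv_token` to `{{ tbb_funcfolder }}` without a `mode`, so the file's permissions depend on the controller's umask. Set `mode: "0600"` on that `copy`. Separately, `mode: 0755` on the fact file is an unquoted octal; quote it as `"0755"` and add `owner: root` and `group: root` so the executable placed in `/etc/ansible/facts.d` matches the directory created in the first task.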
6 changes: 6 additions & 0 deletions install_files/ansible-base/roles/app-test/tasks/main.yml
Expand Up @@ -5,3 +5,9 @@
- apache

- include: modern_gettext.yml
tags:
- modern_gettext

- import_tasks: extract_apptor_test_config.yml
tags:
- functional_test
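Review bot: `import_tasks: extract_apptor_test_config.yml` carries only a tag and no condition, so it runs on every untagged run of the app-test role. `tor_app.fact` returns an empty dict when a hostname file is missing, in which case `ansible_local.tor_app.hidserv_token` is undefined and the set_fact task in the imported file fails the play. Suggest guarding the set_fact and dump tasks in that file with `when: ansible_local.tor_app.journalist_location is defined`, or failing early with a clear message. The file also now mixes `include:` and `import_tasks:`; using one form consistently would make the tag behaviour easier to reason about.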
@@ -1,18 +1,18 @@
securedrop-app-code (0.13.0~rc1+trusty) trusty; urgency=medium

* See changelog.md
* See changelog.md

-- SecureDrop Team <[email protected]> Wed, 27 Feb 2019 11:01:15 +0000

securedrop-app-code (0.12.1+trusty) trusty; urgency=medium

* See changelog.md
* See changelog.md

-- SecureDrop Team <[email protected]> Wed, 20 Mar 2019 20:20:21 +0000

securedrop-app-code (0.12.0+trusty) trusty; urgency=medium

* See changelog.md
* See changelog.md

-- SecureDrop Team <[email protected]> Wed, 27 Feb 2019 00:36:47 +0000

@@ -1,18 +1,17 @@
securedrop-app-code (0.13.0~rc1+xenial) xenial; urgency=medium

* See changelog.md
* See changelog.md

-- SecureDrop Team <[email protected]> Wed, 27 Feb 2019 11:02:06 +0000

securedrop-app-code (0.12.1+xenial) xenial; urgency=medium

* See changelog.md
* See changelog.md

-- SecureDrop Team <[email protected]> Wed, 20 Mar 2019 20:20:40 +0000

securedrop-app-code (0.12.0+xenial) xenial; urgency=medium

* See changelog.md
* See changelog.md

-- SecureDrop Team <[email protected]> Wed, 27 Feb 2019 00:37:02 +0000

Expand Up @@ -48,3 +48,7 @@
search_regex: OpenSSH
state: started
become: no

- name: Refresh ansible local facts
setup:
filter: ansible_local
11 changes: 11 additions & 0 deletions molecule/upgrade/create.yml
Expand Up @@ -57,3 +57,14 @@
content: "{{ instance_conf | to_json | from_json | molecule_to_yaml | molecule_header }}"
dest: "{{ molecule_instance_config }}"
when: server.changed | bool

- name: Ensure roles dir in-place
file:
path: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/roles"
state: directory

- name: Over-ride stable apt-test role logic with one from current branch
file:
src: "{{ lookup('pipe', 'git rev-parse --show-toplevel') }}/install_files/ansible-base/roles/app-test"
dest: "{{ lookup('env', 'MOLECULE_EPHEMERAL_DIRECTORY') }}/roles/app-test"
state: link
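Review bot: The second task's name says "apt-test role" but its `src` and `dest` both refer to `app-test`; rename it so the molecule output matches what is actually being linked. Both this task and the role defaults depend on `lookup('pipe', 'git rev-parse --show-toplevel')`, which only resolves when the playbook is run from inside a git checkout, so a short comment stating that requirement would help anyone running the scenario from an exported tree.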
1 change: 0 additions & 1 deletion molecule/upgrade/playbook.yml
Expand Up @@ -85,7 +85,6 @@
tags: always
become: yes


- import_playbook: apt.yml
tags: apt
