Converts RPC sd-svs -> $tag:sd-client

Conor Schaefer · Conor Schaefer · commit 784076da56d2 · 2019-07-24T10:43:42.000-04:00
We use a tag rather than a hardcoded AppVM name to support flexibility
configuration. In the main, this is useful to developers, so that the
`sd-dev` AppVM can be tagged with `sd-client`, and thereby make calls as
though it were `sd-svs`. The Salt logic does not create `sd-dev`, it's
up to the developer to configure that machine.

Includes corresponding config test updates to validate the RPC policy
changes. There are no functional changes to sd-svs grants, merely the
possibility that other VMs can be manually granted similar capability.

Includes docs, recommending that developers add the new `sd-client` tag
to the dev VM manually, if working on the Client code.
diff --git a/README.md b/README.md
@@ -80,6 +80,14 @@ export SECUREDROP_DEV_DIR=/home/user/projects/securedrop-workstation    # set to
 make clone
 ```
 
+If you plan to work on the [SecureDrop Client](https://github.com/freedomofpress/securedrop-client) code, also run:
+
+```
+qvm-tags sd-dev add sd-client
+```
+
+Doing so will permit the `sd-dev` AppVM to make RPC calls with the same privileges as the `sd-svs` AppVM.
+
 **NOTE:** The destination directory on `dom0` is not customizable; it must be `securedrop-workstation` in your home directory.
 
 #### Building
diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls
@@ -33,7 +33,7 @@ dom0-rpc-qubes.Filecopy:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
-        sd-proxy sd-svs allow
+        sd-proxy $tag:sd-client allow
         $anyvm $tag:sd-workstation deny
 dom0-rpc-qubes.OpenInVM:
   file.blockreplace:
@@ -42,8 +42,8 @@ dom0-rpc-qubes.OpenInVM:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
-        sd-svs $dispvm:sd-svs-disp allow
-        sd-svs sd-export-usb allow
+        $tag:sd-client $dispvm:sd-svs-disp allow
+        $tag:sd-client sd-export-usb allow
         $anyvm $tag:sd-workstation deny
 dom0-rpc-qubes.OpenURL:
   file.blockreplace:
@@ -100,7 +100,7 @@ dom0-rpc-qubes.Gpg:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
-        sd-svs sd-gpg allow
+        $tag:sd-client sd-gpg allow
         $anyvm $tag:sd-workstation deny
 dom0-rpc-qubes.GpgImportKey:
   file.blockreplace:
@@ -109,5 +109,5 @@ dom0-rpc-qubes.GpgImportKey:
     - marker_start: "### BEGIN securedrop-workstation ###"
     - marker_end: "### END securedrop-workstation ###"
     - content: |
-        sd-svs sd-gpg allow
+        $tag:sd-client sd-gpg allow
         $anyvm $tag:sd-workstation deny
diff --git a/dom0/sd-svs.sls b/dom0/sd-svs.sls
@@ -33,6 +33,7 @@ sd-svs:
       - netvm: ""
     - tags:
       - add:
+        - sd-client
         - sd-workstation
     - features:
       - enable:
diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py
@@ -77,6 +77,7 @@ def test_sd_svs_config(self):
         self._check_kernel(vm)
         self._check_service_running(vm, "paxctld")
         self.assertTrue('sd-workstation' in vm.tags)
+        self.assertTrue('sd-client' in vm.tags)
 
     def test_sd_svs_disp_config(self):
         vm = self.app.domains["sd-svs-disp"]
diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml
@@ -13,7 +13,7 @@
 - policy: Filecopy
   starts_with: |-
     ### BEGIN securedrop-workstation ###
-    sd-proxy sd-svs allow
+    sd-proxy $tag:sd-client allow
     $anyvm $tag:sd-workstation deny
     ### END securedrop-workstation ###
 
@@ -49,14 +49,14 @@
 - policy: Gpg
   starts_with: |-
     ### BEGIN securedrop-workstation ###
-    sd-svs sd-gpg allow
+    $tag:sd-client sd-gpg allow
     $anyvm $tag:sd-workstation deny
     ### END securedrop-workstation ###
 
 - policy: GpgImportKey
   starts_with: |-
     ### BEGIN securedrop-workstation ###
-    sd-svs sd-gpg allow
+    $tag:sd-client sd-gpg allow
     $anyvm $tag:sd-workstation deny
     ### END securedrop-workstation ###
 
@@ -90,8 +90,8 @@
 - policy: OpenInVM
   starts_with: |-
     ### BEGIN securedrop-workstation ###
-    sd-svs $dispvm:sd-svs-disp allow
-    sd-svs sd-export-usb allow
+    $tag:sd-client $dispvm:sd-svs-disp allow
+    $tag:sd-client sd-export-usb allow
     $anyvm $tag:sd-workstation deny
     ### END securedrop-workstation ###
 
