Template consolidation via GUI updater

[conorsch]

Status

Ready for review

Description of Changes

Closes #471.

• Consolidations the SDW templates into two: sd-small-buster-template and sd-large-buster-template.
• Handles migration via GUI updater
• Updates tests throughout

Depends on multiple closely related PRs:

• Reorganizes mimetype declarations for template consolidation securedrop-builder#198
• Moves config to private volume securedrop-proxy#79
• Removes mimetype associations securedrop-export#65
• Remove mimetype associations from package securedrop-client#1160

Template consolidation test plan

The procedure for upgrading prod machines will be as follows:

1. Proactively contact pilot participants to notify about special case update.
2. Release all packages, both RPMs (for dom0) and debs (for SDW VMs), at same time.
3. When GUI updater appears, users should close it, open a dom0 terminal, and run sudo qubes-dom0-update -y. Doing so will obtain the latest GUI updater code.
4. Users should then double-click the SecureDrop desktop icon to rerun the new GUI updater, which will handle the consolidation steps as part of the upgrade.

Given the special case of requesting user action, we'll need to test both the "happy" path, where users follow our advice exactly, and the "sad" path, where special action is not taken.

See detailed test plan for the upcoming 0.5.0 release: https://github.com/freedomofpress/securedrop-workstation/wiki/0.5.0-Test-Plan Complete only the sections under Scenario: Template consolidation. The other scenarios we'll handle as part of QA, after merging this and related PRs.

QA

Writing a separate "QA" checklist because merging this and its related PR requires careful orchestration. Prior to merge of this PR, there are test-only commits marked "TEMPORARY" that should be removed. Doing so is required to use the "main" channel of the apt-test repository. Right now, packages are only present in the "template-consolidation" channel to facilitate testing.

The following PRs must be reviewed, then merged together:

• Moves config to private volume securedrop-proxy#79
• Reorganizes mimetype declarations for template consolidation securedrop-builder#198
• PR moving the built packages to apt-test main channel

Checklist

If you have made code changes

• Linter (make flake8) passes in the development environment (this box may
  be left unchecked, as flake8 also runs in CI)

If you have made changes to the provisioning logic

• All tests (make test) pass in dom0 of a Qubes install

• This PR adds/removes files, and includes required updates to the packaging
  logic in MANIFEST.in and rpm-build/SPECS/securedrop-workstation-dom0-config.spec

Switching a prod install to update from QA repositories

For testing purposes it may be necessary to modify a prod installation to use QA repos. The process of doing so is threefold:

• update /etc/apt/source.list.d/securedrop_workstation.list to use apt-test.freedom.press and add the testing key in all Debian-based SD templates
• update the repo definition in dom0 from yum.securedrop.org to yum-test.securedrop.org
• update /srv/salt/sd-default-config.yml to point the prod env definition at dev env variables.

To do so safely using Salt, as root:

• untar /home/user/securedrop-workstation/scripts/qa-switch.tar.gz in /srv/salt
• run bash /srv/salt/consolidation-qa-switch.sh

[conorsch]

Do we need to install redis in large template? Should only be required for receiver of logs.

[conorsch]

TODO: add mime handling to small & large templates, also to sd-gpg appvm

[zenmonkeykstop]

Test plan above working well, seeing expected result after updates. Couple of issues though:

• full install takes a while, throwing off the progress bar. This could be confusing to users, messaging or redoing progress bar would help
• first attempt hit a libxenlight failure creating sd-proxy. It's not immediately clear to me how a production user would recover from this, and it is more likely because of said full install (vs just template updates in usual scenario)
• two error seen in make test. The first is expected, the second not (and is mime-type related):

======================================================================
FAIL: test_log_dirs_properly_named (test_log_vm.SD_Log_Tests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/kog/securedrop-workstation/tests/test_log_vm.py", line 50, in test_log_dirs_properly_named
    self.assertFalse("host" in log_dirs)
AssertionError: True is not false

======================================================================
FAIL: test_mime_types (test_viewer.SD_Viewer_Tests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/kog/securedrop-workstation/tests/test_viewer.py", line 37, in test_mime_types
    self.assertEqual(actual_app, expected_app)
AssertionError: 'open-in-dvm.desktop' != 'org.gnome.gedit.desktop'
- open-in-dvm.desktop
+ org.gnome.gedit.desktop


----------------------------------------------------------------------

[conorsch]

Rebased to stay current with "main". To proceed with the securedrop-export changes, we'll need to review and merge freedomofpress/securedrop-apt-test#67, then use the template-consolidation channel to evaluate provisioning, upgrade, and config test coverage here.

After that, I plan to document the /tmp/-flag rationale in a detailed comment, and tell bandit not to worry about it.

[conorsch]

On latest revisions, still seeing two failing tests:

FAIL: test_mime_types (test_sd_devices.SD_Devices_Tests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/user/securedrop-workstation/tests/test_sd_devices.py", line 37, in test_mime_types
    self.assertEqual(actual_app, expected_app)
AssertionError: '' != 'open-in-dvm.desktop'
+ open-in-dvm.desktop

======================================================================
FAIL: test_mime_types (test_viewer.SD_Viewer_Tests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/user/securedrop-workstation/tests/test_viewer.py", line 37, in test_mime_types
    self.assertEqual(actual_app, expected_app)
AssertionError: 'vim.desktop' != 'org.gnome.gedit.desktop'
- vim.desktop
+ org.gnome.gedit.desktop


----------------------------------------------------------------------
Ran 78 tests in 225.856s

FAILED (failures=2)
Makefile:109: recipe for target 'test' failed
make: *** [test] Error 1

Those are surely related to the recent export changes in freedomofpress/securedrop-export#65, so let's investigate.

[emkll]

So far, testing has been successful in both the new install case and the upgrade case (in the dev environment):

• upgrade testing from main based on the test plan, with all tests passing
• provisioning from scratch on this branch, with all tests passing

I did notice however a minor deviation /usr/share/applications/mimeapps.list is present on the small template but not the large template. this is because 1. freedomofpress/securedrop-client#1160 is not yet merged and 2. https://github.com/freedomofpress/securedrop-dev-packages-lfs/tree/main/workstation/template-consolidation does not create a version of the package greater than 2.1 with these changes (ie removing mimeapps.list in the template in which securedrop-client is installed).

The presence of this file is helpful to ensure defense-in-depth against mime handling misconfiguration (defaulting to a safe, open-in-dvm option), but it may be best handled in securedrop-workstation-config package (or the salt logic) to ensure converge accross both templates

[conorsch]

Ran through the test plan for "Happy path" in https://github.com/freedomofpress/securedrop-workstation/wiki/0.5.0-Test-Plan. Everything worked smoothly. Included some minimal acceptance testing incluing login, reply, download, decrypt, and open-in-dvm. Full results:

---

• Complete a production workstation setup following the installation instructions.

• Start the SecureDrop Client and Verify that its version in the login dialog footer is 0.2.1

• As the primary test journalist user, submit a reply to a source via the client.

• in dom0:

  • update the Salt config to use QA repos using sudo bash ~/securedrop-workstation/scripts/qa-switch.sh
  • update the workstation config RPM via sudo qubes-dom0-update -y and verify that it is now the release candidate with dnf list securedrop-workstation-dom0-config
  • verify that the pre-consolidation templates are still in use via qvm-ls --tags sd-workstation
  • update the Salt config again, using sudo bash ~/securedrop-workstation/scripts/qa-switch.sh
  • remove the updater flag files, if they exist, with rm ~/.securedrop_launcher/sdw-{last_updated,update-status}

• Double-click the SecureDrop icon to start the updater, and run tail -f ~/securedrop_launcher/logs/launcher.log in dom0

• Verify that the installation completes successfully

  • Total wall time was 20m38s

• In dom0, run `qvm-ls --tags sd-workstation, and verify that:

  • the only TemplateVMs listed for AppVMs are sd-(large|small)-buster-template) and securedrop-workstation-buster.
  • sd-app, sd-log, sd-proxy, and sd-gpg are based on sd-small-buster-template
  • sd-devices and sd_viewer are based on sd-large-buster-template

• Perform a timed run of the updater via the dom0 command: time /opt/securedrop/launcher/sdw-launcher.py --skip-delta=0 and record the time here: 10m50s

[emkll]

Ran into some issues when running make dev (from scratch) locally on this branch, specifically with logging: only sd-whonix and securedrop-workstation-buster are receiving logs. The packages and apt configuration appea3er to be correctly configured, and rsyslog is running on the VMs, but the logs are not being stored (and did not see any errors in dom0 logs). By bumping the version in the rpmspec, the logging is now working when running make dev, and now all tests are passing

I propose we:

1. Update the rpmspec version/changelog
2. drop the temporary commits
3. consider removing the switch logic from this repository (or removing them from the production RPM, to minimize the likelihood of miconfiguration), requiring devs to manually shuttle the files to dom0 i think is fine, since they don't need regular updating
4. merge this PR and all associated packaging PRs, and run nightly tasks + add packages with no nightly builds to the main branch
5. Observe what happens to developers and follow up with fixes as required

EDIT: (In the original comment, I had not pulled latest changes) After pulling latest changes, i can confirm make dev is working as expected, and all tests are passing. This is good to merge once we remove the commits described above.

[conorsch]

Great, thanks for confirming @emkll! In standup today we agreed it's time to starting merging. @zenmonkeykstop is going to move the qa-switch material out of the RPM, then I'll drop the temporary commits—both here and in the related PRs—and promote to final "ready-for-review" status, so we can get approvals in.

[conorsch]

Removed temporary commits for final review. Preserved the utils/ subdir for the qa-switcher logic, since that's required for QA as described in https://github.com/freedomofpress/securedrop-workstation/wiki/0.5.0-Test-Plan Squashed some of fix-it commits together.

Ready for final review!

[emkll]

diff from the previous review looks good to me https://github.com/freedomofpress/securedrop-workstation/compare/3d16c1e..fc35345

With the associated packages changes merged in other repos, this should be good to merge

[emkll]

All nightlies/packages and changes required for this branch have been updated on apt-test https://apt-test.freedom.press/pool/main/

[emkll]

Changes to qa-switcher look good to me