forked from freedomofpress/securedrop
-
Notifications
You must be signed in to change notification settings - Fork 1
/
setup_ubuntu.sh
executable file
·157 lines (130 loc) · 5.89 KB
/
setup_ubuntu.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
#! /bin/bash
# stop setup script if any command fails
set -e
# uncomment to print debugging information
#set -x
#check platform and distro
opsys=`uname`
if [[ $opsys != 'Linux' ]]; then
echo "This setup script only works for Linux platforms. Exiting script."
exit 1
fi
distro=$(cat /etc/*-release | grep DISTRIB_ID | cut -d"=" -f 2)
if [[ $distro != "Ubuntu" && $distro != "Debian" ]]; then
echo "This setup script only works for Ubuntu/Debian systems. Exiting script."
exit 1
fi
# define colored output for some statements
bold=$(tput bold)
blue=$(tput setaf 4)
red=$(tput setaf 1)
normalcolor=$(tput sgr 0)
DEPENDENCIES='gnupg2 secure-delete haveged python-dev python-pip python-virtualenv mysql-server-5.5 libmysqlclient-dev'
# no password prompt to install mysql-server
mysql_root=$(head -c 20 /dev/urandom | python -c 'import sys, base64; print base64.b32encode(sys.stdin.read())')
mysql_securedrop=$(head -c 20 /dev/urandom | python -c 'import sys, base64; print base64.b32encode(sys.stdin.read())')
sudo debconf-set-selections <<EOF
mysql-server-5.5 mysql-server/root_password password $mysql_root
mysql-server-5.5 mysql-server/root_password_again password $mysql_root
EOF
echo "Welcome to the SecureDrop setup script for Debian/Ubuntu."
# Since this script lives in the top level of the securedrop repository, it is
# natural to expect that users will have cloned the repo, cd'ed into it, and
# are now running ./setup_ubuntu.sh. We will check that this is the case, and
# if so can skip some later steps.
if [[ -d ".git" && -n `grep "securedrop" .git/config` ]]; then
cd .. # run this script in the directory *containing* the securedrop git repo
else
echo "You are not running this script inside the Securedrop repo."
echo "Do you need to clone the SecureDrop repo? [Y/N]"
read gitans
if [[ $gitans = 'y' || $gitans = 'Y' ]]; then
echo "Type the path of where you would like to clone it, and then push ENTER."
read sdpath
cd $sdpath
echo "If you are cloning from your own fork, type your Github username and push ENTER. If not, leave it blank and push ENTER."
read gitusername
if [[ $gitusername != "" ]]; then
echo "Cloning the repo from "$gitusername "..."
git clone https://github.com/$gitusername/securedrop.git
else
echo "Cloning the repo..."
git clone https://github.com/freedomofpress/securedrop.git
fi
fi
fi
if [ ! -d "securedrop" ]; then
echo "Couldn't find the securedrop repo... exiting!"
exit 1
fi
echo "Installing dependencies: "$DEPENDENCIES
sudo apt-get -y install $DEPENDENCIES
echo "Setting up MySQL database..."
mysql -u root -p"$mysql_root" -e "create database securedrop; GRANT ALL PRIVILEGES ON securedrop.* TO 'securedrop'@'localhost' IDENTIFIED BY '$mysql_securedrop';"
# continue working in the application directory
cd securedrop/securedrop
echo "Setting up the virtual environment..."
virtualenv env
source env/bin/activate
pip install --upgrade distribute
pip install -r source-requirements.txt
pip install -r document-requirements.txt
echo "Setting up configurations..."
# set up the securedrop root directory
cp example_config.py config.py
securedrop_root=$(pwd)/.securedrop
sed -i "s@ SECUREDROP_ROOT='/tmp/securedrop'@ SECUREDROP_ROOT='$securedrop_root'@" config.py
mkdir -p $securedrop_root/{store,keys,tmp}
keypath=$securedrop_root/keys
# avoid the "unsafe permissions on GPG homedir" warning
chmod 700 $keypath
# generate and store random values required by config.py
secret_key=$(python -c 'import os; print os.urandom(32).__repr__().replace("\\","\\\\")')
bcrypt_id_salt=$(python -c 'import bcrypt; print bcrypt.gensalt()')
bcrypt_gpg_salt=$(python -c 'import bcrypt; print bcrypt.gensalt()')
sed -i "s@ SECRET_KEY.*@ SECRET_KEY=$secret_key@" config.py
sed -i "s@^BCRYPT_ID_SALT.*@BCRYPT_ID_SALT='$bcrypt_id_salt'@" config.py
sed -i "s@^BCRYPT_GPG_SALT.*@BCRYPT_GPG_SALT='$bcrypt_gpg_salt'@" config.py
# initialize development database
# config.py will use sqlite by default, but we've set up a mysql database as
# part of this installation so it is very easy to switch to it.
# Also, MySQL-Python won't install (which breaks this script) unless mysql is installed.
sed -i "s@^# DATABASE_PASSWORD.*@# DATABASE_PASSWORD=\'$mysql_securedrop\'@" config.py
echo "Creating database tables..."
python -c 'import db; db.create_tables()'
echo ""
echo "You will need a journalist key for development."
echo "Would you like to generate one or use the key included?"
echo "If you're not familiar with gpg2, you ought to import the key."
echo "$bold$blue Use these keys for development and testing only, NEVER production."
echo $normalcolor
echo "Type 'g' and push ENTER to generate, otherwise leave blank and push ENTER."
read genkey
if [[ $genkey != "" ]]; then
echo "Generating new key."
gpg2 --homedir $keypath --gen-key
else
echo "Importing key included in the repo."
gpg2 --homedir $keypath --import test_journalist_key.*
fi
# get journalist key fingerpint from gpg2, remove spaces, and put into config file
journalistkey=$(gpg2 --homedir $keypath --fingerprint | grep fingerprint | cut -d"=" -f 2 | sed 's/ //g' | head -n 1)
echo "Using journalist key with fingerprint $journalistkey"
sed -i "s@^JOURNALIST_KEY.*@JOURNALIST_KEY='$journalistkey'@" config.py
echo ""
echo "Running unit tests... these should all pass!"
set +e # turn this flag off so we can checks if the tests failed
python test.py
if [[ $? != 0 ]]; then
echo "$bold$red It looks like something went wrong in your dev setup."
echo "Feel free to open an issue on Github: https://github.com/freedomofpress/securedrop/issues/new"
echo $normalcolor
fi
echo $bold$blue
echo "And you're done!"
echo $normalcolor
echo "To make sure everything works, try running the app in the development environment:"
echo "cd securedrop"
echo ". env/bin/activate"
echo "python source.py"
echo "python journalist.py"