From 586629b557119b64aa37526537a84ddc640b88fb Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 9 Jun 2022 15:13:23 -0400 Subject: [PATCH 01/14] Have `dev` default to nightlies, use qa-switch for release candidates * `make dev` now defaults to installing nightlies, which restores the old behavior before the apt-test component split. * Running qa-switch will now configure templates to use the "main" component, which is where release candidates go. * Fix the list of templates that qa-switch modifies, so it actually works. Co-authored-by: Cory Francis Myers --- dom0/fpf-apt-repo.sls | 2 +- dom0/sd-default-config.yml | 2 ++ tests/test_vms_platform.py | 4 ++-- utils/qa-switch.sh | 2 +- utils/qa-switch/buster.sls | 2 +- utils/qa-switch/sd-qa-config.yml | 2 ++ 6 files changed, 9 insertions(+), 5 deletions(-) diff --git a/dom0/fpf-apt-repo.sls b/dom0/fpf-apt-repo.sls index 66e5bb43..82052cf4 100644 --- a/dom0/fpf-apt-repo.sls +++ b/dom0/fpf-apt-repo.sls @@ -39,7 +39,7 @@ install-python-apt-for-repo-config: configure-fpf-apt-repo: pkgrepo.managed: - - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} main" + - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} {{ sdvars.component }}" - file: /etc/apt/sources.list.d/securedrop_workstation.list - key_url: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}" - clean_file: True # squash file to ensure there are no duplicates diff --git a/dom0/sd-default-config.yml b/dom0/sd-default-config.yml index 779fbb19..0060ca52 100644 --- a/dom0/sd-default-config.yml +++ b/dom0/sd-default-config.yml 
@@ -4,8 +4,10 @@ prod: dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/f25" apt_repo_url: "https://apt.freedom.press" signing_key_filename: "securedrop-release-signing-pubkey-2021.asc" + component: "main" # Development variables, suited for use during local development dev: dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25" apt_repo_url: "https://apt-test.freedom.press" signing_key_filename: "apt-test-pubkey.asc" + component: "nightlies" diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py index cd8d51f2..f116d9b9 100644 --- a/tests/test_vms_platform.py +++ b/tests/test_vms_platform.py @@ -12,8 +12,8 @@ apt_url = "" -FPF_APT_SOURCES_STRETCH_DEV = "deb [arch=amd64] https://apt-test.freedom.press stretch main" -FPF_APT_SOURCES_BUSTER_DEV = "deb [arch=amd64] https://apt-test.freedom.press buster main" +FPF_APT_SOURCES_STRETCH_DEV = "deb [arch=amd64] https://apt-test.freedom.press stretch nightlies" +FPF_APT_SOURCES_BUSTER_DEV = "deb [arch=amd64] https://apt-test.freedom.press buster nightlies" FPF_APT_SOURCES_STRETCH = "deb [arch=amd64] https://apt.freedom.press stretch main" FPF_APT_SOURCES_BUSTER = "deb [arch=amd64] https://apt.freedom.press buster main" APT_SOURCES_FILE = "/etc/apt/sources.list.d/securedrop_workstation.list" diff --git a/utils/qa-switch.sh b/utils/qa-switch.sh index 45fc725a..7559b453 100644 --- a/utils/qa-switch.sh +++ b/utils/qa-switch.sh 
@@ -14,7 +14,7 @@ cd /srv/salt echo Updating dom0... qubesctl --show-output --targets dom0 state.apply qa-switch.dom0 -export template_list="sd-app-buster-template sd-devices-buster-template sd-log-buster-template sd-proxy-buster-template sd-viewer-buster-template securedrop-workstation-buster whonix-gw-16" +export template_list="sd-large-buster-template sd-small-buster-template securedrop-workstation-buster whonix-gw-16" echo Updating Debian-based templates: for t in $template_list; do echo Updating $t...; qubesctl --show-output --skip-dom0 --targets $t state.apply qa-switch.buster; done diff --git a/utils/qa-switch/buster.sls b/utils/qa-switch/buster.sls index 0b519004..715dfd12 100644 --- a/utils/qa-switch/buster.sls +++ b/utils/qa-switch/buster.sls @@ -1,6 +1,6 @@ remove-prod-apt-repo: pkgrepo.absent: - - name: "deb [arch=amd64] https://apt.freedom.press buster main" + - name: "deb [arch=amd64] https://apt.freedom.press buster nightlies" add-test-apt-repo: pkgrepo.managed: diff --git a/utils/qa-switch/sd-qa-config.yml b/utils/qa-switch/sd-qa-config.yml index 4afde585..27bed3ff 100644 --- a/utils/qa-switch/sd-qa-config.yml +++ b/utils/qa-switch/sd-qa-config.yml @@ -4,8 +4,10 @@ prod: dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25" apt_repo_url: "https://apt-test.freedom.press" signing_key_filename: "apt-test-pubkey.asc" + component: "main" # Development variables, suited for use during local development dev: dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25" apt_repo_url: "https://apt-test.freedom.press" signing_key_filename: "apt-test-pubkey.asc" + component: "main" From 5ca18f3eb9009acfa5e5aa8d5a0e571f0551af5e Mon Sep 17 00:00:00 2001 
From: Michael Z Date: Tue, 14 Jun 2022 19:37:02 -0400 Subject: [PATCH 02/14] Remove qa-switch It's a weird tool that we don't really use in our current strategy and would introduce unnecessary complexity if we want to keep compatibility with 4.0 and 4.1 at the same time as we have done so far. --- utils/qa-switch.sh | 29 --------------------- utils/qa-switch/buster.sls | 10 -------- utils/qa-switch/dom0.sls | 44 -------------------------------- utils/qa-switch/sd-qa-config.yml | 13 ---------- utils/qa-switch/top.sls | 33 ------------------------ 5 files changed, 129 deletions(-) delete mode 100644 utils/qa-switch.sh delete mode 100644 utils/qa-switch/buster.sls delete mode 100644 utils/qa-switch/dom0.sls delete mode 100644 utils/qa-switch/sd-qa-config.yml delete mode 100644 utils/qa-switch/top.sls diff --git a/utils/qa-switch.sh b/utils/qa-switch.sh deleted file mode 100644 index 7559b453..00000000 --- a/utils/qa-switch.sh +++ /dev/null @@ -1,29 +0,0 @@ -#!/usr/bin/bash - -# -# Updates securedrop templates and dom0 to use QA repos and -# template-consolidation component. -# -# - -if [[ $(id -u) -ne 0 ]] ; then echo "Please run as root" ; exit 1 ; fi - -cp -R `dirname "$0"`/qa-switch/ /srv/salt/ - -cd /srv/salt -echo Updating dom0... -qubesctl --show-output --targets dom0 state.apply qa-switch.dom0 - -export template_list="sd-large-buster-template sd-small-buster-template securedrop-workstation-buster whonix-gw-16" - -echo Updating Debian-based templates: -for t in $template_list; do echo Updating $t...; qubesctl --show-output --skip-dom0 --targets $t state.apply qa-switch.buster; done - -echo Replacing prod config YAML... - -if [ ! -f "/srv/salt/qa-switch/sd-default-config.yml.orig" ]; then - cp sd-default-config.yml qa-switch/sd-default-config.yml.orig -fi -cp qa-switch/sd-qa-config.yml sd-default-config.yml - -echo "Done! (Run this script after 'sudo qubes-dom0-update -y' to reapply)" 
diff --git a/utils/qa-switch/buster.sls b/utils/qa-switch/buster.sls deleted file mode 100644 index 715dfd12..00000000 --- a/utils/qa-switch/buster.sls +++ /dev/null @@ -1,10 +0,0 @@ -remove-prod-apt-repo: - pkgrepo.absent: - - name: "deb [arch=amd64] https://apt.freedom.press buster nightlies" - -add-test-apt-repo: - pkgrepo.managed: - - name: "deb [arch=amd64] https://apt-test.freedom.press buster main" - - file: /etc/apt/sources.list.d/securedrop_workstation.list - - key_url: "salt://sd/sd-workstation/apt-test-pubkey.asc" - - clean_file: True diff --git a/utils/qa-switch/dom0.sls b/utils/qa-switch/dom0.sls deleted file mode 100644 index 6b397267..00000000 --- a/utils/qa-switch/dom0.sls +++ /dev/null 
@@ -1,44 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: set syntax=yaml ts=2 sw=2 sts=2 et : - -## -# Installs dom0 config scripts specific to tracking updates -# over time. These scripts should be ported to an RPM package. -## - -dom0-rpm-test-key: - file.managed: - # We write the pubkey to the repos config location, because the repos - # config location is automatically sent to dom0's UpdateVM. Otherwise, - # we must place the GPG key inside the fedora TemplateVM, then - # restart sys-firewall. - - name: /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation - - source: "salt://sd/sd-workstation/apt-test-pubkey.asc" - - user: root - - group: root - - mode: 644 - -dom0-rpm-test-key-import: - cmd.run: - - name: sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation - - require: - - file: dom0-rpm-test-key - -dom0-workstation-rpm-repo: - # We use file.managed rather than pkgrepo.managed, because Qubes dom0 - # settings write new repos to /etc/yum.real.repos.d/, but only /etc/yum.repos.d/ - # is copied to the UpdateVM for fetching dom0 packages. - file.managed: - - name: /etc/yum.repos.d/securedrop-workstation-dom0.repo - - user: root - - group: root - - mode: 644 - - contents: | - [securedrop-workstation-dom0] - gpgcheck=1 - gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation - enabled=1 - baseurl=https://yum-test.securedrop.org/workstation/dom0/f25 - name=SecureDrop Workstation Qubes dom0 repo - - require: - - file: dom0-rpm-test-key diff --git a/utils/qa-switch/sd-qa-config.yml b/utils/qa-switch/sd-qa-config.yml deleted file mode 100644 index 27bed3ff..00000000 --- a/utils/qa-switch/sd-qa-config.yml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -# Production variables, for use with real-world installs -prod: - dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25" - apt_repo_url: "https://apt-test.freedom.press" - signing_key_filename: "apt-test-pubkey.asc" - component: "main" -# Development variables, suited for use during local development -dev: - dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25" - apt_repo_url: "https://apt-test.freedom.press" - signing_key_filename: "apt-test-pubkey.asc" - component: "main" diff --git a/utils/qa-switch/top.sls b/utils/qa-switch/top.sls deleted file mode 100644 index f09282d3..00000000 --- a/utils/qa-switch/top.sls +++ /dev/null @@ -1,33 +0,0 @@ -# -*- coding: utf-8 -*- -# vim: set syntax=yaml ts=2 sw=2 sts=2 et : - -base: - dom0: - - sd-dom0-switch - - sd-log-buster-template: - - sd-buster-switch - sd-devices-buster-template: - - sd-buster-switch - sd-gpg: - - sd-buster-switch - sd-proxy-buster-template: - - sd-buster-switch - sd-app: - - sd-buster-switch - sd-viewer-buster-template: - - sd-buster-switch - sd-app-buster-template: - - sd-buster-switch - sys-firewall: - - sd-buster-switch - sd-whonix: - - sd-buster-switch - securedrop-workstation-buster: - - sd-buster-switch - sys-usb: - - sd-buster-switch - whonix-gw-16: - - sd-buster-switch - sd-log: - - sd-buster-switch From 69b4a9e3cd6eebf86751c0563cdc0764d0db2179 Mon Sep 17 00:00:00 2001 From: Michael Z Date: Tue, 14 Jun 2022 19:38:34 -0400 Subject: [PATCH 03/14] Make environments use all the expected repositories * dev environment uses apt-test nightlies repo for Debian, and yum-test for dom0 * staging environment uses apt-test main repo for Debian, and yum-test for dom0 * prod environment uses apt main repo for Debian and yum for dom0 --- dom0/sd-default-config.sls | 19 +++++++++++++++++-- dom0/sd-default-config.yml | 13 +++++++------ 2 files changed, 24 insertions(+), 8 deletions(-) 
diff --git a/dom0/sd-default-config.sls b/dom0/sd-default-config.sls index 3af56ee3..c0109cd6 100644 --- a/dom0/sd-default-config.sls +++ b/dom0/sd-default-config.sls @@ -14,8 +14,23 @@ {% import_json "sd/config.json" as d %} # Respect "dev" env if provided, default to "prod" -{% if d.environment == "dev" or d.environment == "staging" %} - {% set sdvars = sdvars_defaults["dev"] %} +{% if d.environment == "dev" %} + # use apt-test and nightlies + {% set sdvars = sdvars_defaults["test"] %} + {% set _ = sdvars.update({"component": "nightlies"}) %} +{% elif d.environment == "staging" %} + # use apt-test and main (RC/test builds) + {% set sdvars = sdvars_defaults["test"] %} + {% set _ = sdvars.update({"component": "main"}) %} {% else %} {% set sdvars = sdvars_defaults["prod"] %} + {% set _ = sdvars.update({"component": "main"}) %} {% endif %} + +# Append repo URL with appropriate dom0 Fedora version +{% if grains['osrelease'] == '4.1' %} + {% set fedora_repo = "f32" %} +{% else %} + {% set fedora_repo = "f24" %} +{% endif %} +{% set _ = sdvars.update({"dom0_yum_repo_url": sdvars["dom0_yum_repo_url"] + fedora_repo}) %} diff --git a/dom0/sd-default-config.yml b/dom0/sd-default-config.yml index 0060ca52..b294fca3 100644 --- a/dom0/sd-default-config.yml +++ b/dom0/sd-default-config.yml 
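Review bot: The non-4.1 branch appends `f24` to `dom0_yum_repo_url`, while the URL this same commit removes from sd-default-config.yml ended in `f25`, so a 4.0 dom0 now points at a different yum path than before; if that is intended a comment should say why, otherwise the fallback should read `{% set fedora_repo = "f25" %}`. The comment `# Respect "dev" env if provided, default to "prod"` above the block is stale now that staging is a third case; suggest `# Select repo/key settings from d.environment: dev (apt-test nightlies), staging (apt-test main), anything else prod`. Note also that `sdvars_defaults["test"]` is aliased rather than copied, so the `.update()` calls mutate the imported defaults dict in place — harmless as long as every importer re-renders this file, but worth a one-line comment. Falling through to the prod repo and release signing key for any unrecognised environment value is the safe direction and could be stated explicitly in that comment.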
@@ -1,13 +1,14 @@ --- +# Both prod.dom0_yum_repo_url and test.dom0_yum_repo_url will be appended to with +# the respective Fedora release depending on Qubes OS version +# # Production variables, for use with real-world installs prod: - dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/f25" + dom0_yum_repo_url: "https://yum.securedrop.org/workstation/dom0/" apt_repo_url: "https://apt.freedom.press" signing_key_filename: "securedrop-release-signing-pubkey-2021.asc" - component: "main" -# Development variables, suited for use during local development -dev: - dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/f25" +# Staging and Dev variables, for QAing and local development +test: + dom0_yum_repo_url: "https://yum-test.securedrop.org/workstation/dom0/" apt_repo_url: "https://apt-test.freedom.press" signing_key_filename: "apt-test-pubkey.asc" - component: "nightlies" From a4a023250c5637ba98c6ef3b8b695154fd996617 Mon Sep 17 00:00:00 2001 From: Michael Z Date: Wed, 15 Jun 2022 13:01:05 -0400 Subject: [PATCH 04/14] Use bullseye template on 4.1 and buster template on 4.0 --- dom0/fpf-apt-repo.sls | 3 +++ dom0/sd-app-files.sls | 6 +++--- dom0/sd-app.sls | 16 +++++++++------ dom0/sd-default-config.sls | 8 +++++--- dom0/sd-devices.sls | 20 +++++++++++-------- dom0/sd-dom0-files.sls | 4 ++-- dom0/sd-gpg.sls | 7 +++++-- dom0/sd-log.sls | 10 +++++++--- dom0/sd-logging-setup.sls | 4 ++-- dom0/sd-proxy.sls | 9 ++++++--- dom0/sd-usb-autoattach-add.sls | 10 ++++++++++ dom0/sd-viewer.sls | 11 +++++++---- dom0/sd-whonix.sls | 5 ++++- dom0/sd-workstation-template.sls | 27 ++++++++++++++----------- dom0/sd-workstation.top | 19 ++++++++---------- scripts/provision-all | 5 ++++- scripts/sdw-admin.py | 7 ++++++- tests/test_dom0_config.py | 11 ++++++++--- tests/test_vms_exist.py | 34 ++++++++++++++++++-------------- tests/test_vms_platform.py | 25 +++++++++++++++-------- 20 files changed, 153 insertions(+), 88 deletions(-) 
diff --git a/dom0/fpf-apt-repo.sls b/dom0/fpf-apt-repo.sls index 82052cf4..bb32033e 100644 --- a/dom0/fpf-apt-repo.sls +++ b/dom0/fpf-apt-repo.sls @@ -13,6 +13,7 @@ # - update.qubes-vm # - sd-default-config +# Imports "sdvars" for environment config {% from 'sd-default-config.sls' import sdvars with context %} # Debian Buster was changed from 'stable' to 'oldstable' on 2021-08, @@ -39,6 +40,8 @@ install-python-apt-for-repo-config: configure-fpf-apt-repo: pkgrepo.managed: + # Can't reuse sdvars.distribution here because this queries grains from VMs + # rather than dom0 - name: "deb [arch=amd64] {{ sdvars.apt_repo_url }} {{ grains['oscodename'] }} {{ sdvars.component }}" - file: /etc/apt/sources.list.d/securedrop_workstation.list - key_url: "salt://sd/sd-workstation/{{ sdvars.signing_key_filename }}" diff --git a/dom0/sd-app-files.sls b/dom0/sd-app-files.sls index 408c07b7..e9bb8ea2 100644 --- a/dom0/sd-app-files.sls +++ b/dom0/sd-app-files.sls @@ -5,15 +5,15 @@ # sd-app-files # ======== # -# Moves files into place on sd-small-buster-template +# Moves files into place on sd-small-$sdvars.distribution-template # ## include: - fpf-apt-repo - sd-logging-setup -# FPF repo is setup in "securedrop-workstation-buster" template, -# and then cloned as "sd-small-buster-template" +# FPF repo is setup in "securedrop-workstation-$sdvars.distribution" template, +# and then cloned as "sd-small-$sdvars.distribution-template" install-securedrop-client-package: pkg.installed: - pkgs: diff --git a/dom0/sd-app.sls b/dom0/sd-app.sls index e40179d1..1a412604 100644 --- a/dom0/sd-app.sls +++ b/dom0/sd-app.sls @@ -5,6 +5,10 @@ # Installs 'sd-app' AppVM, to persistently store SD data # This VM has no network configured. ## + +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates 
@@ -15,7 +19,7 @@ sd-app: - present: - label: yellow - prefs: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - netvm: "" - tags: - add: @@ -25,7 +29,7 @@ sd-app: - enable: - service.paxctld - require: - - qvm: sd-small-buster-template + - qvm: sd-small-{{ sdvars.distribution }}-template {% import_json "sd/config.json" as d %} @@ -42,9 +46,9 @@ sd-app-private-volume-size: sd-app-template-sync-appmenus: cmd.run: - name: > - qvm-start --skip-if-running sd-small-buster-template && - qvm-sync-appmenus sd-small-buster-template + qvm-start --skip-if-running sd-small-{{ sdvars.distribution }}-template && + qvm-sync-appmenus sd-small-{{ sdvars.distribution }}-template - require: - - qvm: sd-small-buster-template + - qvm: sd-small-{{ sdvars.distribution }}-template - onchanges: - - qvm: sd-small-buster-template + - qvm: sd-small-{{ sdvars.distribution }}-template diff --git a/dom0/sd-default-config.sls b/dom0/sd-default-config.sls index c0109cd6..9a758d90 100644 --- a/dom0/sd-default-config.sls +++ b/dom0/sd-default-config.sls 
@@ -17,20 +17,22 @@ {% if d.environment == "dev" %} # use apt-test and nightlies {% set sdvars = sdvars_defaults["test"] %} - {% set _ = sdvars.update({"component": "nightlies"}) %} + {% set _ = sdvars.update({"component": "nightlies"}) %} {% elif d.environment == "staging" %} # use apt-test and main (RC/test builds) {% set sdvars = sdvars_defaults["test"] %} - {% set _ = sdvars.update({"component": "main"}) %} + {% set _ = sdvars.update({"component": "main"}) %} {% else %} {% set sdvars = sdvars_defaults["prod"] %} - {% set _ = sdvars.update({"component": "main"}) %} + {% set _ = sdvars.update({"component": "main"}) %} {% endif %} # Append repo URL with appropriate dom0 Fedora version {% if grains['osrelease'] == '4.1' %} {% set fedora_repo = "f32" %} + {% set _ = sdvars.update({"distribution": "bullseye"}) %} {% else %} {% set fedora_repo = "f24" %} + {% set _ = sdvars.update({"distribution": "buster"}) %} {% endif %} {% set _ = sdvars.update({"dom0_yum_repo_url": sdvars["dom0_yum_repo_url"] + fedora_repo}) %} diff --git a/dom0/sd-devices.sls b/dom0/sd-devices.sls index 24183252..945b21c0 100644 --- a/dom0/sd-devices.sls +++ b/dom0/sd-devices.sls @@ -5,6 +5,10 @@ # Installs 'sd-devices' AppVM, to persistently store SD data # This VM has no network configured. ## + +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates 
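Review bot: The `else` branch of the osrelease check maps every release other than `'4.1'` to `f24`/`buster`, so an unexpected or future `grains['osrelease']` silently provisions the oldest template and repo instead of failing the render. Suggest making 4.0 explicit with `{% elif grains['osrelease'] == '4.0' %}` for the buster/f24 settings, followed by `{% else %}{{ raise("unsupported Qubes release: " ~ grains['osrelease']) }}{% endif %}`. The same open-ended fallback appears in the `DEBIAN_VERSION` detection added to scripts/sdw-admin.py, tests/test_dom0_config.py and tests/test_vms_exist.py in this commit, where anything not containing `R4.0` is treated as bullseye.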
@@ -13,33 +17,33 @@ sd-devices-dvm: qvm.vm: - name: sd-devices-dvm - present: - - template: sd-large-buster-template + - template: sd-large-{{ sdvars.distribution }}-template - label: red - prefs: - - template: sd-large-buster-template + - template: sd-large-{{ sdvars.distribution }}-template - netvm: "" - template_for_dispvms: True - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - features: - enable: - service.paxctld - require: - - qvm: sd-large-buster-template + - qvm: sd-large-{{ sdvars.distribution }}-template # Ensure the Qubes menu is populated with relevant app entries, # so that Nautilus/Files can be started via GUI interactions. sd-devices-template-sync-appmenus: cmd.run: - name: > - qvm-start --skip-if-running sd-large-buster-template && - qvm-sync-appmenus sd-large-buster-template + qvm-start --skip-if-running sd-large-{{ sdvars.distribution }}-template && + qvm-sync-appmenus sd-large-{{ sdvars.distribution }}-template - require: - - qvm: sd-large-buster-template + - qvm: sd-large-{{ sdvars.distribution }}-template - onchanges: - - qvm: sd-large-buster-template + - qvm: sd-large-{{ sdvars.distribution }}-template sd-devices-create-named-dispvm: qvm.vm: diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls index 9031e424..83eec636 100644 --- a/dom0/sd-dom0-files.sls +++ b/dom0/sd-dom0-files.sls @@ -78,11 +78,11 @@ dom0-install-securedrop-workstation-template: {% if grains['osrelease'] == '4.1' %} cmd.run: - name: > - qvm-template install securedrop-workstation-buster + qvm-template install securedrop-workstation-{{ sdvars.distribution }} {% else %} pkg.installed: - pkgs: - - qubes-template-securedrop-workstation-buster + - qubes-template-securedrop-workstation-{{ sdvars.distribution }} {% endif %} - require: - file: dom0-workstation-rpm-repo diff --git a/dom0/sd-gpg.sls b/dom0/sd-gpg.sls index 41706c65..9ef086c3 100644 --- a/dom0/sd-gpg.sls +++ b/dom0/sd-gpg.sls 
@@ -9,6 +9,9 @@ # This VM has no network configured. ## +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates @@ -17,10 +20,10 @@ sd-gpg: qvm.vm: - name: sd-gpg - present: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - label: purple - prefs: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - netvm: "" - autostart: true - tags: diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls index cc0bf664..97b593f2 100644 --- a/dom0/sd-log.sls +++ b/dom0/sd-log.sls @@ -6,6 +6,10 @@ # from all SecureDrop related VMs. # This VM has no network configured. ## + +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates @@ -14,10 +18,10 @@ sd-log: qvm.vm: - name: sd-log - present: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - label: red - prefs: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - netvm: "" - autostart: true - tags: @@ -29,7 +33,7 @@ sd-log: - service.redis - service.securedrop-log - require: - - qvm: sd-small-buster-template + - qvm: sd-small-{{ sdvars.distribution }}-template {% if grains['osrelease'] == '4.0' %} # Allow any SecureDrop VM to log to the centralized log VM diff --git a/dom0/sd-logging-setup.sls b/dom0/sd-logging-setup.sls index 274b3f24..5d157f98 100644 --- a/dom0/sd-logging-setup.sls +++ b/dom0/sd-logging-setup.sls 
@@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : -{% if grains['id'] in ["securedrop-workstation-buster", "sd-small-buster-template", "sd-large-buster-template"] %} +{% if grains['id'] in ["securedrop-workstation-{}".format(grains['oscodename']), "sd-small-{}-template".format(grains['oscodename']), "sd-large-{}-template".format(grains['oscodename'])] %} include: - fpf-apt-repo @@ -21,7 +21,7 @@ configure-rsyslog-for-sd: {% endif %} -{% if grains['id'] == "sd-small-buster-template" %} +{% if grains['id'] == "sd-small-{}-template".format(grains['oscodename']) %} install-redis-for-sd-log-template: pkg.installed: - pkgs: diff --git a/dom0/sd-proxy.sls b/dom0/sd-proxy.sls index 9e50c4d7..7636f4d4 100644 --- a/dom0/sd-proxy.sls +++ b/dom0/sd-proxy.sls @@ -6,6 +6,9 @@ # and the SecureDrop servers. ## +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-whonix - sd-upgrade-templates @@ -16,16 +19,16 @@ sd-proxy: - present: - label: blue - prefs: - - template: sd-small-buster-template + - template: sd-small-{{ sdvars.distribution }}-template - netvm: sd-whonix - autostart: true - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - require: - qvm: sd-whonix - - qvm: sd-small-buster-template + - qvm: sd-small-{{ sdvars.distribution }}-template # Permit the SecureDrop Proxy to manage Client connections sd-proxy-dom0-securedrop.Proxy: diff --git a/dom0/sd-usb-autoattach-add.sls b/dom0/sd-usb-autoattach-add.sls index 86e4a861..4c4632b4 100644 --- a/dom0/sd-usb-autoattach-add.sls +++ b/dom0/sd-usb-autoattach-add.sls 
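Review bot: The new membership test repeats `.format(grains['oscodename'])` three times on one line, and the second hunk repeats it a fourth time; binding the codename once keeps both checks in step and makes the line readable. For example `{% set codename = grains['oscodename'] %}` near the top, then `{% if grains['id'] in ["securedrop-workstation-" ~ codename, "sd-small-" ~ codename ~ "-template", "sd-large-" ~ codename ~ "-template"] %}` and `{% if grains['id'] == "sd-small-" ~ codename ~ "-template" %}`. Keying on the VM's own codename grain rather than `sdvars.distribution` is the right choice here, for the reason given in the fpf-apt-repo.sls comment in this commit; a short comment saying so would save the next reader from "fixing" it.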
@@ -6,6 +6,15 @@ # USB devices to sd-devices. ## +# If sys-usb is disposable, we have already set up sd-fedora-dvm to make our +# modifications in, so we only want to modify sys-usb if it is a regular AppVM + +{% set apply = True %} +{% if grains['id'] == 'sys-usb' and salt['pillar.get']('qvm:sys-usb:disposable', true) %} + {% set apply = False %} +{% endif %} + +{% if apply %} sd-udev-rules: file.managed: - name: /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules @@ -39,3 +48,4 @@ sd-attach-export-device: - user: root - group: root - mode: 0555 +{% endif %} diff --git a/dom0/sd-viewer.sls b/dom0/sd-viewer.sls index 414422c9..d28e157d 100644 --- a/dom0/sd-viewer.sls +++ b/dom0/sd-viewer.sls @@ -11,6 +11,9 @@ # This VM has no network configured. ## +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-workstation-template - sd-upgrade-templates @@ -19,10 +22,10 @@ sd-viewer: qvm.vm: - name: sd-viewer - present: - - template: sd-large-buster-template + - template: sd-large-{{ sdvars.distribution }}-template - label: green - prefs: - - template: sd-large-buster-template + - template: sd-large-{{ sdvars.distribution }}-template - netvm: "" - template_for_dispvms: True - default_dispvm: "" @@ -30,12 +33,12 @@ sd-viewer: - add: - sd-workstation - sd-viewer-vm - - sd-buster + - sd-{{ sdvars.distribution }} - features: - enable: - service.paxctld - require: - - qvm: sd-large-buster-template + - qvm: sd-large-{{ sdvars.distribution }}-template sd-viewer-default-dispvm: cmd.run: diff --git a/dom0/sd-whonix.sls b/dom0/sd-whonix.sls index 8c788ff2..9f9c09aa 100644 --- a/dom0/sd-whonix.sls +++ b/dom0/sd-whonix.sls @@ -11,6 +11,9 @@ # ## +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-upgrade-templates 
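Review bot: The new `apply` guard keeps only the disposable-pillar half of the condition the removed top-file entry had and drops the `grains['osrelease'] == '4.1'` half; with the pillar defaulting to `true`, a 4.0 install that leaves `qvm:sys-usb:disposable` unset now skips sys-usb, and the removed top-file comment says sd-fedora-dvm is only created on 4.1, so neither target would receive sd-udev-rules or sd-attach-export-device. If 4.0 is meant to keep modifying sys-usb, the decision has to take the Qubes release into account again — but this state appears to render on the target VM (it tests `grains['id'] == 'sys-usb'`), where `grains['osrelease']` is the VM's release rather than dom0's, the same caveat the fpf-apt-repo.sls comment in this commit raises, so the release-dependent choice probably belongs in pillar or back in the top file, where `'sd-fedora-dvm,sys-usb'` with `- match: list` now targets both unconditionally. At minimum the comment above `{% set apply = True %}` should state which release/pillar combinations are expected to reach sys-usb. The `{% endif %}` in the second hunk closes the guard at end of file, so the entire state is gated.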
@@ -29,6 +32,6 @@ sd-whonix: - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - require: - sls: sd-upgrade-templates diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls index 9cb3e25b..4d8c28ae 100644 --- a/dom0/sd-workstation-template.sls +++ b/dom0/sd-workstation-template.sls @@ -1,20 +1,23 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : +# Imports "sdvars" for environment config +{% from 'sd-default-config.sls' import sdvars with context %} + include: - sd-dom0-files # Sets virt_mode and kernel to use custom hardened kernel. sd-workstation-template: qvm.vm: - - name: securedrop-workstation-buster + - name: securedrop-workstation-{{ sdvars.distribution }} - prefs: - virt-mode: hvm - kernel: '' - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - sd-workstation-updates - features: - enable: 
@@ -27,34 +30,34 @@ sd-workstation-template: {% endif %} # Installs consolidated templateVMs: -# - sd-small-buster-template, to be used for +# - sd-small-{{ sdvars.distribution }}-template, to be used for # sd-app, sd-gpg, sd-log, and sd-proxy -# - sd-large-buster-template, to be used for +# - sd-large-{{ sdvars.distribution }}-template, to be used for # sd-export and sd-viewer -sd-small-buster-template: +sd-small-{{ sdvars.distribution }}-template: qvm.vm: - - name: sd-small-buster-template + - name: sd-small-{{ sdvars.distribution }}-template - clone: - - source: securedrop-workstation-buster + - source: securedrop-workstation-{{ sdvars.distribution }} - label: red - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - sd-workstation-updates - require: - qvm: sd-workstation-template -sd-large-buster-template: +sd-large-{{ sdvars.distribution }}-template: qvm.vm: - - name: sd-large-buster-template + - name: sd-large-{{ sdvars.distribution }}-template - clone: - - source: securedrop-workstation-buster + - source: securedrop-workstation-{{ sdvars.distribution }} - label: red - tags: - add: - sd-workstation - - sd-buster + - sd-{{ sdvars.distribution }} - sd-workstation-updates - require: - qvm: sd-workstation-template diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top index b933ace3..bbf41eb2 100644 --- a/dom0/sd-workstation.top +++ b/dom0/sd-workstation.top @@ -20,12 +20,14 @@ base: - sd-whonix - sd-remove-unused-templates - sd-small-buster-template: + '^sd-small-(buster|bullseye)-template$': + - match: pcre - sd-logging-setup - sd-workstation-template-files - sd-app-files - sd-proxy-template-files - sd-large-buster-template: + '^sd-large-(buster|bullseye)-template$': + - match: pcre - sd-logging-setup - sd-workstation-template-files - sd-devices-files 
@@ -38,17 +40,12 @@ base: - sd-mime-handling sd-whonix: - sd-whonix-hidserv-key - securedrop-workstation-buster: + '^securedrop-workstation-(buster|bullseye)$': + - match: pcre - sd-workstation-template-files - sd-logging-setup -# Depending on whether sys-usb is disposable or not, we want to -# modify different qubes. If sd-fedora-dvm will only be -# created by sd-sys-vms.sls if sys-usb is disposable. -{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %} - sd-fedora-dvm: -{% else %} - sys-usb: -{% endif %} + 'sd-fedora-dvm,sys-usb': + - match: list - sd-usb-autoattach-add sd-log: - sd-logging-setup diff --git a/scripts/provision-all b/scripts/provision-all index f4816ac5..01885504 100755 --- a/scripts/provision-all +++ b/scripts/provision-all @@ -17,7 +17,10 @@ echo "Set up dom0 config files, including RPC policies, and create VMs" sudo qubesctl --show-output state.highstate echo "Set up logging VMs early" -sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-buster-template state.highstate +grep -q "R4.1" /etc/qubes-release && \ + sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-bullseye-template state.highstate || \ + sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-buster-template state.highstate + # Reboot sd-log so it's ready to receive logs from other VMs about to be configured qvm-shutdown --wait sd-log && qvm-start sd-log diff --git a/scripts/sdw-admin.py b/scripts/sdw-admin.py index 9c8c3953..5537335f 100755 --- a/scripts/sdw-admin.py +++ b/scripts/sdw-admin.py @@ -15,6 +15,11 @@ sys.path.insert(1, os.path.join(SCRIPTS_PATH, "scripts/")) from validate_config import SDWConfigValidator, ValidationError # noqa: E402 +DEBIAN_VERSION = "bullseye" +with open("/etc/qubes-release") as qubes_release: + if "R4.0" in qubes_release.read(): + DEBIAN_VERSION = "buster" + def parse_args(): parser = argparse.ArgumentParser() 
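Review bot: `grep -q ... && A || B` is not an if/else: when the bullseye highstate in the `&&` arm fails, the `||` arm then runs the buster highstate on top of it, and the first failure is hidden unless the second command also fails. An explicit `if` runs exactly one target per release and preserves the exit status of whichever highstate ran. Whether the script uses `set -e` or other error handling is outside the hunk.
```shell
if grep -q "R4.1" /etc/qubes-release; then
    sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-bullseye-template state.highstate
else
    sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-buster-template state.highstate
fi
# … unchanged: sd-log restart and the rest of the script …
```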
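Review bot: `DEBIAN_VERSION` is computed by opening /etc/qubes-release at import time, and the identical four-line block is pasted into tests/test_dom0_config.py and tests/test_vms_exist.py in this commit; importing any of the three modules on a host without that file now raises `FileNotFoundError` before argument parsing or test collection runs. Suggest one helper, e.g. `def debian_version() -> str:` that returns `"buster"` when the release file contains `R4.0` and `"bullseye"` otherwise, shared by the three modules (validate_config is already reached through `sys.path` here; whether the tests set up the same path is outside the hunk). Any release string other than `R4.0` selects bullseye, mirroring the `else` fallback in sd-default-config.sls; checking for `R4.1` explicitly and raising for anything else would surface an unexpected release instead of silently choosing the newer template.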
@@ -116,7 +121,7 @@ def perform_uninstall(keep_template_rpm=False): print("Reverting dom0 configuration") subprocess.check_call(["sudo", "qubesctl", "state.sls", "sd-clean-all"]) subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/clean-salt")]) - if not keep_template_rpm: + if not keep_template_rpm and DEBIAN_VERSION == "buster": print("Uninstalling Template") subprocess.check_call( [ diff --git a/tests/test_dom0_config.py b/tests/test_dom0_config.py index de42f553..562f3300 100644 --- a/tests/test_dom0_config.py +++ b/tests/test_dom0_config.py @@ -17,12 +17,17 @@ "sd-log-buster-template", ] +DEBIAN_VERSION = "bullseye" +with open("/etc/qubes-release") as qubes_release: + if "R4.0" in qubes_release.read(): + DEBIAN_VERSION = "buster" + VMS_TO_UPDATE = [ - "sd-large-buster-template", - "sd-small-buster-template", + "sd-large-{}-template".format(DEBIAN_VERSION), + "sd-small-{}-template".format(DEBIAN_VERSION), "whonix-ws-16", "whonix-gw-16", - "securedrop-workstation-buster", + "securedrop-workstation-{}".format(DEBIAN_VERSION), ] diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py index 3911cb62..90cc4999 100644 --- a/tests/test_vms_exist.py +++ b/tests/test_vms_exist.py @@ -7,6 +7,11 @@ EXPECTED_KERNEL_VERSION = "4.14.241-grsec-workstation" +DEBIAN_VERSION = "bullseye" +with open("/etc/qubes-release") as qubes_release: + if "R4.0" in qubes_release.read(): + DEBIAN_VERSION = "buster" + class SD_VM_Tests(unittest.TestCase): def setUp(self): @@ -40,9 +45,8 @@ def _check_kernel(self, vm): # kernel module anymore # This portion of the test assumes that 4.1 is always used with templates that use # repositories for 4.1 (in our case, bullseye based templates) - with open("/etc/qubes-release") as qubes_release: - if "R4.1" in qubes_release.read(): - return + if DEBIAN_VERSION == "bullseye": + return u2mfn_filepath = "/usr/lib/modules/{}/updates/dkms/u2mfn.ko".format(EXPECTED_KERNEL_VERSION) # cmd will raise exception if file not found 
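Review bot: With `and DEBIAN_VERSION == "buster"` added to the condition, an uninstall on 4.1 never removes the `securedrop-workstation-bullseye` template regardless of `keep_template_rpm`, and nothing in the hunk says this is intended. The template is installed with `qvm-template install` in sd-dom0-files.sls in this commit, so the uninstall path presumably needs a matching 4.1 branch that removes it (`qvm-template remove`), or a comment such as `# On 4.1 the template is managed by qvm-template and is left in place here` if leaving it is deliberate; otherwise a "clean" uninstall leaves behind a template that, in a dev/staging install, still carries the apt-test sources configured for it. `perform_uninstall` starts and ends outside the hunk.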
@@ -76,7 +80,7 @@ def test_sd_proxy_config(self): vm = self.app.domains["sd-proxy"] nvm = vm.netvm self.assertTrue(nvm.name == "sd-whonix") - self.assertTrue(vm.template == "sd-small-buster-template") + self.assertTrue(vm.template == "sd-small-{}-template".format(DEBIAN_VERSION)) self.assertTrue(vm.autostart is True) self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) @@ -86,7 +90,7 @@ def test_sd_app_config(self): vm = self.app.domains["sd-app"] nvm = vm.netvm self.assertTrue(nvm is None) - self.assertTrue(vm.template == "sd-small-buster-template") + self.assertTrue(vm.template == "sd-small-{}-template".format(DEBIAN_VERSION)) self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) self._check_kernel(vm) @@ -104,7 +108,7 @@ def test_sd_viewer_config(self): vm = self.app.domains["sd-viewer"] nvm = vm.netvm self.assertTrue(nvm is None) - self.assertTrue(vm.template == "sd-large-buster-template") + self.assertTrue(vm.template == "sd-large-{}-template".format(DEBIAN_VERSION)) self.assertFalse(vm.provides_network) self.assertTrue(vm.template_for_dispvms) # sd-viewer should not be able to create other disposable VMs @@ -118,7 +122,7 @@ def test_sd_gpg_config(self): nvm = vm.netvm self.assertTrue(nvm is None) # No sd-gpg-template, since keyring is managed in $HOME - self.assertTrue(vm.template == "sd-small-buster-template") + self.assertTrue(vm.template == "sd-small-{}-template".format(DEBIAN_VERSION)) self.assertTrue(vm.autostart is True) self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) @@ -129,7 +133,7 @@ def test_sd_log_config(self): vm = self.app.domains["sd-log"] nvm = vm.netvm self.assertTrue(nvm is None) - self.assertTrue(vm.template == "sd-small-buster-template") + self.assertTrue(vm.template == "sd-small-{}-template".format(DEBIAN_VERSION)) self.assertTrue(vm.autostart is True) self.assertFalse(vm.provides_network) self.assertFalse(vm.template_for_dispvms) 
@@ -146,7 +150,7 @@ def test_sd_log_config(self): self.assertEqual(vol.size, size * 1024 * 1024 * 1024) def test_sd_workstation_template(self): - vm = self.app.domains["securedrop-workstation-buster"] + vm = self.app.domains["securedrop-workstation-{}".format(DEBIAN_VERSION)] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue(vm.virt_mode == "hvm") @@ -156,27 +160,27 @@ def test_sd_workstation_template(self): self._check_service_running(vm, "paxctld") def test_sd_proxy_template(self): - vm = self.app.domains["sd-small-buster-template"] + vm = self.app.domains["sd-small-{}-template".format(DEBIAN_VERSION)] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) def sd_app_template(self): - vm = self.app.domains["sd-small-buster-template"] + vm = self.app.domains["sd-small-{}-template".format(DEBIAN_VERSION)] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) self._check_kernel(vm) def sd_viewer_template(self): - vm = self.app.domains["sd-large-buster-template"] + vm = self.app.domains["sd-large-{}-template".format(DEBIAN_VERSION)] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) self.assertTrue(vm.template_for_dispvms) def sd_export_template(self): - vm = self.app.domains["sd-large-buster-template"] + vm = self.app.domains["sd-large-{}-template".format(DEBIAN_VERSION)] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) @@ -200,7 +204,7 @@ def sd_export(self): self._check_kernel(vm) def sd_small_template(self): - vm = self.app.domains["sd-small-buster-template"] + vm = self.app.domains["sd-small-{}-template".format(DEBIAN_VERSION)] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) 
@@ -208,7 +212,7 @@ def sd_small_template(self): self._check_kernel(vm) def sd_large_template(self): - vm = self.app.domains["sd-large-buster-template"] + vm = self.app.domains["sd-large-{}-template".format(DEBIAN_VERSION)] nvm = vm.netvm self.assertTrue(nvm is None) self.assertTrue("sd-workstation" in vm.tags) diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py index f116d9b9..31d7e2a6 100644 --- a/tests/test_vms_platform.py +++ b/tests/test_vms_platform.py @@ -6,16 +6,18 @@ from base import WANTED_VMS, CURRENT_FEDORA_TEMPLATE -SUPPORTED_SD_PLATFORMS = ["Debian GNU/Linux 10 (buster)"] +with open("/etc/qubes-release") as qubes_release: + if "R4.1" in qubes_release.read(): + SUPPORTED_SD_PLATFORMS = ["Debian GNU/Linux 11 (bullseye)"] + else: + SUPPORTED_SD_PLATFORMS = ["Debian GNU/Linux 10 (buster)"] SUPPORTED_WHONIX_PLATFORMS = ["Debian GNU/Linux 11 (bullseye)"] apt_url = "" -FPF_APT_SOURCES_STRETCH_DEV = "deb [arch=amd64] https://apt-test.freedom.press stretch nightlies" -FPF_APT_SOURCES_BUSTER_DEV = "deb [arch=amd64] https://apt-test.freedom.press buster nightlies" -FPF_APT_SOURCES_STRETCH = "deb [arch=amd64] https://apt.freedom.press stretch main" -FPF_APT_SOURCES_BUSTER = "deb [arch=amd64] https://apt.freedom.press buster main" +FPF_APT_TEST_SOURCES = "deb [arch=amd64] https://apt-test.freedom.press {dist} {component}" +FPF_APT_SOURCES = "deb [arch=amd64] https://apt.freedom.press {dist} {component}" APT_SOURCES_FILE = "/etc/apt/sources.list.d/securedrop_workstation.list" 
@@ -27,10 +29,17 @@ def setUp(self): if "environment" not in config: config["environment"] = "dev" + if "buster" in SUPPORTED_SD_PLATFORMS: + dist = "buster" + elif "bullseye" in SUPPORTED_SD_PLATFORMS: + dist = "bullseye" + if config["environment"] == "prod": - self.apt_url = FPF_APT_SOURCES_BUSTER + self.apt_url = FPF_APT_SOURCES.format(dist=dist, component="main") + elif config["environment"] == "staging": + self.apt_url = FPF_APT_TEST_SOURCES.format(dist=dist, component="main") else: - self.apt_url = FPF_APT_SOURCES_BUSTER_DEV + self.apt_url = FPF_APT_TEST_SOURCES.format(dist=dist, component="nightlies") def tearDown(self): pass @@ -76,7 +85,7 @@ def _validate_apt_sources(self, vm): contents = stdout.decode("utf-8").rstrip("\n") self.assertTrue(self.apt_url in contents) - self.assertFalse(FPF_APT_SOURCES_STRETCH in contents) + self.assertFalse(FPF_APT_SOURCES.format(dist="stretch", component="main") in contents) # Old alpha URL for apt repo should be absent self.assertFalse("apt-test-qubes.freedom.press" in contents) From 2225bfa693a63e2bbbcb87743a23691138c906eb Mon Sep 17 00:00:00 2001 From: Michael Z Date: Wed, 15 Jun 2022 16:15:25 -0400 Subject: [PATCH 05/14] Bootstrap fedora-$version-dvm and sd-fedora-dvm `fedora-35-dvm` does not magically come into existence just by installing the `fedora-35` template, but we do want to update the sys-vms that use disposable templates to the most recent Fedora template we support, so we just create it before updating the qube preferences. We also create `sd-fedora-dvm`, which we need to customize to support consistent USB auto-attach to sd-devices --- dom0/sd-sys-vms.sls | 58 +++++++++++++++++++++++++++++++-------------- 1 file changed, 40 insertions(+), 18 deletions(-) diff --git a/dom0/sd-sys-vms.sls b/dom0/sd-sys-vms.sls index f4886feb..d65e866e 100644 --- a/dom0/sd-sys-vms.sls +++ b/dom0/sd-sys-vms.sls 
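Review bot: `self.assertTrue(self.apt_url in contents)` on the context line is a substring check, so a sources file that still carries an entry from a previous environment (a `nightlies` line next to the `main` one after a switch) passes, and the rewritten stretch check only covers the `main` component. If `contents` is the whole file and the repo state writes it wholesale, it should be exactly one line, and `self.assertEqual(contents, self.apt_url)` together with `self.assertNotIn(" stretch ", contents)` would tighten both checks. `_validate_apt_sources` begins outside the hunk.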
@@ -71,35 +71,54 @@ set-fedora-default-template-version: {% endif %} - sls: qvm.default-dispvm -# sys-usb qubes are disposable in the default configuration - instead of forcing -# users to turn sys-usb into an AppVM, we're just cloning the DispVM template to -# make our changes to allow auto-attaching USB drives. -{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %} -clone-dispvm-for-sys-usb-customization: - cmd.run: - - name: > - qvm-check sd-fedora-dvm || qvm-clone {{ sd_supported_fedora_version }}-dvm sd-fedora-dvm +# On 4.1, several sys qubes are disposable by default - since we also want to +# upgrade the templates for those, we need to ensure that the respective dvms +# exist, as just installing a new template won't create a DispVM template +# automatically. +# sys-usb is also disposable by default but a special case as we want to +# customize the underlying DispVM template for usability purposes: we want to +# consistently auto-attach USB devices to our sd-devices qube +{% if grains['osrelease'] == '4.1' %} +{% set required_dispvms = [ sd_supported_fedora_version + '-dvm' ] %} +{% if salt['pillar.get']('qvm:sys-usb:disposable', true) %} + {% set _ = required_dispvms.append("sd-fedora-dvm") %} +{% endif %} + +{% for required_dispvm in required_dispvms %} +create-{{ required_dispvm }}: + qvm.vm: + - name: {{ required_dispvm }} + - present: + - template: {{ sd_supported_fedora_version }} + - label: red + - prefs: + - template: {{ sd_supported_fedora_version }} + - template_for_dispvms: True +{% if required_dispvm == 'sd-fedora-dvm' %} + - netvm: "" +{% endif %} - require: - cmd: dom0-install-fedora-template +{% endfor %} {% endif %} # Now proceed with rebooting all the sys-* VMs, since the new template is up to date. 
{% for sys_vm in ['sys-usb', 'sys-net', 'sys-firewall'] %} -{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:'+sys_vm+':disposable', false) %} +{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:' + sys_vm + ':disposable', false) %} # As of Qubes 4.1, certain sys-* VMs will be DispVMs by default. -{% if sys_vm == 'sys-usb' %} -# If sys-usb is disposable, we want it to use the template we just cloned so we -# can customize it -{% set sd_supported_fedora_template = 'sd-fedora-dvm' %} + {% if sys_vm == 'sys-usb' %} + # If sys-usb is disposable, we want it to use the template we just created so we + # can customize it later in the process + {% set sd_supported_fedora_template = 'sd-fedora-dvm' %} + {% else %} + {% set sd_supported_fedora_template = sd_supported_fedora_version + '-dvm' %} + {% endif %} {% else %} -{% set sd_supported_fedora_template = sd_supported_fedora_version+'-dvm' %} + {% set sd_supported_fedora_template = sd_supported_fedora_version %} {% endif %} -{% else %} -{% set sd_supported_fedora_template = sd_supported_fedora_version %} -{% endif %} -{% if salt['cmd.shell']('qvm-prefs '+sys_vm+' template') != sd_supported_fedora_template %} +{% if salt['cmd.shell']('qvm-prefs ' + sys_vm + ' template') != sd_supported_fedora_template %} sd-{{ sys_vm }}-fedora-version-halt: qvm.kill: - name: {{ sys_vm }} @@ -127,6 +146,9 @@ sd-{{ sys_vm }}-fedora-version-update: - template: {{ sd_supported_fedora_template }} - require: - cmd: sd-{{ sys_vm }}-fedora-version-halt-wait +{% if sd_supported_fedora_template.endswith("-dvm") %} + - qvm: create-{{ sd_supported_fedora_template }} +{% endif %} sd-{{ sys_vm }}-fedora-version-start: qvm.start: From c6c62d026a3795ef8025fcc0ac41d15d35ee6ea5 Mon Sep 17 00:00:00 2001 
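Review bot: Only `sd-fedora-dvm` gets `- netvm: ""` in the new `create-{{ required_dispvm }}` state, and the comment above explains the customization motive (USB auto-attach) but not why the NetVM is cleared for that one template, so a reader could take it for an oversight when `{{ sd_supported_fedora_version }}-dvm` keeps the default. A line such as `# sd-fedora-dvm backs sys-usb only, so it is created without a NetVM` next to the `{% if required_dispvm == 'sd-fedora-dvm' %}` would pin the intent — adjust the wording if that is not the reason. The state file continues outside the hunk.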
From: Cory Francis Myers Date: Thu, 16 Jun 2022 17:42:50 -0700 Subject: [PATCH 06/14] test: parameterize Fedora version on detected Qubes version --- tests/test_dom0_rpm_repo.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/tests/test_dom0_rpm_repo.py b/tests/test_dom0_rpm_repo.py index 99cb395b..5362e583 100644 --- a/tests/test_dom0_rpm_repo.py +++ b/tests/test_dom0_rpm_repo.py @@ -2,6 +2,14 @@ import unittest +DEBIAN_VERSION = "bullseye" +FEDORA_VERSION = "f32" +with open("/etc/qubes-release") as qubes_release: + if "R4.0" in qubes_release.read(): + DEBIAN_VERSION = "buster" + FEDORA_VERSION = "f25" + + class SD_Dom0_Rpm_Repo_Tests(unittest.TestCase): pubkey_wanted = "" @@ -9,8 +17,8 @@ class SD_Dom0_Rpm_Repo_Tests(unittest.TestCase): pubkey_actual = "/etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation" # noqa pubkey_wanted_prod = "sd-workstation/securedrop-release-signing-pubkey-2021.asc" pubkey_wanted_test = "sd-workstation/apt-test-pubkey.asc" - yum_repo_url_prod = "https://yum.securedrop.org/workstation/dom0/f25" - yum_repo_url_test = "https://yum-test.securedrop.org/workstation/dom0/f25" + yum_repo_url_prod = f"https://yum.securedrop.org/workstation/dom0/{FEDORA_VERSION}" + yum_repo_url_test = f"https://yum-test.securedrop.org/workstation/dom0/{FEDORA_VERSION}" def setUp(self): # Enable full diff output in test report, to aid in debugging From 0fdbed41f6673eefa1db60f4159d294f7dd597fe Mon Sep 17 00:00:00 2001 From: Cory Francis Myers Date: Thu, 16 Jun 2022 17:46:22 -0700 Subject: [PATCH 07/14] test: parameterize expected kernel and platform on Debian bullseye (default) versus buster --- tests/test_vms_exist.py | 4 ++-- tests/test_vms_platform.py | 17 +++++++++-------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py index 90cc4999..e8341e6d 100644 --- a/tests/test_vms_exist.py +++ b/tests/test_vms_exist.py 
@@ -5,12 +5,12 @@ from base import WANTED_VMS -EXPECTED_KERNEL_VERSION = "4.14.241-grsec-workstation" - DEBIAN_VERSION = "bullseye" +EXPECTED_KERNEL_VERSION = "5.15.41-grsec-workstation" with open("/etc/qubes-release") as qubes_release: if "R4.0" in qubes_release.read(): DEBIAN_VERSION = "buster" + EXPECTED_KERNEL_VERSION = "4.14.241-grsec-workstation" class SD_VM_Tests(unittest.TestCase): diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py index 31d7e2a6..1d8e921f 100644 --- a/tests/test_vms_platform.py +++ b/tests/test_vms_platform.py @@ -6,13 +6,15 @@ from base import WANTED_VMS, CURRENT_FEDORA_TEMPLATE +BULLSEYE_STRING = "Debian GNU/Linux 11 (bullseye)" +BUSTER_STRING = "Debian GNU/Linux 10 (buster)" + +SUPPORTED_SD_PLATFORMS = [BULLSEYE_STRING] with open("/etc/qubes-release") as qubes_release: - if "R4.1" in qubes_release.read(): - SUPPORTED_SD_PLATFORMS = ["Debian GNU/Linux 11 (bullseye)"] - else: - SUPPORTED_SD_PLATFORMS = ["Debian GNU/Linux 10 (buster)"] + if "R4.0" in qubes_release.read(): + SUPPORTED_SD_PLATFORMS = [BUSTER_STRING] -SUPPORTED_WHONIX_PLATFORMS = ["Debian GNU/Linux 11 (bullseye)"] +SUPPORTED_WHONIX_PLATFORMS = [BULLSEYE_STRING] apt_url = "" @@ -29,10 +31,9 @@ def setUp(self): if "environment" not in config: config["environment"] = "dev" - if "buster" in SUPPORTED_SD_PLATFORMS: + dist = "bullseye" + if BUSTER_STRING in SUPPORTED_SD_PLATFORMS: dist = "buster" - elif "bullseye" in SUPPORTED_SD_PLATFORMS: - dist = "bullseye" if config["environment"] == "prod": self.apt_url = FPF_APT_SOURCES.format(dist=dist, component="main") From d3c00c04af66eb67a5dca5eebdcce07ed4b2e3b1 Mon Sep 17 00:00:00 2001 From: Michael Z Date: Tue, 21 Jun 2022 17:27:11 -0400 Subject: [PATCH 08/14] test: Update keyring output and sd-export package dependency checks --- tests/test_sd_devices.py | 1 + tests/test_vms_platform.py | 9 ++------- 2 files changed, 3 insertions(+), 7 deletions(-) 
diff --git a/tests/test_sd_devices.py b/tests/test_sd_devices.py index a4e00bc8..c0041fa3 100644 --- a/tests/test_sd_devices.py +++ b/tests/test_sd_devices.py @@ -17,6 +17,7 @@ def test_files_are_properly_copied(self): def test_sd_export_package_installed(self): self.assertTrue(self._package_is_installed("cryptsetup")) self.assertTrue(self._package_is_installed("printer-driver-brlaser")) + self.assertTrue(self._package_is_installed("printer-driver-hpcups")) self.assertTrue(self._package_is_installed("securedrop-export")) self.assertTrue(self._package_is_installed("gnome-disk-utility")) diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py index 1d8e921f..9ef509ff 100644 --- a/tests/test_vms_platform.py +++ b/tests/test_vms_platform.py @@ -154,15 +154,10 @@ def _ensure_keyring_package_exists_and_has_correct_key(self, vm): results = stdout.rstrip().decode("utf-8") fpf_gpg_pub_key_info = """/etc/apt/trusted.gpg.d/securedrop-keyring.gpg --------------------------------------------- -pub rsa4096 2016-10-20 [SC] [expired: 2021-06-30] - 2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77 -uid [ expired] SecureDrop Release Signing Key -uid [ expired] SecureDrop Release Signing Key - -pub rsa4096 2021-05-10 [SC] [expires: 2022-07-04] +pub rsa4096 2021-05-10 [SC] [expires: 2023-07-04] 2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3 uid [ unknown] SecureDrop Release Signing Key -sub rsa4096 2021-05-10 [E] [expires: 2022-07-04]""" +sub rsa4096 2021-05-10 [E] [expires: 2023-07-04]""" # display any differences self.maxDiff = None self.assertEqual(results, fpf_gpg_pub_key_info), "Keyring incorrect in " + vm.name From 7c6293d0700208f0bb63ba87cdcb87cfab0506ac Mon Sep 17 00:00:00 2001 
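Review bot: The assertion on the hunk's last context line, `self.assertEqual(results, fpf_gpg_pub_key_info), "Keyring incorrect in " + vm.name`, is a tuple expression: the message is built after assertEqual has returned, so it never reaches a failure report (pre-existing, but this hunk is rewriting the expected value anyway). `self.assertEqual(results, fpf_gpg_pub_key_info, "Keyring incorrect in " + vm.name)` passes it as `msg`. Pinning the full human-readable gpg listing also means the test goes red at the next expiry extension exactly as it did here; asserting on the fingerprint `2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3` and checking the expiry separately would be more durable. `_ensure_keyring_package_exists_and_has_correct_key` begins outside the hunk.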
From: Erik Moeller Date: Tue, 21 Jun 2022 19:45:41 -0700 Subject: [PATCH 09/14] Update to signing key with 2023 expiry --- ...securedrop-release-signing-pubkey-2021.asc | 56 +++++++++---------- ...curedrop-release-signing-pubkey-LEGACY.asc | 43 -------------- 2 files changed, 28 insertions(+), 71 deletions(-) delete mode 100644 sd-workstation/securedrop-release-signing-pubkey-LEGACY.asc diff --git a/sd-workstation/securedrop-release-signing-pubkey-2021.asc b/sd-workstation/securedrop-release-signing-pubkey-2021.asc index 070e2253..8a6d1810 100644 --- a/sd-workstation/securedrop-release-signing-pubkey-2021.asc +++ b/sd-workstation/securedrop-release-signing-pubkey-2021.asc 
@@ -12,20 +12,20 @@ DWkG/xqMWXVZOtUa+REYrTCg9Zo7qlbIniRGeGfGtXYXI023clJH7QkSOEVbCzju SMG+mvRVGJVEWmkoD6mUqzgs+VpoJ9/f1OV5iZjeYRN7fDUYgZzYuWJp3fYmlvHj 3oiAN7UrcUwESgoVl+Ga2VFJd+3w0qBLM+3bORq0z1sUp9oJhFpLLtqRuQARAQAB tEpTZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXkgPHNlY3VyZWRyb3AtcmVs -ZWFzZS1rZXktMjAyMUBmcmVlZG9tLnByZXNzPokCVAQTAQoAPhYhBCNZ5lOMBhPm -UpVebBiO3Tt7IuajBQJgmWatAhsDBQkCKbYABQsJCAcDBRUKCQgLBRYCAwEAAh4B -AheAAAoJEBiO3Tt7IuajwuMP/3HGnRKTgRLdxeL/8tK4E204N+W3dPYhge1sFLeD -ak0vXQeTzxizU/1Hi1+qLv+XRpKziPE0gvKnc8wThPhJ+G93hEAqI/Es4VIklzbB -f/xhLeE54wk6tqz+wy4ugoq0NrRTLFRXT2SXA/enSxaH16fk/5LcNF0V8CTvoaGn -5kvhZCSPJyw7eqPZGjH2pxy33sktprEAjN7aXuIHw3IiRHmrqgqSCpjn5rEEXO3Y -u8osqh5ZdVQLnmtQiosA4IVNOKRJU9nTDnIVducx+RLG3Bz3Qf7/mmRC+M3hqGWB -skk0c2+DtspsNyZh1E+8II3qVGqFwMBovSI0wPX3IOK4Wb91dz3/n8Ahc2N7pBY3 -7wH1GHjT/2Bv80F5d3bbUJVFDLEFFMSUcj4E6dxU38XkbBTODrOYcjzlIT6uK/XH -Q61fE1e7PSVeNqr6eIqqaTdNZaOJNtlO5umYx0WQawKT72eznPW6HJkX5cfuTj9H -ARwRCNOTpipOo499bMtk7UjJcTwc9KOxJeKDkbMUfe/43Zp1njctWuv2e/NPz92J -Ma3BmLluuBR9HJTWKp8L6Ia55vhvtm3+hsgiTCf7gdpxkwRO7470ZeyZMZtARwxp -2wcIrqdOKW8Zwij2Zsi882PPJjR4N07KiEv9pUBtLzlX3VsHBFSu32klxW3cNlSZ -1eK/uQINBGCZZq0BEACq7CxMegB4JuC81VDZKNGgPvRfZYzvE9JGV9G/Gz2Ko8IN +ZWFzZS1rZXktMjAyMUBmcmVlZG9tLnByZXNzPokCVAQTAQoAPgIbAwULCQgHAwUV +CgkICwUWAgMBAAIeAQIXgBYhBCNZ5lOMBhPmUpVebBiO3Tt7IuajBQJifjhkBQkE +CpM3AAoJEBiO3Tt7IuajHFUP/1fwi22pZcpDUyzxGViUK8DmZjcGVGFNBJ40SDSl +XudO044U4OLFTVjNvpHvz6F4T7P+9PSHbjiAOSqx6UApib5EK/w38iQ7PQX+Cg1s +L6pDXCrVNmnxl/FgGN/0MjIjpPGW0CmsEUu+xqJlb43SSAb5z65TJAsyXPgkkPyU ++z1XTPdd27Qvw/BvcH7Fy/ksTIJcL6kFcUBAgJ/HcM6AbRleKSTrrANLjH+c9DqR +s7v0PFAs6TADIQsPNrAeeXxyPqgEQObDeTvXjPb1gJ3r1G1fWKkLb/oBo4cVB+xe +t9djj4uvKO/ETuKzXNWkcTdNhaNO4SMcNt/enxurNb3LLZPXOnEb4cHVGA4/Qoyy +jhgAqJMECw5+nUBn5zM/THQR7r63hBmFqtO9nRo6qNHI1DJ/KWMH892ekpgOYys1 +yMILFyDQLgB+iFHohR4VSeQONWpuSMTWYIQ7vfQVDah9Z7byOJ+M8XJcTv1OLY+L +K11b1CaSe7V/dLHhlYzLaLvV/LT8GaDwMQFT6NwsMOPwRhyWUsdy/OLPPMBY6eNK +JRHQ3wNnClTiWi7iM5QfHa2g+46YuKFMr1YraUwHxUb6ELNNYeg0ycr77H+Ysmam 
+hHA5YPnxJIzx9nWCBgXGyn9FIxGy32vwh9qdsGvbUQbSSdLdXLVEDY492vuSjkaN +AJqruQINBGCZZq0BEACq7CxMegB4JuC81VDZKNGgPvRfZYzvE9JGV9G/Gz2Ko8IN tsBMbIQVXLndeuJZqYPTk5X6dPKJe6ik9WUSpdvpxLdy1FiVjvOMxaXvZCeXB8NS jicHq8KWRrvgM15GGRo1vBC8BLyjh6tnImkmI86HNJEy3kvN7OjgFeXactO4yXaP Gu4J8OglAYOLvNjamriY/ExFS5uURrmHgJB9beEFY+XS7FbUj81R3H64XCKlKIVu 
@@ -36,18 +36,18 @@ sAE+DqRgeWFLBVWdaeU98zawLR15Qsx85cGvxFJaE9LyPWHyHSlJeyrT0hNE02HG bZDWR/47s6jicncfYVNqSH5d1Ifj8guuxDQZyJLEh18kcOH0wezt7lM/H6kXZnDz slOJUAubUgpZ/IbTgdd49UW93QepI+ynuwSogqIPf521XAU/Or7OY+t7J2e1VaCC zvez+oiZ6GWh6lBpccPUnDWtti3U2i5hK4swGFa3Uvi6UwbZHihi/iUip4uKxQAR -AQABiQI8BBgBCgAmFiEEI1nmU4wGE+ZSlV5sGI7dO3si5qMFAmCZZq0CGwwFCQIp -tgAACgkQGI7dO3si5qNAJhAAsjrKyJY1A814QI82Jk1BcpbYRpr5D11/Y8okj142 -Ury/14yVJ1mdFNIqXiKaazR2UJef+W7EZYXWEUFC4BpYFC75tnGAIuKpdBjd6hiJ -Z+sWi10eit3IejAwHkbzRTCvPEDxaQTK1EEB/AKE+9fJhnjIVIIYLgIRYwvNBT/S -J5A1OhoSHtYppD8FpGFw7Hl/t9DK5YETyvY8vkqAMZ9rxp9ZdLni9NsgHa4SCxb/ -1t9ixziUdwbBH0ulHJF3D3Gv6U4Rtcjyi/CLwMaC9pJ7PfISQBYL0USkL9WUYTy7 -IPn60fcvrXIx0ZoR0T4L5rbIQpJ89bVvyT2a1BTFo0zp46hzq9O5g6dr3oB94UKf -bYxNOjNwyMmSyT/JVHzS5H8RAk9UdXmJZXuUFGlPJwfqakGOzZm+X8m6bfbALS++ -b0CAfkWVLNSASXdkK0du5XpIEFFca2qc0vxgqNFDNJC9lrjIx95Bxiql8kOhhloo -/mXz7rZl9vbXBespZCMosFlatkL6hnFm28IIb8vOwGrOuToxyJUQcD8u6iT8kpWF -j5EBqojf1VEaYOogVX8kBFfNTUWmHslD44f46IqIm/lE/wAGev3Aec+olqdD1B75 -hdWwJXNaMxCYVofIgihTMKUeSuXHXNajtwbcUJYyeX4X/LrknXu5EoBfUIXZEZ/J -u3U= -=pCIa +AQABiQI8BBgBCgAmAhsMFiEEI1nmU4wGE+ZSlV5sGI7dO3si5qMFAmKCILEFCQQK +hwQACgkQGI7dO3si5qN/Og//UeRS0+fjYedZGwVMCd591TDET/vdD1CXf2KIic9u +4Fd9nNqbYNB9/c5QWtVYsB9lWctL3RA7C3DtzWUXQtvTUFAimSJ9H1WtOMvNNAwR +KubXzy4niU1exo9veljdKFBflyFNVBrazL+ChUzQvTR9Osw+sgGO8JQCnxjwG0R9 +O5QbWfkQzCl0VwZAZOZrWz8AvcSCTErgkkAbIbyhjyhiSsr956MJ5GWlDPlbWXwC +U/aIWNbyghi6sdZ59RtxMFh7yQMG5/468Lt6hIBHhb16wOwEutvT5vo7lz8+L0P3 +C71vMhgk0tzbV4n3JYOQAUqbDfo9WGK3u4ZBzgkdM3q8UTP2RvCVGQVyZJ4etxHS +aWHA5ufnzQ+ocssd/lH0+Z5VVTzE54MlJauJBnX3XQuP4fba3jjJRenZdr4I70AY +edkS5x8vwHUewmlHgOrs9AJnGvmurbFjUKdVERpjs5cF/m9BqBgVc5e2OmYFlbtY +7NKwnFvOBEamKz8fB9OGQq5uqxdPJycJkLL2m7wYZFGxnzdwHbQwdfv8qLNLt9ox +xDf1kSnh4P6TgVx1N3G1MiSSC79Nk2MVvpQ6MsQ4O290FBybsJ0/1R01e3L9trst +XEXQ4gF6MHMYdBpNhcBlovGMPpI1AG7Uz2TMVM0p+T8DFOBbPP6057fX8zr1+SP0 +Zbk= +=5n1q -----END PGP PUBLIC KEY BLOCK----- 
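Review bot: The commit message gives the new expiry but not the fingerprint of the key this armored block now carries, so a reviewer cannot confirm from the record that it is the existing 2021 key re-signed with a later expiry rather than a different key. The expected fingerprint in tests/test_vms_platform.py is unchanged (`2359 E653 8C06 13E6 5295 5E6C 188E DD3B 7B22 E6A3`), which is consistent with an extension, but the message should state that and how it was checked, e.g. the `gpg --show-keys sd-workstation/securedrop-release-signing-pubkey-2021.asc` output showing that fingerprint and `[expires: 2023-07-04]`. Given that this file appears to be the trust anchor for the apt repository (per its name and the keyring test), that verification belongs in the commit record, not only in the reviewer's shell.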
diff --git a/sd-workstation/securedrop-release-signing-pubkey-LEGACY.asc b/sd-workstation/securedrop-release-signing-pubkey-LEGACY.asc deleted file mode 100644 index 7c1f70d5..00000000 --- a/sd-workstation/securedrop-release-signing-pubkey-LEGACY.asc +++ /dev/null 
@@ -1,43 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFgIrN8BEACnXQFtRVzlePZL/4wfdsAI0FohKj+v17c9U/JNOOwax2DapJe+ -pQ7jZ8G2kUDLTNTMgZLze/gmOJF28olplMi9sLwBynKbN2xOq6MybxE9NLLeE7/y -ZfMZrgMSwgHW40udRZEEpe9IYKZP2QXLGFOmRiqiQ0HNp9WKFNTfi03Yx3XEUeeZ -kap9i0+1sktYBrlnUzXUTJHiUjJTEiI9NX23Vey0NtaveJLzdEQmsYQWaMbX4ECD -Hz+UNRNrjXv303bJgSGBm53tsvQzd6Lyzk4RGOKKifm4A2RRXf6zZCpRmOJUD5dH -8eLNeNyJpRY13rzcqp6Sk05n/RJOH9QbClzBT4rAbTtDKIKsutGnPxL+8fwKoaut -xZjcZLNh712nfiMl07rmgD4by0rp8xe29MIUNkjqg01pckfvUXknRhuo7ZmrAphz -ZZKLSApWXbB32ug5WNoGaQmq+hye1i40zu3fx8MRYefkpSSatNuIbrwLLnq0NR+k -qXcP1SPgtoy/EnW0oa/NDiT/rSh1PuAjG7oOpiNdQdmnA+xIYGreeNoPtuh7gJRc -XYrtWI5zzsGwrFE0LMMPw6SVGONfM5M4Efc+oUn3cIn7gQITm31JNTbRpnwT7bMo -Hy+MrILJITj6Rwi8EGyeTBVolM/L0W3WpjJuj6yhcRZURkBMA01aSUG3yQARAQAB -tB5TZWN1cmVEcm9wIFJlbGVhc2UgU2lnbmluZyBLZXmJAlcEEwEKAEECGwMFCwkI -BwMFFQoJCAsFFgIDAQACHgECF4ACGQEWIQQiJFyB47rrQTizYGExD1YSAPStdwUC -XsZBhAUJCNOEJQAKCRAxD1YSAPStd+ovD/4+jLGlwlLmBpgvohrbiC7xCioVW+Ik -18j+uUSyYBNhvDOZugY+/Z6X99PHvjgjRbTle2NvAx5itdZfiooGSZ8cuiPRbDkQ -xpmZqOdkpN+5/B5dh/bd+P/K2Ggxqkyb80b+xoDviLh6OmIDPILTbz9ACkwu5jdH -0wo0UEt5C+GT8lvBmVXii6vGlTvsv86/yLShvBq6mEJ+7nazWMOShJy3bvyrJRMg -3dZfQSB6WlVCRO9EDBlvTW9Xedva7VDu6Up1BSD+enpXWRLTbqWvxmS7QQ2Usw58 -D7CCoJDA+8zL6UkJFrVxTiXQWbOvttkOA9++aJp4IbXsqTyrIkxNRjlKdyET9xbB -HGSgJhhgGUNVZNBxHVZFHvHurXDX0OyfWaYY9ET/EjqMCjUbWh0vh2c6/M3rDh+J -nH+tZUjJ9mM/AJ0hcORPVv3wbWdsfWq9r3t1Q7wlphal7RzgNqPymekj+1ndTs4y -jfsWgLmxYF8knP1+EipoL1Q7vm1JdO0VOb4IyhF+6VUTkjrDy6uHwXc3fMGHEAeU -nZvhVzZSx8h8HVsfnppM2RjNZKPwNQ43he8HllLqsRFsumg6gbBNRgrsVEBjRzxf -OKESJqxVZ5iHUvWPQPuGjuh83HiUxPN4yjZXUVNXv0Alevv1By3ALeVAmaQVw/KA -/sNu9p74VRggjrRFU2VjdXJlRHJvcCBSZWxlYXNlIFNpZ25pbmcgS2V5IDxzZWN1 -cmVkcm9wLXJlbGVhc2Uta2V5QGZyZWVkb20ucHJlc3M+iQJUBBMBCgA+AhsDBQsJ -CAcDBRUKCQgLBRYCAwEAAh4BAheAFiEEIiRcgeO660E4s2BhMQ9WEgD0rXcFAl7G -QZQFCQjThCUACgkQMQ9WEgD0rXcWVg/+JJT7J0ycCd2Rl7A2K4YQfJcf6TV05HDf -/sxc+JGs1hh/CFgR5Nt1TDPg7dQfCumQWI+e4A8NSFllIKGEajgxdAg/uszO9UQL 
-9iVtyNFY69/gfWeNVyOoioYxRSlaIyKUD2PINeHi5KYDe3dkh9aXDA/X4sB8k7Dt -mvDXqNX4/85P9M9JUjWahHqG3giYW9nyvvlMeV82K4BPPhwwqwbRRaIVNcdytDIi -LvXxOZf/TjX3xHbwTHYghclZZX3ZCiZ8OTD+yLkCqTJsT9GVfIlO/algc+7ezz7B -acsSuTa77/+8vy78dA5k9JM6rSZzfl/8T3LOmDLq+RE+DCUXx8ZJ+qnrr5aSruPB -BSlu7S/26NIAtB6LyKtSBpX39y66/9lYCaQWZDcNraq5PWInv0kQqXEc6C8Vi25q -BFE3a4Lt45bZMGCREYvLWXRxzH9rESVVekxZVZEjgmldh94OLRuXRvU8nlu2fq4G -YH0a+Oy/87LemKv7q2IZX6s7uTZg5xMBTaPqFsE/AGQWQfHvj1EWthcaeoIasfxE -lsWi9qHE4N+Jg/L+XC90S0kogDWGdyS+mKf0dE6jq4ioKf29zRJ4629id6VYHeib -i3df/KOdUeeth5X9ann6/KNncX7Us16rV4a6Tl1OLoV7xkwh2Hy8MfClDkTYeoHc -Y6V2vWAk0Rc= -=LOAb ------END PGP PUBLIC KEY BLOCK----- From 31810922cc4123df083255be62f5e015852cf421 Mon Sep 17 00:00:00 2001 From: Michael Z Date: Wed, 22 Jun 2022 11:35:58 -0400 Subject: [PATCH 10/14] Remove Qubes OS R4.0 related logic and tests Dropping support for 4.0 to avoid unnecessary complexity. This removes 4.0 support from: salt states, scripts, Makefile, and tests. (Also removes sd-devices from sd-workstation.top as it's a DispVM rather than a DispVM template) --- Makefile | 16 +-- dom0/sd-clean-all.sls | 7 +- dom0/sd-default-config.sls | 9 +- dom0/sd-dom0-files.sls | 11 -- dom0/sd-dom0-qvm-rpc.sls | 92 ----------------- dom0/sd-log.sls | 18 ---- dom0/sd-logging-setup.sls | 2 +- dom0/sd-sys-vms.sls | 36 +------ dom0/sd-workstation-template.sls | 4 - dom0/sd-workstation.top | 8 +- dom0/securedrop-handle-upgrade | 16 +-- scripts/provision-all | 4 +- scripts/sdw-admin.py | 15 --- tests/test_dom0_config.py | 3 - tests/test_dom0_rpm_repo.py | 4 - tests/test_qubes_rpc.py | 9 +- tests/test_qubes_vms.py | 4 +- tests/test_vms_exist.py | 17 --- tests/test_vms_platform.py | 19 +--- tests/vars/qubes-rpc-41.yml | 135 ------------------------ tests/vars/qubes-rpc.yml | 171 +++++++++---------------------- 21 files changed, 83 insertions(+), 517 deletions(-) delete mode 100644 tests/vars/qubes-rpc-41.yml diff --git a/Makefile b/Makefile index 72a9e9ce..cfdec68b 100644 --- a/Makefile 
+++ b/Makefile @@ -58,20 +58,20 @@ remove-usb-autoattach: prep-dev ## Removes udev rules and scripts from sys-usb sudo qubesctl --show-output state.sls sd-usb-autoattach-remove sd-workstation-template: prep-dev ## Provisions base template for SDW AppVMs - sudo qubesctl --show-output state.sls sd-workstation-buster-template - sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template state.highstate + sudo qubesctl --show-output state.sls sd-workstation-bullseye-template + sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-bullseye-template state.highstate sd-proxy: prep-dev ## Provisions SD Proxy VM sudo qubesctl --show-output state.sls sd-proxy - sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-proxy state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-proxy state.highstate sd-gpg: prep-dev ## Provisions SD GPG keystore VM sudo qubesctl --show-output state.sls sd-gpg - sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-buster-template,sd-gpg state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-workstation-bullseye-template,sd-gpg state.highstate sd-app: prep-dev ## Provisions SD APP VM sudo qubesctl --show-output state.sls sd-app - sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-app state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-app state.highstate sd-whonix: prep-dev ## Provisions SD Whonix VM sudo qubesctl --show-output state.sls sd-whonix 
@@ -79,15 +79,15 @@ sd-whonix: prep-dev ## Provisions SD Whonix VM sd-viewer: prep-dev ## Provisions SD Submission Viewing VM sudo qubesctl --show-output state.sls sd-viewer - sudo qubesctl --show-output --skip-dom0 --targets sd-viewer-buster-template,sd-viewer state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-viewer-bullseye-template,sd-viewer state.highstate sd-devices: prep-dev ## Provisions SD Export VM sudo qubesctl --show-output state.sls sd-devices - sudo qubesctl --show-output --skip-dom0 --targets sd-devices-buster-template,sd-devices,sd-devices-dvm state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-devices-bullseye-template,sd-devices,sd-devices-dvm state.highstate sd-log: prep-dev ## Provisions SD logging VM sudo qubesctl --show-output state.sls sd-log - sudo qubesctl --show-output --skip-dom0 --targets sd-small-buster-template,sd-log state.highstate + sudo qubesctl --show-output --skip-dom0 --targets sd-small-bullseye-template,sd-log state.highstate prep-dev: assert-dom0 ## Configures Salt layout for SD workstation VMs @./scripts/prep-dev diff --git a/dom0/sd-clean-all.sls b/dom0/sd-clean-all.sls index d2e7b169..9d98e019 100644 --- a/dom0/sd-clean-all.sls +++ b/dom0/sd-clean-all.sls @@ -9,7 +9,7 @@ set-fedora-as-default-dispvm: {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %} -{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:sys-usb:disposable', true) %} +{% if salt['pillar.get']('qvm:sys-usb:disposable', true) %} restore-sys-usb-dispvm-halt: qvm.kill: - name: sys-usb @@ -103,9 +103,6 @@ sd-cleanup-etc-changes: - DOTALL - repl: '' - backup: no -{% if grains['osrelease'] == '4.0' %} - - ignore_if_missing: True -{% endif %} {% if d.environment == "prod" or d.environment == "staging" %} apply-systemd-changes: 
@@ -129,9 +126,7 @@ sd-cleanup-rpc-mgmt-policy: - /etc/qubes-rpc/policy/qubes.VMShell - /etc/qubes-rpc/policy/qubes.VMRootShell - repl: '' -{% if grains['osrelease'] == '4.1' %} - ignore_if_missing: True -{% endif %} - pattern: '^disp-mgmt-sd-\w+\s+sd-\w+\s+allow,user=root' {% set sdw_customized_rpc_files = salt['cmd.shell']('grep -rIl "BEGIN securedrop-workstation" /etc/qubes-rpc/ | cat').splitlines() %} diff --git a/dom0/sd-default-config.sls b/dom0/sd-default-config.sls index 9a758d90..7e8960f3 100644 --- a/dom0/sd-default-config.sls +++ b/dom0/sd-default-config.sls @@ -28,11 +28,6 @@ {% endif %} # Append repo URL with appropriate dom0 Fedora version -{% if grains['osrelease'] == '4.1' %} - {% set fedora_repo = "f32" %} - {% set _ = sdvars.update({"distribution": "bullseye"}) %} -{% else %} - {% set fedora_repo = "f24" %} - {% set _ = sdvars.update({"distribution": "buster"}) %} -{% endif %} +{% set fedora_repo = "f32" %} +{% set _ = sdvars.update({"distribution": "bullseye"}) %} {% set _ = sdvars.update({"dom0_yum_repo_url": sdvars["dom0_yum_repo_url"] + fedora_repo}) %} diff --git a/dom0/sd-dom0-files.sls b/dom0/sd-dom0-files.sls index 83eec636..564b6022 100644 --- a/dom0/sd-dom0-files.sls +++ b/dom0/sd-dom0-files.sls @@ -46,7 +46,6 @@ dom0-workstation-rpm-repo: - require: - file: dom0-rpm-test-key -{% if grains['osrelease'] == '4.1' %} dom0-workstation-templates-repo: # Using file.blockreplace because /etc/qubes/repo-templates/ is not a .d # style directory, and qvm.template_installed:fromrepo seems to only support @@ -65,7 +64,6 @@ dom0-workstation-templates-repo: name=SecureDrop Workstation Templates repository - require: - file: dom0-rpm-test-key -{% endif %} dom0-remove-securedrop-workstation-stretch-template: pkg.removed: 
@@ -75,20 +73,11 @@ dom0-remove-securedrop-workstation-stretch-template: - file: dom0-workstation-rpm-repo dom0-install-securedrop-workstation-template: -{% if grains['osrelease'] == '4.1' %} cmd.run: - name: > qvm-template install securedrop-workstation-{{ sdvars.distribution }} -{% else %} - pkg.installed: - - pkgs: - - qubes-template-securedrop-workstation-{{ sdvars.distribution }} -{% endif %} - require: - file: dom0-workstation-rpm-repo -{% if grains['osrelease'] != '4.1' %} - - pkg: dom0-remove-securedrop-workstation-stretch-template -{% endif %} # Remove the legacy auto updater script dom0-remove-legacy-updater: diff --git a/dom0/sd-dom0-qvm-rpc.sls b/dom0/sd-dom0-qvm-rpc.sls index e3bea37f..c434f3c1 100644 --- a/dom0/sd-dom0-qvm-rpc.sls +++ b/dom0/sd-dom0-qvm-rpc.sls 
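Review bot: With the pkg.installed branch gone, `dom0-install-securedrop-workstation-template` is a bare `cmd.run`, which re-executes `qvm-template install securedrop-workstation-{{ sdvars.distribution }}` on every highstate, whereas the removed 4.0 path was idempotent through pkg.installed. Unless qvm-template is known to no-op on an already installed template, a guard such as `- unless: qvm-check securedrop-workstation-{{ sdvars.distribution }}` (the same probe dom0/sd-sys-vms.sls used for sd-fedora-dvm) keeps the state idempotent and avoids a repository query per run. The state file continues outside the hunk.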
@@ -96,96 +96,6 @@ dom0-rpc-qubes.GpgImportKey: @anyvm @tag:sd-workstation deny @tag:sd-workstation @anyvm deny -# Some legacy RPC files were moved under Qubes 4.1, to /etc/qubes/policy.d/. -# We'll continue to configure them under the legacy path for 4.0 hosts. -{% if grains['osrelease'] == '4.0' %} -dom0-rpc-qubes.FeaturesRequest: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.FeaturesRequest - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.Filecopy: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.Filecopy - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - sd-log @default ask - sd-log @tag:sd-receive-logs ask - sd-proxy @tag:sd-client allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.GetImageRGBA: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.GetImageRGBA - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.OpenInVM: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.OpenInVM - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @tag:sd-client @dispvm:sd-viewer allow - @tag:sd-client sd-devices allow - sd-devices @dispvm:sd-viewer allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.OpenURL: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.OpenURL - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: 
"### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.StartApp: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.StartApp - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.VMRootShell: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.VMRootShell - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -dom0-rpc-qubes.VMshell: - file.blockreplace: - - name: /etc/qubes-rpc/policy/qubes.VMShell - - prepend_if_not_found: True - - marker_start: "### BEGIN securedrop-workstation ###" - - marker_end: "### END securedrop-workstation ###" - - content: | - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - -{% elif grains['osrelease'] == '4.1' %} # Qubes suggests using files starting with 70- to be the allow policies # and 60- deny policies, but due to the way SDW policies are stacked at the # moment, we reverse this suggested order @@ -234,5 +144,3 @@ dom0-rpc-qubes.r5-format-ask-allow: qubes.OpenInVM * @tag:sd-client @dispvm:sd-viewer allow qubes.OpenInVM * @tag:sd-client sd-devices allow qubes.OpenInVM * sd-devices @dispvm:sd-viewer allow - -{% endif %} diff --git a/dom0/sd-log.sls b/dom0/sd-log.sls index 97b593f2..c6200eb2 100644 --- a/dom0/sd-log.sls +++ b/dom0/sd-log.sls 
@@ -35,24 +35,6 @@ sd-log: - require: - qvm: sd-small-{{ sdvars.distribution }}-template -{% if grains['osrelease'] == '4.0' %} -# Allow any SecureDrop VM to log to the centralized log VM -sd-log-dom0-securedrop.Log: - file.prepend: - - name: /etc/qubes-rpc/policy/securedrop.Log - - text: | - @tag:sd-workstation sd-log allow - @anyvm @anyvm deny -{% elif grains['osrelease'] == '4.1' %} -# In 4.1 this policy is handled in the more central app policy -# files added by sd-dom0-qvm-rpc.sls, no need to keep this -# around in 4.0 if we migrated -sd-log-dom0-remove-old-securedrop.Log-policy: - file.absent: - - names: - - /etc/qubes-rpc/policy/securedrop.Log -{% endif %} - {% import_json "sd/config.json" as d %} # The private volume size should be set in config.json diff --git a/dom0/sd-logging-setup.sls b/dom0/sd-logging-setup.sls index 5d157f98..e5e1d80d 100644 --- a/dom0/sd-logging-setup.sls +++ b/dom0/sd-logging-setup.sls @@ -1,7 +1,7 @@ # -*- coding: utf-8 -*- # vim: set syntax=yaml ts=2 sw=2 sts=2 et : -{% if grains['id'] in ["securedrop-workstation-{}".format(grains['oscodename']), "sd-small-{}-template".format(grains['oscodename']), "sd-large-{}-template".format(grains['oscodename'])] %} +{% if grains['id'] in ["securedrop-workstation-bullseye", "sd-small-bullseye-template", "sd-large-bullseye-template"] %} include: - fpf-apt-repo diff --git a/dom0/sd-sys-vms.sls b/dom0/sd-sys-vms.sls index d65e866e..49d3639f 100644 --- a/dom0/sd-sys-vms.sls +++ b/dom0/sd-sys-vms.sls @@ -14,15 +14,9 @@ include: # Install latest templates required for SDW VMs. dom0-install-fedora-template: -{% if grains['osrelease'] == '4.1' %} cmd.run: - name: > - qvm-template install fedora-35 -{% else %} - pkg.installed: - - pkgs: - - qubes-template-{{ sd_supported_fedora_version }} -{% endif %} + qvm-template install {{ sd_supported_fedora_version }} # Update the mgmt VM before updating the new Fedora VM. The order is required # and listed in the release notes for F32 & F33. 
@@ -32,30 +26,18 @@ set-fedora-template-as-default-mgmt-dvm: qvm-shutdown --wait default-mgmt-dvm && qvm-prefs default-mgmt-dvm template {{ sd_supported_fedora_version }} - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} # If the VM has just been installed via package manager, update it immediately update-fedora-template-if-new: cmd.wait: - name: sudo qubesctl --skip-dom0 --targets {{ sd_supported_fedora_version }} state.sls update.qubes-vm - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} # Update the mgmt-dvm setting first, to avoid problems during first update - cmd: set-fedora-template-as-default-mgmt-dvm - watch: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} # qvm.default-dispvm is not strictly required here, but we want it to be # updated as soon as possible to ensure make clean completes successfully, as @@ -64,11 +46,7 @@ set-fedora-default-template-version: cmd.run: - name: qubes-prefs default_template {{ sd_supported_fedora_version }} - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} - sls: qvm.default-dispvm # On 4.1, several sys qubes are disposable by default - since we also want to @@ -78,7 +56,6 @@ set-fedora-default-template-version: # sys-usb is also disposable by default but a special case as we want to # customize the underlying DispVM template for usability purposes: we want to # consistently auto-attach USB devices to our sd-devices qube -{% if grains['osrelease'] == '4.1' %} {% set required_dispvms = [ sd_supported_fedora_version + '-dvm' ] %} {% if salt['pillar.get']('qvm:sys-usb:disposable', true) %} {% set _ = required_dispvms.append("sd-fedora-dvm") %} 
@@ -100,13 +77,12 @@ create-{{ required_dispvm }}: - require: - cmd: dom0-install-fedora-template {% endfor %} -{% endif %} # Now proceed with rebooting all the sys-* VMs, since the new template is up to date. {% for sys_vm in ['sys-usb', 'sys-net', 'sys-firewall'] %} -{% if grains['osrelease'] == '4.1' and salt['pillar.get']('qvm:' + sys_vm + ':disposable', false) %} +{% if salt['pillar.get']('qvm:' + sys_vm + ':disposable', false) %} # As of Qubes 4.1, certain sys-* VMs will be DispVMs by default. {% if sys_vm == 'sys-usb' %} # If sys-usb is disposable, we want it to use the template we just created so we @@ -123,21 +99,13 @@ sd-{{ sys_vm }}-fedora-version-halt: qvm.kill: - name: {{ sys_vm }} - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} sd-{{ sys_vm }}-fedora-version-halt-wait: cmd.run: - name: sleep 5 - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-fedora-template -{% else %} - - pkg: dom0-install-fedora-template -{% endif %} sd-{{ sys_vm }}-fedora-version-update: qvm.vm: diff --git a/dom0/sd-workstation-template.sls b/dom0/sd-workstation-template.sls index 4d8c28ae..8e35eaa5 100644 --- a/dom0/sd-workstation-template.sls +++ b/dom0/sd-workstation-template.sls @@ -23,11 +23,7 @@ sd-workstation-template: - enable: - service.paxctld - require: -{% if grains['osrelease'] == '4.1' %} - cmd: dom0-install-securedrop-workstation-template -{% else %} - - pkg: dom0-install-securedrop-workstation-template -{% endif %} # Installs consolidated templateVMs: # - sd-small-{{ sdvars.distribution }}-template, to be used for diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top index bbf41eb2..d60f2f2b 100644 --- a/dom0/sd-workstation.top +++ b/dom0/sd-workstation.top 
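Review bot: The new condition `{% if salt['pillar.get']('qvm:' + sys_vm + ':disposable', false) %}` defaults to `false`, while the lookup that decides to create `sd-fedora-dvm` in the previous hunk, `salt['pillar.get']('qvm:sys-usb:disposable', true)`, defaults to `true`. If the pillar key is absent, `sd-fedora-dvm` gets created but the sys-usb branch of this loop (which the comment says switches sys-usb to that template) is skipped. Either use one default for both lookups or read the value once into a variable near the top of the file and reuse it, with a one-line comment stating the intended default. The `for` loop closes outside this hunk.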
@@ -20,13 +20,13 @@ base: - sd-whonix - sd-remove-unused-templates - '^sd-small-(buster|bullseye)-template$': + sd-small-bullseye-template: - match: pcre - sd-logging-setup - sd-workstation-template-files - sd-app-files - sd-proxy-template-files - '^sd-large-(buster|bullseye)-template$': + sd-large-bullseye-template: - match: pcre - sd-logging-setup - sd-workstation-template-files @@ -40,7 +40,7 @@ base: - sd-mime-handling sd-whonix: - sd-whonix-hidserv-key - '^securedrop-workstation-(buster|bullseye)$': + securedrop-workstation-bullseye: - match: pcre - sd-workstation-template-files - sd-logging-setup @@ -51,8 +51,6 @@ base: - sd-logging-setup sd-viewer: - sd-mime-handling - sd-devices: - - sd-mime-handling sd-devices-dvm: - sd-mime-handling sd-proxy: diff --git a/dom0/securedrop-handle-upgrade b/dom0/securedrop-handle-upgrade index 41706019..0026a347 100755 --- a/dom0/securedrop-handle-upgrade +++ b/dom0/securedrop-handle-upgrade @@ -15,7 +15,7 @@ if [[ $TASK == "prepare" ]]; then # sd-app, we simply shutdown the machine as we want to preserve the data if qvm-check sd-app --quiet; then BASE_TEMPLATE=$(qvm-prefs sd-app template) - if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "small-bullseye" ]]; then if qvm-check --running sd-app; then qvm-shutdown --wait sd-app fi @@ -30,7 +30,7 @@ if [[ $TASK == "prepare" ]]; then # provisioning process runs again and sets that value to sd-viewer if qvm-check --quiet sd-viewer; then BASE_TEMPLATE=$(qvm-prefs sd-viewer template) - if [[ ! $BASE_TEMPLATE =~ "large-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "large-bullseye" ]]; then qubes-prefs default_dispvm '' qvm-shutdown --wait sd-viewer qvm-remove -f sd-viewer 
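Review bot: The renamed targets in `sd-workstation.top` (`sd-small-bullseye-template`, `sd-large-bullseye-template`, and `securedrop-workstation-bullseye` in the `@@ -40,7 +40,7 @@` hunk) keep `- match: pcre`, but the new keys are literals without the `^...$` anchors the old patterns carried. Treated as a regex, I believe Salt anchors it only at the start, so any minion id that merely begins with `sd-small-bullseye-template` would also receive these states. Either drop the `- match: pcre` line under each renamed target so the default glob match (exact for a literal without wildcards) applies, or keep the anchors as `'^sd-small-bullseye-template$':`.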
@@ -39,7 +39,7 @@ if [[ $TASK == "prepare" ]]; then if qvm-check --quiet sd-devices; then BASE_TEMPLATE=$(qvm-prefs sd-devices-dvm template) - if [[ ! $BASE_TEMPLATE =~ "large-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "large-bullseye" ]]; then qvm-shutdown --wait sd-devices qvm-shutdown --wait sd-devices-dvm qvm-remove -f sd-devices @@ -52,7 +52,7 @@ if [[ $TASK == "prepare" ]]; then # shutdown if a client is connected. if qvm-check --quiet sd-proxy; then BASE_TEMPLATE=$(qvm-prefs sd-proxy template) - if [[ ! $BASE_TEMPLATE =~ "large-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "large-bullseye" ]]; then qvm-shutdown --wait sd-proxy fi fi @@ -83,7 +83,7 @@ if [[ $TASK == "prepare" ]]; then # For sd-gpg, we simply shutdown the machine if qvm-check --quiet sd-gpg; then BASE_TEMPLATE=$(qvm-prefs sd-gpg template) - if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "small-bullseye" ]]; then qvm-shutdown --wait sd-gpg fi fi @@ -91,7 +91,7 @@ if [[ $TASK == "prepare" ]]; then # Shut down sd-log last, since other VMs will autostart it by sending logs if qvm-check --quiet sd-log; then BASE_TEMPLATE=$(qvm-prefs sd-log template) - if [[ ! $BASE_TEMPLATE =~ "small-buster" ]]; then + if [[ ! $BASE_TEMPLATE =~ "small-bullseye" ]]; then qvm-shutdown --wait sd-log fi fi 
@@ -100,8 +100,8 @@ elif [[ $TASK == "remove" ]]; then # before deleting it. for template in sd-app-template sd-viewer-template sd-devices-template sd-proxy-template \ sd-svs-template sd-svs-disp-template sd-export-template sd-proxy-template \ - sd-svs-buster-template sd-export-buster-template sd-svs-disp-buster-template sd-app-buster-template \ - sd-viewer-buster-template sd-proxy-buster-template sd-devices-buster-template sd-log-buster-template + sd-svs-bullseye-template sd-export-bullseye-template sd-svs-disp-bullseye-template sd-app-bullseye-template \ + sd-viewer-bullseye-template sd-proxy-bullseye-template sd-devices-bullseye-template sd-log-bullseye-template do if qvm-check "${template}" --quiet; then if qvm-check --running "${template}"; then diff --git a/scripts/provision-all b/scripts/provision-all index 01885504..d332dec8 100755 --- a/scripts/provision-all +++ b/scripts/provision-all @@ -17,9 +17,7 @@ echo "Set up dom0 config files, including RPC policies, and create VMs" sudo qubesctl --show-output state.highstate echo "Set up logging VMs early" -grep -q "R4.1" /etc/qubes-release && \ - sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-bullseye-template state.highstate || \ - sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-buster-template state.highstate +sudo qubesctl --show-output --skip-dom0 --targets sd-log,sd-small-bullseye-template state.highstate # Reboot sd-log so it's ready to receive logs from other VMs about to be configured qvm-shutdown --wait sd-log && qvm-start sd-log diff --git a/scripts/sdw-admin.py b/scripts/sdw-admin.py index 5537335f..4f036890 100755 --- a/scripts/sdw-admin.py +++ b/scripts/sdw-admin.py @@ -16,9 +16,6 @@ from validate_config import SDWConfigValidator, ValidationError # noqa: E402 DEBIAN_VERSION = "bullseye" -with open("/etc/qubes-release") as qubes_release: - if "R4.0" in qubes_release.read(): - DEBIAN_VERSION = "buster" def parse_args(): 
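Review bot: In the `remove` task's template list the `*-buster-template` names were replaced with `*-bullseye-template` rather than extended, so a host that was first provisioned on buster and still carries e.g. `sd-app-buster-template` is no longer cleaned up by this loop. If the list enumerates historical names to purge (its first two lines already hold the pre-buster `sd-svs-*`/`sd-export-*` names), keep the buster line and add the bullseye names below it. I cannot tell from the hunk whether names such as `sd-svs-bullseye-template` or `sd-export-bullseye-template` were ever provisioned; if not, those entries are dead weight. The loop body continues outside this hunk.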
@@ -121,18 +118,6 @@ def perform_uninstall(keep_template_rpm=False): print("Reverting dom0 configuration") subprocess.check_call(["sudo", "qubesctl", "state.sls", "sd-clean-all"]) subprocess.check_call([os.path.join(SCRIPTS_PATH, "scripts/clean-salt")]) - if not keep_template_rpm and DEBIAN_VERSION == "buster": - print("Uninstalling Template") - subprocess.check_call( - [ - "sudo", - "dnf", - "-y", - "-q", - "remove", - "qubes-template-securedrop-workstation-buster", - ] - ) print("Uninstalling dom0 config package") subprocess.check_call( ["sudo", "dnf", "-y", "-q", "remove", "securedrop-workstation-dom0-config"] diff --git a/tests/test_dom0_config.py b/tests/test_dom0_config.py index 562f3300..03432f00 100644 --- a/tests/test_dom0_config.py +++ b/tests/test_dom0_config.py @@ -18,9 +18,6 @@ ] DEBIAN_VERSION = "bullseye" -with open("/etc/qubes-release") as qubes_release: - if "R4.0" in qubes_release.read(): - DEBIAN_VERSION = "buster" VMS_TO_UPDATE = [ "sd-large-{}-template".format(DEBIAN_VERSION), diff --git a/tests/test_dom0_rpm_repo.py b/tests/test_dom0_rpm_repo.py index 5362e583..5e462c44 100644 --- a/tests/test_dom0_rpm_repo.py +++ b/tests/test_dom0_rpm_repo.py @@ -4,10 +4,6 @@ DEBIAN_VERSION = "bullseye" FEDORA_VERSION = "f32" -with open("/etc/qubes-release") as qubes_release: - if "R4.0" in qubes_release.read(): - DEBIAN_VERSION = "buster" - FEDORA_VERSION = "f25" class SD_Dom0_Rpm_Repo_Tests(unittest.TestCase): diff --git a/tests/test_qubes_rpc.py b/tests/test_qubes_rpc.py index a631b0f5..4cabb020 100644 --- a/tests/test_qubes_rpc.py +++ b/tests/test_qubes_rpc.py 
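Review bot: After this deletion the only visible use of `keep_template_rpm` in `perform_uninstall` is gone, so the parameter (and whatever CLI flag feeds it, which is not in view) looks dead. Either remove it, or keep it meaningful for the current setup: the uninstall path now never removes the bullseye template that `sd-dom0-files.sls` installs with `qvm-template install`, so a removal step via `qvm-template`'s remove subcommand, guarded by `not keep_template_rpm`, would preserve the previous opt-out behaviour. The function starts outside this hunk.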
@@ -42,14 +42,7 @@ def _startsWith(self, filename, expectedPolicy): return False def _loadVars(self): - qubes_version = get_qubes_version() - if qubes_version == "4.1": - fname = "qubes-rpc-41.yml" - elif qubes_version == "4.0": - fname = "qubes-rpc.yml" - else: - raise Exception("Could not determine Qubes OS version") - filepath = os.path.join(os.path.dirname(os.path.abspath(__file__)), "vars", fname) + filepath = os.path.join(os.path.dirname(os.path.abspath(__file__)), "vars", "qubes-rpc.yml") with io.open(filepath, "r") as f: data = yaml.safe_load(f) return data diff --git a/tests/test_qubes_vms.py b/tests/test_qubes_vms.py index 2154ec20..ef86e1d7 100644 --- a/tests/test_qubes_vms.py +++ b/tests/test_qubes_vms.py @@ -1,7 +1,7 @@ import unittest from qubesadmin import Qubes -from base import CURRENT_FEDORA_TEMPLATE, CURRENT_WHONIX_VERSION, get_qubes_version +from base import CURRENT_FEDORA_TEMPLATE, CURRENT_WHONIX_VERSION class SD_Qubes_VM_Tests(unittest.TestCase): @@ -28,7 +28,7 @@ def test_current_fedora_for_sys_vms(self): for sys_vm in sys_vms: vm = self.app.domains[sys_vm] wanted_templates = [CURRENT_FEDORA_TEMPLATE] - if get_qubes_version() == "4.1" and sys_vm in sys_vms_maybe_disp: + if sys_vm in sys_vms_maybe_disp: if sys_vm in sys_vms_custom_disp: wanted_templates.append("sd-fedora-dvm") else: diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py index e8341e6d..e51e2bef 100644 --- a/tests/test_vms_exist.py +++ b/tests/test_vms_exist.py @@ -7,10 +7,6 @@ DEBIAN_VERSION = "bullseye" EXPECTED_KERNEL_VERSION = "5.15.41-grsec-workstation" -with open("/etc/qubes-release") as qubes_release: - if "R4.0" in qubes_release.read(): - DEBIAN_VERSION = "buster" - EXPECTED_KERNEL_VERSION = "4.14.241-grsec-workstation" class SD_VM_Tests(unittest.TestCase): 
@@ -41,19 +37,6 @@ def _check_kernel(self, vm): assert kernel_version.endswith("-grsec-workstation") assert kernel_version == EXPECTED_KERNEL_VERSION - # QubesOS 4.1 stopped requiring u2mfn.ko for HVMs, the packages won't build the respective - # kernel module anymore - # This portion of the test assumes that 4.1 is always used with templates that use - # repositories for 4.1 (in our case, bullseye based templates) - if DEBIAN_VERSION == "bullseye": - return - - u2mfn_filepath = "/usr/lib/modules/{}/updates/dkms/u2mfn.ko".format(EXPECTED_KERNEL_VERSION) - # cmd will raise exception if file not found - stdout, stderr = vm.run("sudo test -f {}".format(u2mfn_filepath)) - assert stdout == b"" - assert stderr == b"" - def _check_service_running(self, vm, service): """ Ensures a given service is running inside a given VM. diff --git a/tests/test_vms_platform.py b/tests/test_vms_platform.py index 9ef509ff..53d687f0 100644 --- a/tests/test_vms_platform.py +++ b/tests/test_vms_platform.py @@ -7,13 +7,8 @@ BULLSEYE_STRING = "Debian GNU/Linux 11 (bullseye)" -BUSTER_STRING = "Debian GNU/Linux 10 (buster)" - -SUPPORTED_SD_PLATFORMS = [BULLSEYE_STRING] -with open("/etc/qubes-release") as qubes_release: - if "R4.0" in qubes_release.read(): - SUPPORTED_SD_PLATFORMS = [BUSTER_STRING] +SUPPORTED_SD_DEBIAN_DIST = "bullseye" SUPPORTED_WHONIX_PLATFORMS = [BULLSEYE_STRING] @@ -31,9 +26,7 @@ def setUp(self): if "environment" not in config: config["environment"] = "dev" - dist = "bullseye" - if BUSTER_STRING in SUPPORTED_SD_PLATFORMS: - dist = "buster" + dist = SUPPORTED_SD_DEBIAN_DIST if config["environment"] == "prod": self.apt_url = FPF_APT_SOURCES.format(dist=dist, component="main") 
@@ -63,13 +56,14 @@ def _validate_vm_platform(self, vm): Asserts that the given AppVM is based on an OS listed in the SUPPORTED__PLATFORMS list, as specified in tests. sd-whonix is based on the whonix-16 template. - All other workstation-provisioned VMs should be buster based. + All other workstation-provisioned VMs should be + SUPPORTED_SD_DEBIAN_DIST based. """ platform = self._get_platform_info(vm) if vm.name in ["sd-whonix"]: self.assertIn(platform, SUPPORTED_WHONIX_PLATFORMS) else: - self.assertIn(platform, SUPPORTED_SD_PLATFORMS) + self.assertIn(SUPPORTED_SD_DEBIAN_DIST, platform) def _validate_apt_sources(self, vm): """ @@ -86,9 +80,6 @@ def _validate_apt_sources(self, vm): contents = stdout.decode("utf-8").rstrip("\n") self.assertTrue(self.apt_url in contents) - self.assertFalse(FPF_APT_SOURCES.format(dist="stretch", component="main") in contents) - # Old alpha URL for apt repo should be absent - self.assertFalse("apt-test-qubes.freedom.press" in contents) def _ensure_packages_up_to_date(self, vm, fedora=False): """ diff --git a/tests/vars/qubes-rpc-41.yml b/tests/vars/qubes-rpc-41.yml deleted file mode 100644 index ad8d5971..00000000 --- a/tests/vars/qubes-rpc-41.yml +++ /dev/null 
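Review bot: `self.assertIn(SUPPORTED_SD_DEBIAN_DIST, platform)` weakens the check from "platform is one of the allowed strings" to "the word `bullseye` appears somewhere in the platform string", so an unexpected derivative or a mangled platform string that happens to contain it would pass. `BULLSEYE_STRING` is still defined (it backs `SUPPORTED_WHONIX_PLATFORMS`), so `self.assertEqual(platform, BULLSEYE_STRING)` restores an exact comparison. The docstring above still speaks of a `SUPPORTED__PLATFORMS list` (double underscore) and should name `SUPPORTED_WHONIX_PLATFORMS` and the exact string the SD branch now expects.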
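Review bot: With the two negative assertions removed, `_validate_apt_sources` only checks `self.apt_url in contents`, so a sources file that also contains a stale or unexpected `deb` line (for instance the retired `apt-test-qubes.freedom.press` host the deleted assertion guarded against) still passes. If the provisioning writes this file exclusively, `self.assertEqual(contents, self.apt_url)` is both stronger and simpler; otherwise keep one negative assertion for the retired host. The method continues outside this hunk.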
@@ -1,135 +0,0 @@ -- policy: /etc/qubes-rpc/policy/qubes.ClipboardPaste - starts_with: |- - ### BEGIN securedrop-workstation ### - @tag:sd-send-app-clipboard sd-app ask - sd-app @tag:sd-receive-app-clipboard ask - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: /etc/qubes-rpc/policy/qubes.GetDate - starts_with: |- - $tag:anon-vm $anyvm deny - -- policy: qubes.Gpg - starts_with: |- - ### BEGIN securedrop-workstation ### - @tag:sd-client sd-gpg allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.GpgImportKey - starts_with: |- - ### BEGIN securedrop-workstation ### - @tag:sd-client sd-gpg allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.InputKeyboard - starts_with: |- - $anyvm $anyvm deny - -- policy: qubes.InputMouse - starts_with: |- - sys-usb dom0 ask,user=root,default_target=dom0 - $anyvm $anyvm deny - -- policy: /etc/qubes-rpc/policy/qubes.PdfConvert - starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.ReceiveUpdates - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow - -- policy: securedrop.Proxy - starts_with: |- - sd-app sd-proxy allow - @anyvm @anyvm deny - -- policy: qubes.SyncAppMenus - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow - -- policy: /etc/qubes-rpc/policy/qubes.UpdatesProxy - starts_with: |- - $tag:whonix-updatevm $default 
allow,target=sys-whonix - $tag:whonix-updatevm $anyvm deny - -- policy: /etc/qubes-rpc/policy/qubes.USB - starts_with: |- - ### BEGIN securedrop-workstation ### - sd-devices sys-usb allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: /etc/qubes-rpc/policy/qubes.USBAttach - starts_with: |- - ### BEGIN securedrop-workstation ### - sys-usb sd-devices allow,user=root - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.WindowIconUpdater - starts_with: |- - $anyvm dom0 allow - -- policy: /etc/qubes/policy.d/60-securedrop-workstation.policy - starts_with: |- - # required to suppress unsupported loopback error notifications - securedrop.Log * sd-log sd-log deny notify=no - securedrop.Log * @tag:sd-workstation sd-log allow - - qubes.Filecopy * sd-log @default ask - qubes.Filecopy * sd-log @tag:sd-receive-logs ask - qubes.Filecopy * sd-proxy @tag:sd-client allow - - qubes.OpenInVM * @tag:sd-client @dispvm:sd-viewer allow - qubes.OpenInVM * @tag:sd-client sd-devices allow - qubes.OpenInVM * sd-devices @dispvm:sd-viewer allow - -- policy: /etc/qubes/policy.d/70-securedrop-workstation.policy - starts_with: |- - securedrop.Log * @anyvm @anyvm deny - - qubes.FeaturesRequest * @anyvm @tag:sd-workstation deny - qubes.FeaturesRequest * @tag:sd-workstation @anyvm deny - - qubes.Filecopy * @anyvm @tag:sd-workstation deny - qubes.Filecopy * @tag:sd-workstation @anyvm deny - - qubes.GetImageRGBA * @anyvm @tag:sd-workstation deny - qubes.GetImageRGBA * @tag:sd-workstation @anyvm deny - - qubes.OpenInVM * @anyvm @tag:sd-workstation deny - qubes.OpenInVM * @tag:sd-workstation @anyvm deny - - qubes.OpenURL * @anyvm @tag:sd-workstation deny - qubes.OpenURL * @tag:sd-workstation @anyvm deny - - qubes.StartApp * @anyvm @tag:sd-workstation deny - qubes.StartApp * @tag:sd-workstation @anyvm deny - - qubes.VMRootShell * @anyvm @tag:sd-workstation deny - 
qubes.VMRootShell * @tag:sd-workstation @anyvm deny - - qubes.VMShell * @anyvm @tag:sd-workstation deny - qubes.VMShell * @tag:sd-workstation @anyvm deny - diff --git a/tests/vars/qubes-rpc.yml b/tests/vars/qubes-rpc.yml index c8065615..ad8d5971 100644 --- a/tests/vars/qubes-rpc.yml +++ b/tests/vars/qubes-rpc.yml @@ -1,4 +1,4 @@ -- policy: qubes.ClipboardPaste +- policy: /etc/qubes-rpc/policy/qubes.ClipboardPaste starts_with: |- ### BEGIN securedrop-workstation ### @tag:sd-send-app-clipboard sd-app ask @@ -7,48 +7,9 @@ @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### -- policy: qubes.FeaturesRequest +- policy: /etc/qubes-rpc/policy/qubes.GetDate starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.Filecopy - starts_with: |- - ### BEGIN securedrop-workstation ### - sd-log @default ask - sd-log @tag:sd-receive-logs ask - sd-proxy @tag:sd-client allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.GetDate - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $tag:anon-vm $anyvm deny - $anyvm $anyvm allow,target=dom0 - -- policy: qubes.GetImageRGBA - starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.GetRandomizedTime - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow + $tag:anon-vm $anyvm deny - policy: qubes.Gpg starts_with: |- 
@@ -72,45 +33,10 @@ - policy: qubes.InputMouse starts_with: |- - sys-usb dom0 allow,user=root + sys-usb dom0 ask,user=root,default_target=dom0 $anyvm $anyvm deny -- policy: qubes.NotifyTools - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow - -- policy: qubes.NotifyUpdates - starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - $anyvm dom0 allow - -- policy: qubes.OpenInVM - starts_with: |- - ### BEGIN securedrop-workstation ### - @tag:sd-client @dispvm:sd-viewer allow - @tag:sd-client sd-devices allow - sd-devices @dispvm:sd-viewer allow - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.OpenURL - starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - -- policy: qubes.PdfConvert +- policy: /etc/qubes-rpc/policy/qubes.PdfConvert starts_with: |- ### BEGIN securedrop-workstation ### @anyvm @tag:sd-workstation deny @@ -126,23 +52,11 @@ $anyvm dom0 allow -- policy: securedrop.Log - starts_with: |- - @tag:sd-workstation sd-log allow - @anyvm @anyvm deny - - policy: securedrop.Proxy starts_with: |- sd-app sd-proxy allow @anyvm @anyvm deny -- policy: qubes.StartApp - starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### - - policy: qubes.SyncAppMenus starts_with: |- ## Note that policy parsing stops at the first match, 
@@ -152,28 +66,12 @@ $anyvm dom0 allow -- policy: qubes.UpdatesProxy +- policy: /etc/qubes-rpc/policy/qubes.UpdatesProxy starts_with: |- - ## Note that policy parsing stops at the first match, - ## so adding anything below "$anyvm $anyvm action" line will have no effect - - ## Please use a single # to start your custom comments - - # Upgrade all TemplateVMs through sys-whonix. - #$type:TemplateVM $default allow,target=sys-whonix - - # Upgrade Whonix TemplateVMs through sys-whonix. $tag:whonix-updatevm $default allow,target=sys-whonix - - # Deny Whonix TemplateVMs using UpdatesProxy of any other VM. $tag:whonix-updatevm $anyvm deny - # Default rule for all TemplateVMs - direct the connection to sys-net - $type:TemplateVM $default allow,target=sys-net - - $anyvm $anyvm deny - -- policy: qubes.USB +- policy: /etc/qubes-rpc/policy/qubes.USB starts_with: |- ### BEGIN securedrop-workstation ### sd-devices sys-usb allow @@ -181,7 +79,7 @@ @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### -- policy: qubes.USBAttach +- policy: /etc/qubes-rpc/policy/qubes.USBAttach starts_with: |- ### BEGIN securedrop-workstation ### sys-usb sd-devices allow,user=root 
@@ -189,20 +87,49 @@ @tag:sd-workstation @anyvm deny ### END securedrop-workstation ### -- policy: qubes.VMRootShell +- policy: qubes.WindowIconUpdater starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### + $anyvm dom0 allow -- policy: qubes.VMShell +- policy: /etc/qubes/policy.d/60-securedrop-workstation.policy starts_with: |- - ### BEGIN securedrop-workstation ### - @anyvm @tag:sd-workstation deny - @tag:sd-workstation @anyvm deny - ### END securedrop-workstation ### + # required to suppress unsupported loopback error notifications + securedrop.Log * sd-log sd-log deny notify=no + securedrop.Log * @tag:sd-workstation sd-log allow -- policy: qubes.WindowIconUpdater + qubes.Filecopy * sd-log @default ask + qubes.Filecopy * sd-log @tag:sd-receive-logs ask + qubes.Filecopy * sd-proxy @tag:sd-client allow + + qubes.OpenInVM * @tag:sd-client @dispvm:sd-viewer allow + qubes.OpenInVM * @tag:sd-client sd-devices allow + qubes.OpenInVM * sd-devices @dispvm:sd-viewer allow + +- policy: /etc/qubes/policy.d/70-securedrop-workstation.policy starts_with: |- - $anyvm dom0 allow + securedrop.Log * @anyvm @anyvm deny + + qubes.FeaturesRequest * @anyvm @tag:sd-workstation deny + qubes.FeaturesRequest * @tag:sd-workstation @anyvm deny + + qubes.Filecopy * @anyvm @tag:sd-workstation deny + qubes.Filecopy * @tag:sd-workstation @anyvm deny + + qubes.GetImageRGBA * @anyvm @tag:sd-workstation deny + qubes.GetImageRGBA * @tag:sd-workstation @anyvm deny + + qubes.OpenInVM * @anyvm @tag:sd-workstation deny + qubes.OpenInVM * @tag:sd-workstation @anyvm deny + + qubes.OpenURL * @anyvm @tag:sd-workstation deny + qubes.OpenURL * @tag:sd-workstation @anyvm deny + + qubes.StartApp * @anyvm @tag:sd-workstation deny + qubes.StartApp * @tag:sd-workstation @anyvm deny + + qubes.VMRootShell * @anyvm @tag:sd-workstation deny + qubes.VMRootShell * @tag:sd-workstation @anyvm deny + + qubes.VMShell * 
@anyvm @tag:sd-workstation deny + qubes.VMShell * @tag:sd-workstation @anyvm deny + From b31d0acdf35cf5248acbe2dcd9372483dfde424f Mon Sep 17 00:00:00 2001 From: Michael Z Date: Thu, 23 Jun 2022 12:00:48 -0400 Subject: [PATCH 11/14] Remove 4.0 support from launcher/updater --- launcher/sdw_updater_gui/Updater.py | 14 +++++++----- launcher/tests/fixtures/os-release-qubes-4.0 | 7 ------ launcher/tests/test_updater.py | 10 +++++---- launcher/tests/test_updaterapp.py | 8 +++---- launcher/tests/test_util.py | 23 +++++++++----------- 5 files changed, 28 insertions(+), 34 deletions(-) delete mode 100644 launcher/tests/fixtures/os-release-qubes-4.0 diff --git a/launcher/sdw_updater_gui/Updater.py b/launcher/sdw_updater_gui/Updater.py index 34cd05fc..5f8cca5e 100644 --- a/launcher/sdw_updater_gui/Updater.py +++ b/launcher/sdw_updater_gui/Updater.py @@ -31,6 +31,8 @@ # logic to leverage the Qubes Python API. MIGRATION_DIR = "/tmp/sdw-migrations" # nosec +DEBIAN_VERSION = "bullseye" + sdlog = Util.get_logger(module=__name__) detail_log = Util.get_logger(prefix=DETAIL_LOGGER_PREFIX, module=__name__) @@ -39,13 +41,13 @@ # In the future, we could use qvm-prefs to extract this information. current_vms = { "fedora": "fedora-35", - "sd-viewer": "sd-large-buster-template", - "sd-app": "sd-small-buster-template", - "sd-log": "sd-small-buster-template", - "sd-devices": "sd-large-buster-template", - "sd-proxy": "sd-small-buster-template", + "sd-viewer": "sd-large-{}-template".format(DEBIAN_VERSION), + "sd-app": "sd-small-{}-template".format(DEBIAN_VERSION), + "sd-log": "sd-small-{}-template".format(DEBIAN_VERSION), + "sd-devices": "sd-large-{}-template".format(DEBIAN_VERSION), + "sd-proxy": "sd-small-{}-template".format(DEBIAN_VERSION), "sd-whonix": "whonix-gw-16", - "sd-gpg": "sd-small-buster-template", + "sd-gpg": "sd-small-{}-template".format(DEBIAN_VERSION), } current_templates = set([val for key, val in current_vms.items() if key != "dom0"]) 
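Review bot: `starts_with` on the new `/etc/qubes/policy.d/60-securedrop-workstation.policy` entry only pins the file's prefix, so an extra rule appended after `qubes.OpenInVM * sd-devices @dispvm:sd-viewer allow` would pass this test unnoticed. That matters because qrexec reads policy.d files in lexical order with first match winning, so any `allow` that lands in the 60- file overrides the blanket denies the 70- entry checks. Consider an exact-content assertion for the 60- file (an `equals:` key, if the harness supports one) or a follow-up check that the file holds no rules beyond those listed. The enclosing YAML list begins before this hunk.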
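Review bot: The new module constant `DEBIAN_VERSION = "bullseye"` carries no comment, although the template names derived from it have to match what is provisioned on the system. Suggest `# Debian codename embedded in the SDW template names (sd-{small,large}-<codename>-template); must track the templates provisioned by the dom0 Salt states.` — the Salt side is inferred from the rest of this series, not visible in this hunk.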
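Review bot: `current_vms` now mixes two conventions: the Debian template names are built from `DEBIAN_VERSION` while `"fedora-35"` and `"whonix-gw-16"` in the same dict stay literal, so the next template bump needs edits in two styles. A matching `FEDORA_VERSION`/`WHONIX_VERSION` pair would keep the mapping uniform, e.g. `"fedora": "fedora-{}".format(FEDORA_VERSION)` and `"sd-whonix": "whonix-gw-{}".format(WHONIX_VERSION)`. If the target interpreter is python3.8 as the build script in this series assumes, f-strings would read better than `.format` throughout.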
diff --git a/launcher/tests/fixtures/os-release-qubes-4.0 b/launcher/tests/fixtures/os-release-qubes-4.0 deleted file mode 100644 index 567f3464..00000000 --- a/launcher/tests/fixtures/os-release-qubes-4.0 +++ /dev/null @@ -1,7 +0,0 @@ -NAME=Qubes -VERSION="4.0 (R4.0)" -ID=qubes -VERSION_ID=4.0 -PRETTY_NAME="Qubes 4.0 (R4.0)" -ANSI_COLOR="0;31" -CPE_NAME="cpe:/o:ITL:qubes:4.0" diff --git a/launcher/tests/test_updater.py b/launcher/tests/test_updater.py index a672c9b0..7d5c5a9d 100644 --- a/launcher/tests/test_updater.py +++ b/launcher/tests/test_updater.py @@ -27,6 +27,8 @@ "sd-devices", ] +DEBIAN_VERSION = "bullseye" + TEST_RESULTS_OK = { "dom0": UpdateStatus.UPDATES_OK, "fedora": UpdateStatus.UPDATES_OK, @@ -491,8 +493,8 @@ def test_shutdown_and_start_vms( ] template_vm_calls = [ call("fedora-35"), - call("sd-large-buster-template"), - call("sd-small-buster-template"), + call("sd-large-{}-template".format(DEBIAN_VERSION)), + call("sd-small-{}-template".format(DEBIAN_VERSION)), call("whonix-gw-16"), ] app_vm_calls = [ @@ -537,8 +539,8 @@ def test_shutdown_and_start_vms_sysvm_fail( ] template_vm_calls = [ call("fedora-35"), - call("sd-large-buster-template"), - call("sd-small-buster-template"), + call("sd-large-{}-template".format(DEBIAN_VERSION)), + call("sd-small-{}-template".format(DEBIAN_VERSION)), call("whonix-gw-16"), ] error_calls = [ diff --git a/launcher/tests/test_updaterapp.py b/launcher/tests/test_updaterapp.py index 930675cf..5bb5a29a 100644 --- a/launcher/tests/test_updaterapp.py +++ b/launcher/tests/test_updaterapp.py @@ -39,7 +39,7 @@ def setUpClass(cls): def tearDownClass(cls): cls._app.quit() - @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.0") + @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.1") @mock.patch("UpdaterApp.subprocess.check_output", return_value=b"none") def test_netcheck_no_network_should_fail(self, mocked_output, mocked_qubes_version): """ 
@@ -61,7 +61,7 @@ def test_netcheck_no_qubes_should_fail_with_error(self, mocked_error, mocked_qub assert mocked_error.called @mock.patch("subprocess.check_output", return_value=b"full") - @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.0") + @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.1") def test_netcheck_should_succeed(self, mocked_qubes_version, mocked_output): """ When the network connectivity check is run in Qubes @@ -70,7 +70,7 @@ def test_netcheck_should_succeed(self, mocked_qubes_version, mocked_output): """ assert updater_app._is_netcheck_successful() - @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.0") + @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.1") @mock.patch("UpdaterApp.logger.error") @mock.patch("subprocess.check_output", return_value=b"none") def test_updater_app_with_no_connectivity_should_error( @@ -85,7 +85,7 @@ def test_updater_app_with_no_connectivity_should_error( updater_app_dialog._check_network_and_update() assert self._is_network_fail_view(updater_app_dialog) - @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.0") + @mock.patch("UpdaterApp.Util.get_qubes_version", return_value="4.1") @mock.patch("subprocess.check_output", return_value=b"full") @mock.patch("UpdaterApp.logger.info") @mock.patch("UpdaterApp.UpgradeThread") diff --git a/launcher/tests/test_util.py b/launcher/tests/test_util.py index 1d7d367d..c91f789f 100644 --- a/launcher/tests/test_util.py +++ b/launcher/tests/test_util.py @@ -22,6 +22,8 @@ path_to_util = os.path.join(os.path.dirname(os.path.abspath(__file__)), relpath_util) util = SourceFileLoader("Util", path_to_util).load_module() +DEBIAN_VERSION = "bullseye" + @mock.patch("Util.sdlog.error") @mock.patch("Util.sdlog.warning") 
@@ -200,7 +202,6 @@ def test_for_conflicting_process( @pytest.mark.parametrize( "os_release_fixture,version_contains", [ - ("os-release-qubes-4.0", "4.0"), ("os-release-qubes-4.1", "4.1"), ("os-release-ubuntu", None), ("no-such-file", None), @@ -209,7 +210,7 @@ def test_for_conflicting_process( @mock.patch("Util.sdlog.error") @mock.patch("Util.sdlog.warning") @mock.patch("Util.sdlog.info") -@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0")) +@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1")) def test_detect_qubes( mocked_info, mocked_warning, mocked_error, os_release_fixture, version_contains ): @@ -232,7 +233,6 @@ def test_detect_qubes( @pytest.mark.parametrize( "os_release_fixture,expected_qt_version", [ - ("os-release-qubes-4.0", 4), ("os-release-qubes-4.1", 5), ("os-release-ubuntu", 4), ("no-such-file", 4), @@ -242,7 +242,7 @@ def test_detect_qubes( @mock.patch("Util.sdlog.error") @mock.patch("Util.sdlog.warning") @mock.patch("Util.sdlog.info") -@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0")) +@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1")) def test_pick_qt( mocked_info, mocked_warning, @@ -282,7 +282,7 @@ def test_pick_bad_qt(mocked_info, mocked_warning, mocked_error, env_override): """ mocked_env = {"SDW_UPDATER_QT": env_override} with mock.patch.dict("os.environ", mocked_env), mock.patch( - "Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0") + "Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1") ), pytest.raises(ValueError): util.get_qt_version() 
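Review bot: With the 4.0 row gone, `("os-release-ubuntu", 4)` and `("no-such-file", 4)` still pin a fallback to Qt 4 for non-Qubes hosts and for an unreadable os-release, so the Qt4 path outlives the only platform that needed it. If only Qubes 4.1 is supported now, the off-Qubes default in `Util.get_qt_version` should probably become 5 (or an error) and these rows updated to match; otherwise a one-line comment above the parametrize list saying why Qt 4 remains the default off-Qubes would help the next reader. `Util.get_qt_version` itself is not part of this patch.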
@@ -303,13 +303,12 @@ def test_get_logger(): @pytest.mark.parametrize( "os_release_fixture,version_contains", [ - ("os-release-qubes-4.0", "4.0"), ("os-release-qubes-4.1", "4.1"), ("os-release-ubuntu", None), ("no-such-file", None), ], ) -@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0")) +@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1")) def test_is_sdapp_halted_yes(os_release_fixture, version_contains): """ When sd-app state is 'Halted' @@ -317,7 +316,7 @@ def test_is_sdapp_halted_yes(os_release_fixture, version_contains): """ output = bytes( "NAME STATE CLASS LABEL TEMPLATE\nsd-app" - " Halted AppVM yellow sd-small-buster-template\n", + " Halted AppVM yellow sd-small-{}-template\n".format(DEBIAN_VERSION), "utf-8", ) @@ -329,13 +328,12 @@ def test_is_sdapp_halted_yes(os_release_fixture, version_contains): @pytest.mark.parametrize( "os_release_fixture,version_contains", [ - ("os-release-qubes-4.0", "4.0"), ("os-release-qubes-4.1", "4.1"), ("os-release-ubuntu", None), ("no-such-file", None), ], ) -@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0")) +@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1")) def test_is_sdapp_halted_no(os_release_fixture, version_contains): """ When sd-app is not Halted (i.e. Running, Pasued) @@ -343,7 +341,7 @@ def test_is_sdapp_halted_no(os_release_fixture, version_contains): """ output = bytes( "NAME STATE CLASS LABEL TEMPLATE\nsd-app" - " Paused AppVM yellow sd-small-buster-template\n", + " Paused AppVM yellow sd-small-{}-template\n".format(DEBIAN_VERSION), "utf-8", ) 
@@ -355,13 +353,12 @@ def test_is_sdapp_halted_no(os_release_fixture, version_contains): @pytest.mark.parametrize( "os_release_fixture,version_contains", [ - ("os-release-qubes-4.0", "4.0"), ("os-release-qubes-4.1", "4.1"), ("os-release-ubuntu", None), ("no-such-file", None), ], ) -@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.0")) +@mock.patch("Util.OS_RELEASE_FILE", os.path.join(FIXTURES_PATH, "os-release-qubes-4.1")) @mock.patch("subprocess.check_output", side_effect=subprocess.CalledProcessError(1, "check_output")) def test_is_sdapp_halted_error(patched_subprocess, os_release_fixture, version_contains): """ From 621696f5d12ffd27cb7003e7192c6b9d1603f552 Mon Sep 17 00:00:00 2001 From: Michael Z Date: Thu, 23 Jun 2022 14:20:47 -0400 Subject: [PATCH 12/14] Stop building unnecessary fc25 rpms --- scripts/build-dom0-rpm | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/scripts/build-dom0-rpm b/scripts/build-dom0-rpm index 54ad218a..f32d3de1 100755 --- a/scripts/build-dom0-rpm +++ b/scripts/build-dom0-rpm 
@@ -27,22 +27,14 @@ export SOURCE_DATE_EPOCH # Place tarball where rpmbuild will find it cp dist/*.tar.gz rpm-build/SOURCES/ -# Build for Qubes 4.0.x and 4.1.x, for which dom0 is based on -# fedora-25 and fedora-32, respectively. -for i in 25 32; do - # dom0 defaults to python3.5 in fedora-25 - python_version="python3.5" - if [[ $i = 32 ]]; then - python_version="python3.8" - fi - dist=".fc${i}" - rpmbuild \ - --quiet \ - --define "_topdir $PWD/rpm-build" \ - --define "dist $dist" \ - --define "_python_version $python_version" \ - -bb --clean "rpm-build/SPECS/securedrop-workstation-dom0-config.spec" -done +python_version="python3.8" +dist=".fc32" +rpmbuild \ + --quiet \ + --define "_topdir $PWD/rpm-build" \ + --define "dist $dist" \ + --define "_python_version $python_version" \ + -bb --clean "rpm-build/SPECS/securedrop-workstation-dom0-config.spec" printf '\nBuild complete! RPMs and their checksums are:\n\n' find rpm-build/ -type f -iname '*.rpm' -print0 | sort -zV | xargs -0 sha256sum From 8060842fcf2a99c639b4c232f5219f72662e0ee9 Mon Sep 17 00:00:00 2001 From: Erik Moeller Date: Thu, 23 Jun 2022 16:15:47 -0700 Subject: [PATCH 13/14] Remove Qt5 print statement --- launcher/sdw-launcher.py | 1 - 1 file changed, 1 deletion(-) diff --git a/launcher/sdw-launcher.py b/launcher/sdw-launcher.py index a8fbf6be..e225b53b 100755 --- a/launcher/sdw-launcher.py +++ b/launcher/sdw-launcher.py @@ -8,7 +8,6 @@ import argparse if Util.get_qt_version() == 5: - print("Using Qt5 (experimental)") from PyQt5.QtWidgets import QApplication else: from PyQt4.QtGui import QApplication From d2a2a523b978f00e0a68c36b60c900721e9b7dd9 Mon Sep 17 00:00:00 2001 
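Review bot: `rpmbuild --clean` removes the build tree but not previously built RPMs, so `.fc25` packages left in `rpm-build/RPMS/` from an earlier run survive this change, and the closing `find rpm-build/ -type f -iname '*.rpm' | ... sha256sum` will still list and checksum them next to the fc32 build — a stale artifact that could be picked up for signing or upload. Consider clearing old output before building (`rm -rf rpm-build/RPMS/*`) or narrowing the listing to the dist just built (`-iname "*${dist}*.rpm"`). If the script already wipes `rpm-build/` earlier, this is moot; that part is outside the hunk.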
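Review bot: Dropping the print leaves the `else:` branch importing `PyQt4.QtGui` as the only remaining trace of pre-4.1 support, and it still silently selects a toolkit the series no longer builds or tests for. Either import PyQt5 unconditionally, or fail fast so an unsupported host is reported instead of half-working: `raise RuntimeError("Qt 5 is required; got Qt {}".format(Util.get_qt_version()))`. Whether anything else in the file still depends on Qt 4 is not visible here.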
From: Cory Francis Myers Date: Thu, 23 Jun 2022 17:55:26 -0700 Subject: [PATCH 14/14] test: expect "org.gnome.eog.desktop" on bullseye After freedomofpress/securedrop-debian-packaging#349, this change is required for SD_Viewer_Tests.test_mime_types() to pass on Debian bullseye (thus, Qubes 4.1) and will fail on Debian buster (thus, Qubes 4.0). --- tests/vars/sd-viewer.mimeapps | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/vars/sd-viewer.mimeapps b/tests/vars/sd-viewer.mimeapps index 6d44163b..00a680e6 100644 --- a/tests/vars/sd-viewer.mimeapps +++ b/tests/vars/sd-viewer.mimeapps @@ -21,11 +21,11 @@ video/x-theora+ogg=org.gnome.Totem.desktop video/mp4=org.gnome.Totem.desktop video/x-msvideo=org.gnome.Totem.desktop video/x-ms-wmv=org.gnome.Totem.desktop -image/jpeg=eog.desktop -image/gif=eog.desktop +image/jpeg=org.gnome.eog.desktop +image/gif=org.gnome.eog.desktop image/tiff=org.gnome.Evince.desktop -image/png=eog.desktop -image/svg+xml=eog.desktop +image/png=org.gnome.eog.desktop +image/svg+xml=org.gnome.eog.desktop image/vnd.djvu=org.gnome.Evince.desktop application/vnd.rar=org.gnome.FileRoller.desktop application/zip=org.gnome.FileRoller.desktop