Fix app creation in source.wsgi, add regression test

In journalist.wsgi and source.wsgi, we import the relvant `app` variable
so it can be executed by mod_wsgi. In bea3a0a this was accidentally
refactored to be under the `if __name__ == "__main__"` block, so it
wasn't available to be imported.

Add a documentation comment making it clear the variable needs to be
globally accessible and a regression test that mostly verifies the wsgi
files can be executed without errors.

Fixes #6741.

securedrop/journalist.py

@@ -5,6 +5,7 @@
 from sdconfig import SecureDropConfig
 
 config = SecureDropConfig.get_current()
+# app is imported by journalist.wsgi
 app = create_app(config)
 
 

securedrop/source.py

@@ -1,9 +1,11 @@
 from sdconfig import SecureDropConfig
 from source_app import create_app
 
+config = SecureDropConfig.get_current()
+# app is imported by source.wsgi
+app = create_app(config)
+
 if __name__ == "__main__":  # pragma: no cover
-    config = SecureDropConfig.get_current()
-    app = create_app(config)
     debug = getattr(config, "env", "prod") != "prod"
     # nosemgrep: python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host
     app.run(debug=debug, host="0.0.0.0", port=8080)  # nosec

securedrop/tests/test_wsgi.py

@@ -0,0 +1,17 @@
+import subprocess
+import sys
+from pathlib import Path
+
+import pytest
+
+
+@pytest.mark.parametrize("filename", ("journalist.wsgi", "source.wsgi"))
+def test_wsgi(filename):
+    """
+    Verify that all setup code and imports in the wsgi files work
+
+    This is slightly hacky because it just executes the wsgi files using
+    the current virtualenv, and the paths just happen to work out.
+    """
+    path = Path(__file__).parent.parent / "debian/app-code/var/www" / filename
+    subprocess.check_call([sys.executable, str(path)])