Merge pull request freedomofpress#974 from freedomofpress/reabsorb-up…

…dater-no-migrations

reabsorb `securedrop-updater` without migrations

.flake8

@@ -1,5 +1,5 @@
 [flake8]
-ignore: W503
+ignore = E203,W503
 max-line-length = 100
 extend-exclude = .venv
 filename =

.git-blame-ignore-revs

@@ -1 +1,2 @@
 782a04e59ae10d40085b5d8807e255143e5d05c5
+0d4c0144d01c24187c449593ca665e2f0141b507

.github/workflows/ci.yml

@@ -9,20 +9,22 @@ jobs:
     container:
       image: registry.fedoraproject.org/fedora:37
     steps:
-      - run: dnf install -y make
+      - run: dnf install -y git make
       - uses: actions/checkout@v4
       - name: Install dependencies
         run: |
           make install-deps
           pip install --require-hashes -r requirements/dev-requirements.txt
       - name: Run linters
-        run: make lint
+        run: |
+          git config --global --add safe.directory '*'
+          make lint
   build-rpm:
     runs-on: ubuntu-latest
     container:
       image: registry.fedoraproject.org/fedora:37
     steps:
-      - run: dnf install -y make git
+      - run: dnf install -y git make
       - uses: actions/checkout@v4
       - name: Install dependencies
         run: |

MANIFEST.in

@@ -4,8 +4,6 @@ include dom0/*.j2
 include dom0/*.yml
 include dom0/*.conf
 include dom0/remove-tags
-include dom0/securedrop-login
-include dom0/securedrop-launcher.desktop
 include dom0/securedrop-handle-upgrade
 include dom0/update-xfce-settings
 include README.md
@@ -15,9 +13,9 @@ include sd-proxy/*
 include sd-whonix/*
 include sd-app/*
 include sd-workstation/*
-include launcher/*.py
-include launcher/sdw_updater_gui/*.py
-include launcher/sdw_notify/*.py
-include launcher/sdw_util/*.py
+include sdw_updater/*.py
+include sdw_notify/*.py
+include sdw_util/*.py
 include usb-autoattach/*
 include files/*
+include setup.py

Makefile

@@ -44,7 +44,7 @@ reprotest: ## Check RPM package reproducibility
 install-deps:
 	sudo dnf install -y \
         git file python3-devel python3-pip python3-qt5 python3-wheel \
-		xorg-x11-server-Xvfb rpmdevtools rpmlint which libfaketime ShellCheck \
+		xorg-x11-server-Xvfb rpmdevtools rpmlint systemd-rpm-macros which libfaketime ShellCheck \
 		hostname
 
 clone: assert-dom0 ## Builds rpm && pulls the latest repo from work VM to dom0
@@ -149,13 +149,45 @@ validate: assert-dom0 ## Checks for local requirements in dev env
 # Not requiring dom0 for linting as that requires extra packages, which we're
 # not installing on dom0, so are only in the developer environment, i.e. Work VM
 
+prep-dom0: prep-dev # Copies dom0 config files
+	sudo qubesctl --show-output --targets dom0 state.highstate
+
+destroy-all: ## Destroys all VMs managed by Workstation salt config
+	./scripts/destroy-vm --all
+
+.PHONY: update-pip-requirements
+update-pip-requirements: ## Updates all Python requirements files via pip-compile.
+	pip-compile --allow-unsafe --generate-hashes --output-file=requirements/dev-requirements.txt requirements/dev-requirements.in
+
+.PHONY: venv
+venv: ## Provision a Python 3 virtualenv for development (ensure to also install OS package for PyQt5)
+	$(PYTHON3) -m venv .venv --system-site-packages
+	.venv/bin/pip install --upgrade pip wheel
+	.venv/bin/pip install --require-hashes -r "requirements/dev-requirements.txt"
+	@echo "#################"
+	@echo "Virtualenv with system-packages is complete."
+	@echo "Make sure to either install the OS package for PyQt5 or install PyQt5==5.14.2 into this virtual environment."
+	@echo "Then run: source .venv/bin/activate"
+
+.PHONY: check
+check: lint test ## Runs linters and tests
+
+.PHONY: lint
+lint: check-black check-isort flake8 bandit mypy rpmlint shellcheck ## Runs linters (black, isort, flake8, bandit rpmlint, and shellcheck)
+lint: check-black check-isort flake8 mypy bandit rpmlint shellcheck ## Runs linters (black, isort, flake8, mypy, bandit rpmlint, and shellcheck)
+
+.PHONY: bandit
+bandit: ## Runs the bandit security linter
+	bandit -ll --exclude ./.venv,./launcher/.venv -r .
+
+.PHONY: test-launcher
+test-launcher: ## Runs tests
+	$(CONTAINER) python3 -m pytest -v
+
 .PHONY: check-black
 check-black: ## Check Python source code formatting with black
 	black --check --diff .
 
-.PHONY: lint
-lint: flake8 black mypy ## Runs all linters
-
 .PHONY: black
 black: ## Update Python source code formatting with black
 	black .
@@ -166,18 +198,15 @@ check-isort: ## Check Python import organization with isort
 
 .PHONY: isort
 isort: ## Update Python import organization with isort
-	isort --diff .
+	isort .
 
 .PHONY: flake8
-flake8: ## Lints all Python files with flake8
-# Not requiring dom0 since linting requires extra packages,
-# available only in the developer environment, i.e. Work VM.
+flake8: ## Validate PEP8 compliance for Python source files
 	flake8
 
-mypy: ## Type checks Python files
-# Not requiring dom0 since linting requires extra packages,
-# available only in the developer environment, i.e. Work VM.
-	mypy
+.PHONY: mypy
+mypy:  ## Type check Python files
+	mypy .
 
 .PHONY: rpmlint
 rpmlint: ## Runs rpmlint on the spec file
@@ -187,25 +216,6 @@ rpmlint: ## Runs rpmlint on the spec file
 shellcheck: ## Runs shellcheck on all shell scripts
 	./scripts/shellcheck.sh
 
-prep-dom0: prep-dev # Copies dom0 config files
-	sudo qubesctl --show-output --targets dom0 state.highstate
-
-destroy-all: ## Destroys all VMs managed by Workstation salt config
-	./scripts/destroy-vm --all
-
-.PHONY: update-pip-requirements
-update-pip-requirements: ## Updates all Python requirements files via pip-compile.
-	pip-compile --allow-unsafe --generate-hashes --output-file=requirements/dev-requirements.txt requirements/dev-requirements.in
-
-.PHONY: venv
-venv: ## Provision a Python 3 virtualenv for development (ensure to also install OS package for PyQt5)
-	$(PYTHON3) -m venv .venv
-	.venv/bin/pip install --upgrade pip wheel
-	.venv/bin/pip install --require-hashes -r "requirements/dev-requirements.txt"
-	@echo "#################"
-	@echo "Virtualenv is complete."
-	@echo "Run: source .venv/bin/activate"
-
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" to parse lines for make targets.
 # 2. Check for second field matching, skip otherwise.

bootstrap/Dockerfile

@@ -13,4 +13,7 @@ COPY Makefile Makefile
 
 RUN make install-deps
 
+COPY requirements requirements
+RUN pip3 install --no-deps --require-hashes -r requirements/dev-requirements.txt
+
 RUN if test $USER_NAME != root ; then useradd --no-create-home --home-dir /tmp --uid $USER_ID $USER_NAME && echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers ; fi

dom0/sd-clean-all.sls

@@ -8,6 +8,7 @@ set-fedora-as-default-dispvm:
     - name: qvm-check default-dvm && qubes-prefs default_dispvm default-dvm || qubes-prefs default_dispvm ''
 
 {% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
+{% set gui_user_id = salt['cmd.shell']('id -u ' + gui_user) %}
 
 {% if salt['pillar.get']('qvm:sys-usb:disposable', true) %}
 restore-sys-usb-dispvm-halt:
@@ -72,9 +73,8 @@ remove-dom0-sdw-config-files:
       - /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation
       - /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test
       - /usr/share/securedrop/icons
-      - /home/{{ gui_user }}/.config/autostart/SDWLogin.desktop
-      - /usr/bin/securedrop-login
-      - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
+      - /home/{{ gui_user }}/.config/autostart/press.freedom.SecureDropUpdater.desktop
+      - /home/{{ gui_user }}/Desktop/press.freedom.SecureDropUpdater.desktop
       - /home/{{ gui_user }}/.securedrop_launcher
       - /srv/salt/qa-switch.tar.gz
       - /srv/salt/qa-switch
@@ -90,7 +90,6 @@ remove-rpc-policy-tags:
 sd-cleanup-etc-changes:
   file.replace:
     - names:
-      - /etc/crontab
       - /etc/systemd/logind.conf
       - /etc/qubes/repo-templates/qubes-templates.repo
     - pattern: '### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###\s*'
@@ -113,3 +112,12 @@ sd-cleanup-sys-firewall:
       - qvm-run sys-firewall 'sudo rm -f /rw/config/RPM-GPG-KEY-securedrop-workstation-test'
       - qvm-run sys-firewall 'sudo rm -f /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation'
       - qvm-run sys-firewall 'sudo rm -f /etc/pki/rpm-gpg/RPM-GPG-KEY-securedrop-workstation-test'
+
+disable-systemd-units:
+  cmd.run:
+    - name: systemctl --user disable sdw-notify.timer
+    - runas: {{ gui_user }}
+    - env:
+      # Even with "runas", "systemctl --user" from root will fail unless we
+      # tell it explicitly how to connect to the user systemd.
+      - XDG_RUNTIME_DIR: /run/user/{{ gui_user_id }}

dom0/sd-dom0-files.sls

@@ -97,41 +97,23 @@ dom0-login-autostart-directory:
 
 dom0-login-autostart-desktop-file:
   file.managed:
-    - name: /home/{{ gui_user }}/.config/autostart/SDWLogin.desktop
+    - name: /home/{{ gui_user }}/.config/autostart/press.freedom.SecureDropUpdater.desktop
     - source: "salt://dom0-xfce-desktop-file.j2"
     - template: jinja
     - context:
         desktop_name: SDWLogin
         desktop_comment: Updates SecureDrop Workstation DispVMs at login
-        desktop_exec: /usr/bin/securedrop-login
+        desktop_exec: /usr/bin/sdw-login
     - user: {{ gui_user }}
     - group: {{ gui_user }}
     - mode: 664
     - require:
       - file: dom0-login-autostart-directory
 
-dom0-login-autostart-script:
-  file.managed:
-    - name: /usr/bin/securedrop-login
-    - source: "salt://securedrop-login"
-    - user: root
-    - group: root
-    - mode: 755
-
-dom0-securedrop-launcher-executables:
-  file.managed:
-    - names:
-      - /opt/securedrop/launcher/sdw-launcher.py
-      - /opt/securedrop/launcher/sdw-notify.py
-    - user: root
-    - group: root
-    - mode: 755
-    - replace: false
-
 dom0-securedrop-launcher-desktop-shortcut:
   file.managed:
-    - name: /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
-    - source: "salt://securedrop-launcher.desktop"
+    - name: /home/{{ gui_user }}/Desktop/press.freedom.SecureDropUpdater.desktop
+    - source: "salt://press.freedom.SecureDropUpdater.desktop"
     - user: {{ gui_user }}
     - group: {{ gui_user }}
     - mode: 755

dom0/sd-dom0-systemd.sls

@@ -4,6 +4,10 @@
 # Updates to systemd configuration in dom0
 ##
 
+# Identify the GUI user by group membership
+{% set gui_user = salt['cmd.shell']('groupmems -l -g qubes') %}
+{% set gui_user_id = salt['cmd.shell']('id -u ' + gui_user) %}
+
 {% import_json "sd/config.json" as d %}
 {% if d.environment == "prod" or d.environment == "staging" %}
 # Power off instead of suspend on lid close, for security reasons, but only in
@@ -21,3 +25,14 @@ apply-systemd-changes:
   cmd.run:
     - name: sudo systemctl restart systemd-logind
 {% endif %}
+
+enable-user-units:
+  cmd.run:
+    - name: |
+        systemctl --user daemon-reload
+        systemctl --user enable sdw-notify.timer
+    - runas: {{ gui_user }}
+    - env:
+      # Even with "runas", "systemctl --user" from root will fail unless we
+      # tell it explicitly how to connect to the user systemd.
+      - XDG_RUNTIME_DIR: /run/user/{{ gui_user_id }}

dom0/sd-usb-autoattach-remove.sls

@@ -1,9 +1,8 @@
 remove-usb-autoattach:
   cmd.run:
-    - names:
-      - qvm-run sys-usb 'sudo rm -f /etc/udev/rules.d/99-sd-devices.rules'
-      - qvm-run sys-usb 'sudo rm -f /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules'
-      - qvm-run sys-usb 'sudo rm -f /usr/local/bin/sd-attach-export-device'
-      - qvm-run sys-usb 'sudo udevadm control --reload'
-      - >-
+    - name: |
+        qvm-run sys-usb 'sudo rm -f /etc/udev/rules.d/99-sd-devices.rules'
+        qvm-run sys-usb 'sudo rm -f /rw/config/sd/etc/udev/rules.d/99-sd-devices.rules'
+        qvm-run sys-usb 'sudo rm -f /usr/local/bin/sd-attach-export-device'
+        qvm-run sys-usb 'sudo udevadm control --reload'
         qvm-run sys-usb 'sudo perl -i -0pe "s/### BEGIN securedrop-workstation ###.*### END securedrop-workstation ###//gms" /rw/config/rc.local'

dom0/sd-workstation.top

@@ -5,7 +5,6 @@ base:
   dom0:
     - sd-sys-vms
     - sd-dom0-files
-    - sd-dom0-crontab
     - sd-dom0-systemd
     - sd-base-template
     - sd-workstation-template

dom0/update-xfce-settings

@@ -28,7 +28,8 @@ fi
 
 # This script requires a valid DBUS session to work. When run non-interactively,
 # we assume that a sesssion is running for the current user.
-export DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u $USER)/bus"
+DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$(id -u "$USER")/bus"
+export DBUS_SESSION_BUS_ADDRESS
 
 if [[ $TASK == "disable-unsafe-power-management" ]]; then
   echo "update-xfce-settings: Disabling unsafe power management options for user $USER"

files/destroy-vm

@@ -9,7 +9,6 @@ import sys
 
 import qubesadmin
 
-
 SDW_DEFAULT_TAG = "sd-workstation"
 
 

files/press.freedom.SecureDropUpdater.desktop

@@ -0,0 +1,7 @@
+[Desktop Entry]
+Version=1.0
+Type=Application
+Terminal=false
+Icon=securedrop
+Name=SecureDrop
+Exec=sdw-updater

files/provision-all

@@ -43,6 +43,7 @@ sudo qubesctl --show-output --max-concurrency "$max_concurrency" --skip-dom0 --t
 echo ".........................................................................."
 echo "Add SecureDrop export device handling to sys-usb"
 # If sd-fedora-39-dvm exists it's because salt determined that sys-usb was disposable
+# shellcheck disable=SC2015
 qvm-check --quiet sd-fedora-39-dvm 2> /dev/null && \
   sudo qubesctl --show-output --skip-dom0 --targets sd-fedora-39-dvm state.highstate && \
   qvm-shutdown --wait sys-usb && qvm-start sys-usb || \

files/sdw-admin.py

@@ -4,13 +4,14 @@
 packages only puts the files in place `/srv/salt` but does not apply the state, nor
 does it handle the config.
 """
-import sys
 import argparse
-import subprocess
 import os
-import qubesadmin
+import subprocess
+import sys
 from typing import List
 
+import qubesadmin
+
 SCRIPTS_PATH = "/usr/share/securedrop-workstation-dom0-config/"
 SALT_PATH = "/srv/salt/sd/"
 BASE_TEMPLATE = "debian-12-minimal"