Provision submission key fingerprint in config.json to sd-svs

The SecureDrop client expects a file named config.json in /home/user/.securedrop_client/ containing the journalist key fingerprint. This key is used to encrypt replies to the submission (journalist key), so that replies can be decrypted by journalists in the client. This is because replies are encrypted in the client. /home/user/.securedrop_client folder is populated on first run, and since it's the home directory, must be applied to `sd-svs` and not `sd-svs-template` dom0 config.json file should now contain the GPG fingerprint of the submission key, which will populate config.json file in sd-svs.
freedomofpress · Jul 17, 2019 · 8fff04c · 8fff04c
1 parent 605d2fa
commit 8fff04c
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -39,6 +39,7 @@ sd-gpg: prep-salt ## Provisions SD GPG keystore VM
 sd-svs: prep-salt ## Provisions SD SVS VM
 	sudo qubesctl top.enable sd-svs
 	sudo qubesctl top.enable sd-svs-files
+	sudo qubesctl top.enable sd-svs-config
 	sudo qubesctl --show-output --targets sd-svs-template state.highstate
 	sudo qubesctl --show-output --targets sd-svs state.highstate
 

diff --git a/config.json.example b/config.json.example
@@ -1,4 +1,5 @@
 {
+  "submission_key_fpr": "65A1B5FF195B56353CC63DFFCC40EF1228271441",
   "hidserv": {
     "hostname": "avgfxawdn6c3coe3.onion",
     "key": "Il8Xas7uf6rjtc0LxYwhrx"

diff --git a/dom0/sd-svs-config.sls b/dom0/sd-svs-config.sls
@@ -0,0 +1,24 @@
+##
+# sd-svs-config
+# ========
+#
+# Moves files into place on sd-svs
+#
+#
+
+# populate config.json for sd-svs. This contains the journalist_key_fingerprint
+# used to encrypt replies
+
+{% import_json "sd/config.json" as d %}
+
+install-securedrop-proxy-yaml-config:
+  file.managed:
+    - name: /home/user/.securedrop_client/config.json
+    - source: salt://sd/sd-svs/config.json.j2
+    - template: jinja
+    - context:
+        submission_fpr: {{ d.submission_key_fpr}}
+    - user: user
+    - group: user
+    - mode: 0600
+    - makedirs: True
diff --git a/dom0/sd-svs-config.top b/dom0/sd-svs-config.top
@@ -0,0 +1,3 @@
+base:
+  sd-svs:
+    - sd-svs-config
diff --git a/dom0/sd-svs-files.sls b/dom0/sd-svs-files.sls
@@ -5,7 +5,7 @@
 # sd-svs-files
 # ========
 #
-# Moves files into place on sd-svs
+# Moves files into place on sd-svs-template
 #
 ##
 include:

diff --git a/sd-svs/config.json.j2 b/sd-svs/config.json.j2
@@ -0,0 +1 @@
+{"journalist_key_fingerprint": "{{ submission_fpr }}"}
diff --git a/tests/test_svs.py b/tests/test_svs.py
@@ -1,3 +1,4 @@
+import json
 import unittest
 
 from base import SD_VM_Local_Test
@@ -26,6 +27,14 @@ def test_mimeapps(self):
     def test_sd_client_package_installed(self):
         self.assertTrue(self._package_is_installed("securedrop-client"))
 
+    def test_sd_client_config(self):
+        with open("config.json") as c:
+            config = json.load(c)
+            submission_fpr = config['submission_key_fpr']
+
+        line = '{{"journalist_key_fingerprint": "{}"}}'.format(submission_fpr)
+        self.assertFileHasLine("/home/user/.securedrop_client/config.json", line)
+
 
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Tests)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"journalist_key_fingerprint": "{{ submission_fpr }}"}