From 8fff04c8ba5be315e00f05d51913f7e479e948fc Mon Sep 17 00:00:00 2001
From: mickael e
Date: Wed, 17 Jul 2019 16:36:34 -0400
Subject: [PATCH] Provision submission key fingerprint in config.json to sd-svs

The SecureDrop client expects a file named config.json in /home/user/.securedrop_client/ containing the journalist key fingerprint. This key is used to encrypt replies to the submission (journalist key), so that replies can be decrypted by journalists in the client. This is because replies are encrypted in the client. /home/user/.securedrop_client folder is populated on first run, and since it's the home directory, must be applied to `sd-svs` and not `sd-svs-template` dom0 config.json file should now contain the GPG fingerprint of the submission key, which will populate config.json file in sd-svs.
---
 Makefile | 1 +
 config.json.example | 1 +
 dom0/sd-svs-config.sls | 24 ++++++++++++++++++++++++
 dom0/sd-svs-config.top | 3 +++
 dom0/sd-svs-files.sls | 2 +-
 sd-svs/config.json.j2 | 1 +
 tests/test_svs.py | 9 +++++++++
 7 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 dom0/sd-svs-config.sls
 create mode 100644 dom0/sd-svs-config.top
 create mode 100644 sd-svs/config.json.j2

diff --git a/Makefile b/Makefile
index 0e22f447..27437b31 100644
--- a/Makefile
+++ b/Makefile
@@ -39,6 +39,7 @@ sd-gpg: prep-salt ## Provisions SD GPG keystore VM
 sd-svs: prep-salt ## Provisions SD SVS VM
 	sudo qubesctl top.enable sd-svs
 	sudo qubesctl top.enable sd-svs-files
+	sudo qubesctl top.enable sd-svs-config
 	sudo qubesctl --show-output --targets sd-svs-template state.highstate
 	sudo qubesctl --show-output --targets sd-svs state.highstate
diff --git a/config.json.example b/config.json.example
index 1c6cdaf4..d82800cc 100644
--- a/config.json.example
+++ b/config.json.example
@@ -1,4 +1,5 @@
 {
+  "submission_key_fpr": "65A1B5FF195B56353CC63DFFCC40EF1228271441",
   "hidserv": {
     "hostname": "avgfxawdn6c3coe3.onion",
     "key": "Il8Xas7uf6rjtc0LxYwhrx"
diff --git a/dom0/sd-svs-config.sls b/dom0/sd-svs-config.sls
new file mode 100644
index 00000000..dd72aa1d
--- /dev/null
+++ b/dom0/sd-svs-config.sls
@@ -0,0 +1,24 @@
+##
+# sd-svs-config
+# ========
+#
+# Moves files into place on sd-svs
+#
+#
+
+# populate config.json for sd-svs. This contains the journalist_key_fingerprint
+# used to encrypt replies
+
+{% import_json "sd/config.json" as d %}
+
+install-securedrop-proxy-yaml-config:
+  file.managed:
+    - name: /home/user/.securedrop_client/config.json
+    - source: salt://sd/sd-svs/config.json.j2
+    - template: jinja
+    - context:
+        submission_fpr: {{ d.submission_key_fpr}}
+    - user: user
+    - group: user
+    - mode: 0600
+    - makedirs: True
diff --git a/dom0/sd-svs-config.top b/dom0/sd-svs-config.top
new file mode 100644
index 00000000..f3044991
--- /dev/null
+++ b/dom0/sd-svs-config.top
@@ -0,0 +1,3 @@
+base:
+  sd-svs:
+    - sd-svs-config
diff --git a/dom0/sd-svs-files.sls b/dom0/sd-svs-files.sls
index c46d312a..3e45ba5c 100644
--- a/dom0/sd-svs-files.sls
+++ b/dom0/sd-svs-files.sls
@@ -5,7 +5,7 @@
 # sd-svs-files
 # ========
 #
-# Moves files into place on sd-svs
+# Moves files into place on sd-svs-template
 #
 ##
 include:
diff --git a/sd-svs/config.json.j2 b/sd-svs/config.json.j2
new file mode 100644
index 00000000..fd47ef38
--- /dev/null
+++ b/sd-svs/config.json.j2
@@ -0,0 +1 @@
+{"journalist_key_fingerprint": "{{ submission_fpr }}"}
diff --git a/tests/test_svs.py b/tests/test_svs.py
index 61133469..49083bbe 100644
--- a/tests/test_svs.py
+++ b/tests/test_svs.py
@@ -1,3 +1,4 @@
+import json
 import unittest
 from base import SD_VM_Local_Test
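Review bot: The state id `install-securedrop-proxy-yaml-config` in dom0/sd-svs-config.sls names a different file than the one the state actually writes (`/home/user/.securedrop_client/config.json`); rename it, e.g. `install-securedrop-client-config`, so highstate output and future `require` references are not misleading. The fingerprint is also spliced unescaped into the one-line template `sd-svs/config.json.j2`, so a `submission_key_fpr` value containing `"` or `\` yields invalid JSON, and nothing checks that the value looks like a 40-character hex fingerprint before it is written. Letting Salt serialize the document with `file.serialize` and `formatter: json` removes both the hand-written JSON and the template file; the line match in `tests/test_svs.py` would then need to parse the file rather than compare the exact line, since serializer whitespace may differ. It is also worth confirming that the directory `makedirs` creates for `/home/user/.securedrop_client` ends up owned by `user` with a restrictive mode, given the commit message says the client populates that directory on first run.
```yaml
install-securedrop-client-config:
  file.serialize:
    - name: /home/user/.securedrop_client/config.json
    - dataset:
        journalist_key_fingerprint: {{ d.submission_key_fpr }}
    - formatter: json
    # … unchanged: user, group, mode, makedirs …
```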
@@ -26,6 +27,14 @@ def test_mimeapps(self):
     def test_sd_client_package_installed(self):
         self.assertTrue(self._package_is_installed("securedrop-client"))
+    def test_sd_client_config(self):
+        with open("config.json") as c:
+            config = json.load(c)
+        submission_fpr = config['submission_key_fpr']
+
+        line = '{{"journalist_key_fingerprint": "{}"}}'.format(submission_fpr)
+        self.assertFileHasLine("/home/user/.securedrop_client/config.json", line)
+
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_SVS_Tests)
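Review bot: `test_sd_client_config` opens `config.json` by a path relative to the current working directory, while the state reads it from the salt tree as `sd/config.json`, so the test passes only when run from the repository root and compares against whatever file is there; resolving it next to the test module (with an `import os`, `os.path.join(os.path.dirname(__file__), "..", "config.json")`) would make that dependency explicit. The expected line is rebuilt with `.format` to match the template byte for byte, so any change in JSON whitespace or key order fails the test even when the fingerprint is correct; if the base class offers a way to read the remote file, parsing it with `json.loads` and comparing `journalist_key_fingerprint` against `submission_fpr` is more robust. Nothing here checks the `0600` mode and `user` ownership the state sets on the file, which is the part most likely to regress silently. The enclosing `SD_SVS_Tests` class starts outside the hunk.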