Removes tor-apt repo from securedrop-config

As part of the 0.12.0 release, we're consolidating the separate tor-apt
repo into part of the main apt.freedom.press repository. As such, we
must clean up references to the old tor-apt repository on disk.
Accordingly, increments the version of the `securedrop-config` package.

Includes updates to relevant Ansible logic, for backwards compatibility,
as well as config tests, which aim to ensure that the old tor-specific
apt repos are not configured anywhere on the system.

install_files/ansible-base/group_vars/all/securedrop

@@ -41,8 +41,6 @@ appserver_dependencies:
   - supervisor
   - libpython2.7-dev
 
-tor_apt_repo_url: https://tor-apt.freedom.press
-
 # Enable Tor over SSH by default
 enable_ssh_over_tor: true
 

install_files/ansible-base/group_vars/securedrop_application_server.yml

@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-config-0.1.1+{{ securedrop_app_code_version }}-amd64.deb"
+  - "securedrop-config-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-ossec-agent-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
   - "{{ securedrop_app_code_deb }}.deb"
   - "ossec-agent-3.0.0-amd64.deb"

install_files/ansible-base/group_vars/securedrop_monitor_server.yml

@@ -7,7 +7,7 @@ ip_info:
 ### Used by the install_local_deb_pkgs role ###
 local_deb_packages:
   - "securedrop-keyring-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
-  - "securedrop-config-0.1.1+{{ securedrop_app_code_version }}-amd64.deb"
+  - "securedrop-config-0.1.2+{{ securedrop_app_code_version }}-amd64.deb"
   - "securedrop-ossec-server-3.0.0+{{ securedrop_app_code_version }}-amd64.deb"
   - ossec-server-3.0.0-amd64.deb
 

install_files/ansible-base/roles/common/templates/security.list

@@ -3,4 +3,3 @@ deb-src http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-sec
 deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security universe
 deb-src http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security universe
 deb [arch=amd64] {{ apt_repo_url }} {{ ansible_distribution_release }} main
-deb {{ tor_apt_repo_url }} {{ ansible_distribution_release }} main

install_files/ansible-base/roles/tor-hidden-services/defaults/main.yml

@@ -2,7 +2,3 @@
 tor_hidden_services_parent_dir: /var/lib/tor/services
 tor_user: debian-tor
 enable_ssh_over_tor: true
-
-# Enabling support for trusty by default. Can be overridden to evaluate
-# xenial support.
-tor_apt_target_distro: "{{ ansible_distribution_release }}"

install_files/ansible-base/roles/tor-hidden-services/tasks/install_tor.yml

@@ -7,12 +7,10 @@
     - apt
     - tor
 
-- name: Setup Tor apt repo.
-  apt_repository:
-    filename: tor_apt_freedom_press
-    repo: deb {{ tor_apt_repo_url }} {{ tor_apt_target_distro }} main
-    state: present
-  register: add_tor_apt_repo
+- name: Remove Tor apt repo, so FPF repo is used.
+  file:
+    path: /etc/apt/sources.list.d/tor_apt_freedom_press.list
+    state: absent
   tags:
     - apt
     - tor

install_files/securedrop-config/DEBIAN/control

@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: SecureDrop Team <[email protected]>
 Homepage: https://securedrop.org
 Package: securedrop-config
-Version: 0.1.1+0.12.0~rc1
+Version: 0.1.2+0.12.0~rc1
 Architecture: all
 Description: Establishes baseline system state for running SecureDrop.
  Configures apt repositories.

install_files/securedrop-config/DEBIAN/postinst

@@ -40,17 +40,25 @@ allow_apt_user_in_iptables() {
     fi
 }
 
-case "$1" in
-    configure)
-
+manage_tor_repo_config() {
     # Ensure official Tor repo entry is removed, so that only FPF mirror is used.
     rm -f /etc/apt/sources.list.d/deb_torproject_org_torproject_org.list
 
-    # Repoint tor repositories to FPF mirror
+    # Ensure FPF mirror config is removed, so that only primary FPF repo is used
+    rm -f /etc/apt/sources.list.d/tor_apt_freedom_press.list
+
+    # Remove references to separate Tor-specific repositories
     apt_security_list="/etc/apt/security.list"
     if [ -f "$apt_security_list" ]; then
-        sed -i 's/deb\.torproject\.org\/torproject\.org/tor-apt.freedom.press/g' "$apt_security_list"
+        sed -i '/deb\.torproject\.org\/torproject\.org/d' "$apt_security_list"
+        sed -i '/tor-apt\.freedom\.press/d' "$apt_security_list"
     fi
+}
+
+case "$1" in
+    configure)
+
+    manage_tor_repo_config
     remove_2fa_tty_req
     disable_upgrade_prompt
 

molecule/builder-trusty/tests/vars.yml

@@ -2,7 +2,7 @@
 securedrop_version: "0.12.0~rc1"
 ossec_version: "3.0.0"
 keyring_version: "0.1.2"
-config_version: "0.1.1"
+config_version: "0.1.2"
 grsec_version: "4.4.167"
 
 # These values will be interpolated with values populated above

molecule/libvirt-staging-xenial/ansible-override-vars.yml

@@ -9,5 +9,4 @@ ssh_ip: "{{ ansible_default_ipv4.address }}"
 # Override "xenial" target with trusty, since we don't have a xenial
 # channel in the apt repo yet.
 apt_repo_target_distro: trusty
-tor_apt_target_distro: trusty
 securedrop_staging_install_target_distro: xenial

molecule/testinfra/staging/common/test_cron_apt.py

@@ -41,7 +41,6 @@ def test_cron_apt_config(File):
   'deb http://security.ubuntu.com/ubuntu {securedrop_target_platform}-security universe',
   'deb-src http://security.ubuntu.com/ubuntu {securedrop_target_platform}-security universe',
   'deb [arch=amd64] {fpf_apt_repo_url} {securedrop_target_platform} main',
-  'deb https://tor-apt.freedom.press {securedrop_target_platform} main',
 ])
 def test_cron_apt_repo_list(host, repo):
     """

molecule/testinfra/staging/common/test_tor_mirror.py

@@ -2,19 +2,17 @@
 import pytest
 
 
-@pytest.mark.skipif(
-        os.environ.get('CIRCLE_BRANCH', 'na').startswith('release'),
-        reason="Release branches will use tor-apt-test repo")
-def test_tor_mirror_present(host):
+@pytest.mark.parametrize('repo_file', [
+    "/etc/apt/sources.list.d/deb_torproject_org_torproject_org.list",
+])
+def test_tor_mirror_absent(host, repo_file):
     """
-    Ensure the FPF mirror of the Tor apt repo, tor-apt.freedom.press,
-    is configured. This repository required manual updating with current
-    tor releases, to avoid breakage of untested updates.
+    Ensure that neither the Tor Project repo, nor the FPF mirror of the
+    Tor Project repo, tor-apt.freedom.press, are configured. We've moved
+    to hosting Tor packages inside the primary FPF apt repo.
     """
-    f = '/etc/apt/sources.list.d/tor_apt_freedom_press.list'
-
-    regex = ('^deb https:\/\/tor-apt\.freedom\.press trusty main$')
-    assert host.file(f).contains(regex)
+    f = host.file(repo_file)
+    assert not f.exists
 
 
 def test_tor_keyring_absent(host):
@@ -54,42 +52,20 @@ def test_tor_mirror_fingerprint(host, tor_key_info):
     assert tor_key_info not in c.stdout
 
 
-@pytest.mark.parametrize('filename', [
-    '/etc/apt/security.list',
-    '/etc/apt/sources.list.d',
+@pytest.mark.parametrize('repo_pattern', [
+    'deb.torproject.org',
+    'tor-apt.freedom.press',
+    'tor-apt-test.freedom.press',
 ])
-def test_tor_project_repo_absent(host, filename):
+def test_tor_repo_absent(host, repo_pattern):
     """
     Ensure that no apt source list files contain the entry for
     the official Tor apt repo, since we don't control issuing updates
     in that repo. We're mirroring it to avoid breakage caused by
     untested updates (which has broken prod twice to date).
     """
-    c = host.run("grep -riP 'deb\.torproject\.org' {}".format(filename))
+    cmd = "grep -rF '{}' /etc/apt/".format(repo_pattern)
+    c = host.run(cmd)
     # Grep returns non-zero when no matches, and we want no matches.
     assert c.rc != 0
     assert c.stdout == ""
-
-
-def test_tor_project_repo_files_absent(host):
-    """
-    Ensure that specific apt source list files are absent,
-    having been 'hidden' via the securedrop-config package.
-    """
-    f = "/etc/apt/sources.list.d/deb_torproject_org_torproject_org.list"
-    assert not host.file(f).exists
-
-
-def test_tor_mirror_repo_declared_only_once(host):
-    """
-    The apt repo config is written both via the `securedrop-config`
-    package and via Ansible at install time. The filename logic
-    was slightly different for both between 0.5 and 0.6, so let's
-    ensure that we've cleaned up adequately, and the tor-apt mirror
-    is declared on the system only once.
-    """
-    c = host.command("grep -rl tor-apt /etc/apt/")
-    assert c.rc == 0
-    files_found = c.stdout.rstrip("\n").split("\n")
-    # Two files are expected, cron-apt and one apt repo
-    assert len(files_found) == 2

molecule/virtualbox-staging-xenial/ansible-override-vars.yml

@@ -9,6 +9,5 @@ ssh_ip: "{{ ansible_default_ipv4.address }}"
 # Override "xenial" target with trusty, since we don't have a xenial
 # channel in the apt repo yet.
 apt_repo_target_distro: trusty
-tor_apt_target_distro: trusty
 
 securedrop_staging_install_target_distro: xenial