freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!
https://securedrop.org/

No longer auto-rename /etc/apt/sources.list.d/apt_test_freedom_press.list or make sure to change contents of file too #5737

Open sssoleileraaa opened 3 years ago

sssoleileraaa commented 3 years ago

Description

./securedrop-admin verify can be run after installing SecureDrop to check that the install is set up and functioning properly. If you are a developer testing SecureDrop packages hosted on the apt-test server, then you probably ran the securedrop-qa.yml playbook to replace /etc/apt/sources.list.d/apt_freedom_press.list with /etc/apt/sources.list.d/apt_test_freedom_press.list (containing the corresponding apt repo URLs within the files) on your app and mon servers.

Sometimes during QA you have to run ./securedrop-admin install with changed site settings, which I believe renames the /etc/apt/sources.list.d/apt_test_freedom_press.list files on both servers to /etc/apt/sources.list.d/apt_freedom_press.list but does not change the apt repo url within the files, so it remains https://apt-test.freedom.press. Then, when you run ./securedrop-admin verify the test will fail (after about 20 minutes of run time) saying that the apt repo doesn't match the name of the source list file. The script fails and stops all remaining checks, so you have to run the securedrop-qa.yml playbook again to undo the renaming of the source file.

So two things:

(1) If we want ./securedrop-admin install to ensure that we're using our stable apt server (instead of apt-test), then we should also make sure to update the contents of the source list file to specify the correct server.

(2) Since the install script overwrites our apt-test source list file, we should make it clear in the developer docs that you should run the securedrop-qa.yml playbook again before running ./securedrop-admin verify OR perhaps add an option for skipping this check if doing QA (other ideas?)
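An added example, not part of the issue or of the SecureDrop code base: a quick pre-flight check for the file name/contents mismatch described above, which can be run on a server before starting the long verify run. The file names and the apt-test host are taken from the issue; the stable host apt.freedom.press and the helper names are assumptions.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Source list file name -> apt host expected inside it. The file names and the
# apt-test host come from the issue; the stable host is an assumption.
EXPECTED_HOST = {
    "apt_freedom_press.list": "apt.freedom.press",
    "apt_test_freedom_press.list": "apt-test.freedom.press",
}

# One-line-style entry: "deb [options] uri suite component..."
ENTRY = re.compile(r"^\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(\S+)")


def repo_hosts(text):
    """Return the hosts of all active (uncommented) deb entries."""
    hosts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments and commented-out entries
        m = ENTRY.match(line)
        if m:
            hosts.append(urlsplit(m.group(1)).hostname)
    return hosts


def check_sources_dir(directory):
    """Return (file name, host found, host expected) for every mismatch."""
    mismatches = []
    for name, expected in sorted(EXPECTED_HOST.items()):
        path = Path(directory) / name
        if not path.is_file():
            continue
        for host in repo_hosts(path.read_text()):
            if host != expected:
                mismatches.append((name, host, expected))
    return mismatches


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else "/etc/apt/sources.list.d"
    problems = check_sources_dir(directory)
    for name, found, expected in problems:
        print(f"{name}: points at {found}, expected {expected}")
    sys.exit(1 if problems else 0)
```

A non-zero exit status means at least one source list file points at a host that does not match its name.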

sssoleileraaa commented 3 years ago

It looks like ./securedrop-admin verify also fails on test_fpf_apt_repo.py::test_apt_repo_present if you are using the apt-test server. The output is confusing, but here is what I was able to gather while watching this long script run (a consolidated grouping of the failures and skips where some of the failures happened twice - one for the mon and one for the app):

skip test_apparmor.py::test_app_apparmor_complain
fail test_ossec_agent.py::test_ossec_keyfile_present
fail test_cron_apt.py::test_cron_apt_repo_list
fail test_fpf_apt_repo.py::test_fpf_apt_repo_present
skip test_grsecurity.py::test_pax_flags (grub-probe)
skip test_grsecurity.py::test_pax_flags (grub-mkdevicemap)
skip test_grsecurity.py::test_pax_flags (grub-script-check)
fail test_ossec_server.py::test_ossec_keyfiles (sslmanager.key)
fail test_ossec_server.py::test_ossec_keyfiles (sslmanager.cert)
pass test_ossec_server.py::test_procmail
skip test_journalist_mail.py::TestJournalistMail::test_procmail
skip test_journalist_mail.py::TestJournalistMail::test_send_encrypted_alert
skip test_journalist_mail.py::TestJournalistMail::test_missing_journalist_alert
skip test_journalist_mail.py::TestJournalistMail::test_ossec_rule_journalist
skip test_journalist_mail.py::TestJournalistMail::test_process_submissions_today
skip test_journalist_mail.py::TestJournalistMail::test_journalist_mail_notification

At the end it says:

4 failed, 7 skipped, 3 xfailed

but it looks like more tests were skipped in the output