cfm
commented
2 years ago - Install target: NUC11s
- Tails version: 4.29 → 5.0
- Test Scenario: Tails upgrade
- SSH over Tor: yes
- Release candidate:
2.3.2-rc1 - General notes: Some testinfra failures. Once the Tails environment is upgraded to Tails 5.0, the test plan itself is fragile around the Updater, but everything checks out as long as you don't (allow the Updater to) downgrade to
2.3.1.
Basic Server Testing
- [x] After installing the testinfra dependencies, all tests in
./securedrop-admin verifyare passing:- Install dependencies on Admin Workstation with
cd ~/Persistent/securedrop && ./securedrop-admin setup -t - Run tests with
./securedrop-admin verify(this will take a while) - Remove test dependencies:
rm -rf admin/.venv3/ && ./securedrop-admin setup
- Install dependencies on Admin Workstation with
Exceptions:
FAILED common/test_automatic_updates.py::test_automatic_updates_dependencies[paramiko:/mon]
FAILED common/test_automatic_updates.py::test_cron_apt_config[paramiko:/mon]
FAILED common/test_automatic_updates.py::test_unattended_upgrades_functional[paramiko:/app]- [x] QA Matrix checks pass
Command Line User Generation
- [x] Can successfully add admin user and login
Administration
- [x] I have backed up and successfully restored the app server following the backup documentation
- [x] If doing upgrade testing, make a backup on 2.3.1 and restore this backup on this release candidate
- [x] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
- [x] Can successfully add journalist account with HOTP authentication
Application Acceptance Testing
Source Interface
Landing page base cases
- [x] JS warning bar does not appear when using Security Slider high
- [x] JS warning bar does appear when using Security Slider Low
First submission base cases
- [x] On generate page, refreshing page produces a new 7-word codename
- [x] On submit page, empty submissions produce flashed message
- [x] On submit page, short message submitted successfully
- [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
- [x] On submit page, file less than 500 MB submitted successfully
Returning source base cases
- [x] Nonexistent codename cannot log in
- [x] Empty codename cannot log in
- [x] Legitimate codename can log in
- [x] Returning user can view journalist replies - need to log into journalist interface to test
Journalist Interface
Login base cases
- [x] Can log in with 2FA tokens
- [x] incorrect password cannot log in
- [x] invalid 2fa token cannot log in
- [x] 2fa immediate reuse cannot log in
- [x] Journalist account with HOTP can log in
Index base cases
- [x] Filter by codename works
- [x] Starring and unstarring works
- [x] Click select all selects all submissions
- [x] Selecting all and clicking "Download" works
Individual source page
- [x] You can submit a reply and a flashed message and new row appears
- [x] You cannot submit an empty reply
- [x] Clicking "Delete Source Account" and the source and docs are deleted
- [x] You can click on a document and successfully decrypt using application private key
Basic Tails Testing
After updating to this release candidate and running securedrop-admin tailsconfig
- [x] The Updater GUI appears on boot
- [x] Updating to 2.3.1 is successful
2.3.2 release-specific changes
Tails Upgrade, Tails 4.29 to Tails 5.0
- on the 4.29 workstation with the 2.3.2 rc code deployed:
- [x] verify that the clean install cases above are passing
Except for securedrop-admin verify failures logged above.
-
perform a manual upgrade using a Tails 5.0 reference USB
-
[x] reboot the admin workstation and verify that the upgrade completed successfully and the persistent volume is available
-
[x] run
cd Persistent/securedrop && ./securedrop-admin tailsconfigand verify that an error message indicating that a Tails 4 virtualenv was detected and deleted is displayed -
[x] run
./securedrop-admin setupand verify that it completes successfully -
[x] verify that the clean install cases above complete successfully
-
[x] ./securedrop-admin setup completed successfully
-
[x] apt-cache policy ccontrol shows that ccontrol is not installed
-
[x] the admin sdconfig, install, and tailsconfig commands completed successfully
-
[x] the servers are accessible over ssh and the SI and JI are available via desktop shortcuts
-
[x] backup and restore work correctly
-
[x] the JI and SSH services are still available after restarting the network connection.
-
For application testing, repeated only those cases involving the Admin Workstation:
- [x] After installing the testinfra dependencies, all tests in
./securedrop-admin verifyare passing:
FAILED common/test_automatic_updates.py::test_all_packages_updated[paramiko:/app]
FAILED common/test_automatic_updates.py::test_unattended_upgrades_functional[paramiko:/mon]
FAILED common/test_automatic_updates.py::test_all_packages_updated[paramiko:/mon]
FAILED common/test_automatic_updates.py::test_unattended_upgrades_functional[paramiko:/app]
```
=================================== FAILURES ===================================
__________________ test_all_packages_updated[paramiko://app] ___________________
[gw1] linux -- Python 3.9.2 /home/amnesia/Persistent/securedrop/admin/.venv3/bin/python
host = - [x] QA Matrix checks pass
...
- [x] I have backed up and successfully restored the app server following the backup documentation
- [x] If doing upgrade testing, make a backup on 2.3.1 and restore this backup on this release candidate
...
-
[x] Can successfully add journalist account with HOTP authentication
-
restart the network connection
- [x] verify that the GUI updater is displayed
- [x] verify that the update can be performed and the current release code (2.3.1) is deployed.
Yup, and breaks the 2.3.2-rc1 virtualenv! ;-) Required to recover:
amnesia@amnesia:~/Persistent/securedrop$ rm -rf admin/.venv3
amnesia@amnesia:~/Persistent/securedrop$ git checkout 2.3.2-rc1
amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin setup
amnesia@amnesia:~/Persistent/securedrop$ ./securedrop-admin tailsconfigThen a network bounce triggers the SecureDrop Updater prompt as expected.
zenmonkeykstop
eaon
This is a tracking issue for the release of SecureDrop 2.3.2
Tentatively scheduled as follows:
Pre-release announcement: 2022-05-03 Release date: 2022-05-05
Release manager: KOG Deputy release manager: TBD Communications manager:: TBD (As this is a hotfix release with no translated string changes, no LM is assigned.)
SecureDrop maintainers and testers: As you QA 2.3.2, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release".
Test debian packages will be posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.
QA Matrix for 2.3.2
Test Plan for 2.3.2
Prepare release candidate (2.3.2~rc1)
2.3.2~rc1on test apt serverAfter each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and release-specific testing below in comments to this ticket.
Final release
releasebranch in the LFS repo)releasebranch in the LFS repo for the debs)mainin the LFS repo)mainand verify new docs build in securedrop-docs repoPost release
securedrop-docsand Wagtaildevelop