freedomofpress / securedrop

GitHub repository for the SecureDrop whistleblower platform. Do not submit tips here!

https://securedrop.org/

Other

3.62k stars 686 forks source link

Release SecureDrop 2.6.0 #6798

Closed zenmonkeykstop closed 1 year ago

zenmonkeykstop commented 1 year ago

This is a tracking issue for the release of SecureDrop 2.6.0

Tentatively scheduled as follows:

Pre-release announcement: 06-15-2023 Release date: 06-22-2023

Release manager: @legoktm Deputy release manager: @zenmonkeykstop Localization manager: @cfm Communications manager: @nathandyer

SecureDrop maintainers and testers: As you QA 2.6.0, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release".

Test debian packages will be posted on https://apt-test.freedom.press signed with the test key.

QA Matrix for 2.6.0

Test Plan for 2.6.0

Prepare release candidate (2.6.0~rc1)

[ ] Link to latest version of Tails, including release candidates, to test against during QA
[x] Prepare 2.6.0~rc1 release changelog
[x] Branch off release/2.6.0 from develop
[x] Prepare 2.6.0
[x] Build debs, preserving build log, and put up 2.6.0~rc1 on test apt server
[x] Commit build log.

After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and release-specific testing below in comments to this ticket.

Final release

[x] Ensure builder in release branch is updated and/or update builder image
[x] Push signed tag
[x] Pre-Flight: Test updater logic in Tails (apt-qa tracks the release branch in the LFS repo)
[x] Build final Debian packages(and preserve build log)
[x] Commit package build log to https://github.com/freedomofpress/build-logs
[x] Pre-Flight: Test that install and upgrade from 2.5.2 to 2.6.0 works w/ prod repo debs (apt-qa.freedom.press polls the release branch in the LFS repo for the debs)
[x] Flip apt QA server to prod status (merge to main in the LFS repo)
[x] Merge Docs branch changes to main and verify new docs build in securedrop-docs repo
[x] Prepare release messaging

Post release

[x] Create GitHub release object
[x] Once release object is created, update versions in securedrop-docs and Wagtail
[x] Verify new docs show up on https://docs.securedrop.org
[x] Publish announcements
[ ] Merge changelog back to develop
[ ] Update roadmap wiki page: https://github.com/freedomofpress/securedrop/wiki/Development-Roadmap

cfm commented 1 year ago

Environment

Install target: virtual machines
Tails version: 5.14
Test Scenario: clean installation
SSH over Tor: yes
Release candidate: 2.6.0-rc1
General notes: The servers passed all tests. Admin Workstation testing surfaced #6847.

(.venv) root@sd-staging:~/securedrop# virsh domifaddr libvirt-prod-focal_app-prod
 Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------
 vnet5      52:54:00:4c:4d:c1    ipv4         192.168.121.215/24
(.venv) root@sd-staging:~/securedrop# virsh domifaddr libvirt-prod-focal_mon-prod
 Name       MAC address          Protocol     Address
-------------------------------------------------------------------------------
 vnet7      52:54:00:c4:7e:e5    ipv4         192.168.121.36/24

Basic Server Testing

[x] After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
- Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
- Run tests with ./securedrop-admin verify (this will take a while)
- Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
[x] QA Matrix checks pass

Command Line User Generation

[x] Can successfully add admin user and login

(Optional) Administration

~~I have backed up and successfully restored the app server following the backup documentation~~
~~If doing upgrade testing, make a backup on 2.5.2 and restore this backup on this release candidate~~
[x] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
~~Can successfully add journalist account with HOTP authentication~~

(Optional) Application Acceptance Testing

Source Interface

Landing page base cases

[x] JS warning bar does not appear when using Security Slider high
[x] JS warning bar does appear when using Security Slider Low

First submission base cases

[x] On generate page, refreshing page produces a new 7-word codename
[x] On submit page, empty submissions produce flashed message
[x] On submit page, short message submitted successfully
[x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
[x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

[x] Nonexistent codename cannot log in
[x] Empty codename cannot log in
[x] Legitimate codename can log in
[x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

[x] Can log in with 2FA tokens
[x] incorrect password cannot log in
[x] invalid 2fa token cannot log in
[x] 2fa immediate reuse cannot log in
~~Journalist account with HOTP can log in~~

Index base cases

[x] Filter by codename works
[x] Starring and unstarring works
[x] Click select all selects all submissions
[x] Selecting all and clicking "Download" works

Individual source page

[x] You can submit a reply and a flashed message and new row appears
[x] You cannot submit an empty reply
[x] Clicking "Delete Source Account" and the source and docs are deleted
[x] You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

[x] The Updater GUI appears on boot

2.6.0 release-specific changes

[x] #6657 - switch to argon2id hashes
- Upgrade only Before upgrading, create a journalist or admin account
- Upgrade only After upgrading, verify that existing journalist accounts can still log in
- [x] Verify that new journalist accounts can log in
- [x] In the application db, verify that all journalist account password hashes start with '$argon2id$...'
[x] #6681 - remove i18n globals
- [x] in SI, locale switcher works as expected
- [x] In JI, locale switcher works as expected

[x] #6738 - add descriptive titles
- [x] SI pages have descriptive titles based on the pages' main headers
- [x] JI pages have descriptive titles based on the pages' main headers
[x] #6768 - update CSP policy
- [x] In the SI, the Cross-Origin-Resource-Policy header is set with value same-origin
- [x] In the JI, the Cross-Origin-Resource-Policy header is set with value same-origin
[x] #6826 - remove stale pending sources
- On the app server, generate more than 100 pending sources using eg:
```
sudo -u www-data bash
cd /var/www/securedrop/
./loaddata.py --source-count 110 --files-per-source 0 --messages-per-source 0 --replies-per-source 0
```
- Trigger the removal service with sudo systemctl start securedrop-remove-pending-sources.service
- [x] Verify that only 100 pending sources remain in the database

agrant@app-prod:~$ sudo -u www-data sqlite3 /var/lib/securedrop/db.sqlite "SELECT COUNT(*) FROM sources;" 
111 
vagrant@app-prod:~$ sudo systemctl start securedrop-remove-pending-sources.service 
vagrant@app-prod:~$ sudo -u www-data sqlite3 /var/lib/securedrop/db.sqlite "SELECT COUNT(*) FROM sources;" 
101

[x] #6712 - add a Gnome shell extension
- Fresh install only After running ./securedrop-admin tailsconfig, verify that:
- [x] The playbook message directs you to reboot
- [x] After rebooting, a SecureDrop menu is available in the top menubar including options to access the SI and JI, SSH to servers, access the Persistent directory, and start KeePassXC
- ~~after setting up a Journalist Workstation and rebooting, the same menu and options are available with the exception of the SSH options.~~
- Upgrade only Upgrade the Tails Workstation to the latest RC by running the following commands in a terminal:
```
cd Persistent/securedrop
git checkout 2.6.0-rcN   # Where N is latest version
./securedrop-admin setup
./securedrop-admin tailsconfig
```

6847

~~verify that:~~
- ~~The tailsconfig playbook message directs you to reboot~~
- ~~After rebooting, a SecureDrop menu is available in the top menubar including options to access the SI and JI, SSH to servers, access the Persistent directory, and start KeePassXC~~
- ~~after setting up a Journalist Workstation and rebooting, the same menu and options are available with the exception of the SSH options.~~

legoktm commented 1 year ago

Environment

Install target: NUC11 (app) & NUC 10 (mon)
Tails version: 5.14
Test Scenario: Clean install
SSH over Tor: yes
Release candidate: rc1
General notes: Looks good but there's a visual glitch where the label for English is actually "English (United States)" and cuts off the globe icon.

Basic Server Testing

[ ] After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
- Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
- Run tests with ./securedrop-admin verify (this will take a while)
- Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
[ ] QA Matrix checks pass

Command Line User Generation

[x] Can successfully add admin user and login

(Optional) Administration

[ ] I have backed up and successfully restored the app server following the backup documentation
[ ] If doing upgrade testing, make a backup on 2.5.2 and restore this backup on this release candidate
[ ] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
[ ] Can successfully add journalist account with HOTP authentication

(Optional) Application Acceptance Testing

Source Interface

Landing page base cases

[x] JS warning bar does not appear when using Security Slider high
[x] JS warning bar does appear when using Security Slider Low

First submission base cases

[x] On generate page, refreshing page produces a new 7-word codename
[x] On submit page, empty submissions produce flashed message
[x] On submit page, short message submitted successfully
[ ] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
[x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

[x] Nonexistent codename cannot log in
[x] Empty codename cannot log in
[x] Legitimate codename can log in
[x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

[x] Can log in with 2FA tokens
[x] incorrect password cannot log in
[x] invalid 2fa token cannot log in
[x] 2fa immediate reuse cannot log in
[ ] Journalist account with HOTP can log in

Index base cases

[x] Filter by codename works
[x] Starring and unstarring works
[x] Click select all selects all submissions
[x] Selecting all and clicking "Download" works

Individual source page

[x] You can submit a reply and a flashed message and new row appears
[x] You cannot submit an empty reply
[x] Clicking "Delete Source Account" and the source and docs are deleted
[x] You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

[x] The Updater GUI appears on boot

2.6.0 release-specific changes

[x] #6657 - switch to argon2id hashes
- [x] Verify that new journalist accounts can log in
- [x] In the application db, verify that all journalist account password hashes start with '$argon2id$...'
[x] #6681 - remove i18n globals
- [x] in SI, locale switcher works as expected
- [x] In JI, locale switcher works as expected

[x] #6738 - add descriptive titles
- [x] SI pages have descriptive titles based on the pages' main headers
- [x] JI pages have descriptive titles based on the pages' main headers
[x] #6768 - update CSP policy
- [x] In the SI, the Cross-Origin-Resource-Policy header is set with value same-origin
- [x] In the JI, the Cross-Origin-Resource-Policy header is set with value same-origin
[x] #6826 - remove stale pending sources
- On the app server, generate more than 100 pending sources using eg:
```
sudo -u www-data bash
cd /var/www/securedrop/
./loaddata.py --source-count 110 --files-per-source 0 --messages-per-source 0 --replies-per-source 0
```
- Trigger the removal service with sudo systemctl start securedrop-remove-pending-sources.service
- [x] Verify that only 100 pending sources remain in the database
[x] #6712 - add a Gnome shell extension
- Fresh install only After running ./securedrop-admin tailsconfig, verify that:
- [x] The playbook message directs you to reboot
- [x] After rebooting, a SecureDrop menu is available in the top menubar including options to access the SI and JI, SSH to servers, access the Persistent directory, and start KeePassXC
- [x] after setting up a Journalist Workstation and rebooting, the same menu and options are available with the exception of the SSH options.

nathandyer commented 1 year ago

Environment

Install target: NUC12 (app) & NUC 11 (mon)
Tails version: 5.13
Test Scenario: Clean install
SSH over Tor: yes
Release candidate: rc1
General notes: No issues spotted!

Basic Server Testing

[x] After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
- Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
- Run tests with ./securedrop-admin verify (this will take a while)
- Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
[x] QA Matrix checks pass

Command Line User Generation

[x] Can successfully add admin user and login

(Optional) Administration

[ ] ~I have backed up and successfully restored the app server following [the backup documentation]~(https://docs.securedrop.org/en/latest/backup_and_restore.html)
[ ] ~If doing upgrade testing, make a backup on 2.5.2 and restore this backup on this release candidate~
[x] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
[ ] ~Can successfully add journalist account with HOTP authentication~

(Optional) Application Acceptance Testing

Source Interface

Landing page base cases

[x] JS warning bar does not appear when using Security Slider high
[x] JS warning bar does appear when using Security Slider Low

First submission base cases

[x] On generate page, refreshing page produces a new 7-word codename
[x] On submit page, empty submissions produce flashed message
[x] On submit page, short message submitted successfully
[ ] ~On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded~
[x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

[x] Nonexistent codename cannot log in
[x] Empty codename cannot log in
[x] Legitimate codename can log in
[x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

[x] Can log in with 2FA tokens
[x] incorrect password cannot log in
[x] invalid 2fa token cannot log in
[x] 2fa immediate reuse cannot log in
[ ] ~Journalist account with HOTP can log in~

Index base cases

[x] Filter by codename works
[x] Starring and unstarring works
[x] Click select all selects all submissions
[x] Selecting all and clicking "Download" works

Individual source page

[x] You can submit a reply and a flashed message and new row appears
[x] You cannot submit an empty reply
[x] Clicking "Delete Source Account" and the source and docs are deleted
[x] You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

[x] The Updater GUI appears on boot

2.6.0 release-specific changes

[x] #6657 - switch to argon2id hashes
- [x] Verify that new journalist accounts can log in
- [ ] ~In the application db, verify that all journalist account password hashes start with '$argon2id$...'~ NOTE: Unsure how to directly check DB from prod server
[x] #6681 - remove i18n globals
- [x] in SI, locale switcher works as expected
- [x] In JI, locale switcher works as expected

[x] #6738 - add descriptive titles
- [x] SI pages have descriptive titles based on the pages' main headers
- [x] JI pages have descriptive titles based on the pages' main headers
[x] #6768 - update CSP policy
- [x] In the SI, the Cross-Origin-Resource-Policy header is set with value same-origin
- [x] In the JI, the Cross-Origin-Resource-Policy header is set with value same-origin
[x] #6826 - remove stale pending sources
- On the app server, generate more than 100 pending sources using eg:
```
sudo -u www-data bash
cd /var/www/securedrop/
./loaddata.py --source-count 110 --files-per-source 0 --messages-per-source 0 --replies-per-source 0
```
- Trigger the removal service with sudo systemctl start securedrop-remove-pending-sources.service
- [x] Verify that only 100 pending sources remain in the database (Note: related to above, wasn't sure how to check DB directly, but the behavior on multiple passes confirmed the correct number of pending sources)
[x] #6712 - add a Gnome shell extension
- Fresh install only After running ./securedrop-admin tailsconfig, verify that:
- [x] The playbook message directs you to reboot
- [x] After rebooting, a SecureDrop menu is available in the top menubar including options to access the SI and JI, SSH to servers, access the Persistent directory, and start KeePassXC
- [ ] ~after setting up a Journalist Workstation and rebooting, the same menu and options are available with the exception of the SSH options.~

cfm commented 1 year ago

Environment

Install target: NUC11s
Tails version: 5.13
Test Scenario: upgrade
SSH over Tor: yes
Release candidate: 2.6.0-rc1
General notes: Rest of test plan to follow on 2.6.0-rc2.

Basic Server Testing

[x] After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
- Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
- Run tests with ./securedrop-admin verify (this will take a while)
- Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
[x] QA Matrix checks pass

Truncated release-specific testing

[x] New systemd timers are firing.

sdadmin@app:~$ sudo journalctl | grep -E "securedrop-(clean-tmp|remove-pending-sources|submissions-today)" | tail -n 10
Jun 19 03:00:40 app systemd[1]: securedrop-submissions-today.service: Succeeded.
Jun 19 04:00:00 app systemd[1]: securedrop-clean-tmp.timer: Succeeded.
Jun 19 04:00:00 app systemd[1]: securedrop-remove-pending-sources.timer: Succeeded.
Jun 19 04:00:00 app systemd[1]: securedrop-submissions-today.timer: Succeeded.
Jun 20 00:00:02 app systemd[1]: securedrop-clean-tmp.service: Succeeded.
Jun 20 00:00:02 app systemd[1]: securedrop-remove-pending-sources.service: Succeeded.
Jun 20 03:00:21 app systemd[1]: securedrop-submissions-today.service: Succeeded.
Jun 20 04:00:00 app systemd[1]: securedrop-clean-tmp.timer: Succeeded.
Jun 20 04:00:00 app systemd[1]: securedrop-remove-pending-sources.timer: Succeeded.
Jun 20 04:00:00 app systemd[1]: securedrop-submissions-today.timer: Succeeded.

cfm commented 1 year ago

Environment

Install target: NUC11s
Tails version: 5.13
Test Scenario: upgrade
SSH over Tor: yes
Release candidate: 2.6.0-rc2
General notes: Except for #6866, tests check out, but see nit on #6657.

Basic Server Testing

[x] After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
- Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
- Run tests with ./securedrop-admin verify (this will take a while)
- Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
[x] QA Matrix checks pass

Command Line User Generation

[x] Can successfully add admin user and login

(Optional) Administration

[x] I have backed up and successfully restored the app server following the backup documentation
[x] If doing upgrade testing, make a backup on 2.5.2 and restore this backup on this release candidate
[x] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
~~Can successfully add journalist account with HOTP authentication~~

(Optional) Application Acceptance Testing

Source Interface

Landing page base cases

[x] JS warning bar does not appear when using Security Slider high
[x] JS warning bar does appear when using Security Slider Low

First submission base cases

[x] On generate page, refreshing page produces a new 7-word codename
[x] On submit page, empty submissions produce flashed message
[x] On submit page, short message submitted successfully
[x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
[x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

[x] Nonexistent codename cannot log in
[x] Empty codename cannot log in
[x] Legitimate codename can log in
[x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

[x] Can log in with 2FA tokens
[x] incorrect password cannot log in
[x] invalid 2fa token cannot log in
[x] 2fa immediate reuse cannot log in
~~Journalist account with HOTP can log in~~

Index base cases

[x] Filter by codename works
[x] Starring and unstarring works
[x] Click select all selects all submissions
[x] Selecting all and clicking "Download" works

Individual source page

[x] You can submit a reply and a flashed message and new row appears
[x] You cannot submit an empty reply
[x] Clicking "Delete Source Account" and the source and docs are deleted
[x] You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

[x] The Updater GUI appears on boot

2.6.0 release-specific changes

[ ] #6657 - switch to argon2id hashes
- Upgrade only Before upgrading, create a journalist or admin account
- [x] Upgrade only After upgrading, verify that existing journalist accounts can still log in
- [x] Verify that new journalist accounts can log in
- [ ] In the application db, verify that all journalist account password hashes start with '$argon2id$...'

No, only journalists who have logged in since the upgrade to a v2.6.0 RC have updated password hashes. (This is an error in the test plan, not the implementation of #6657.)

[x] #6681 - remove i18n globals
- [x] in SI, locale switcher works as expected
- [x] In JI, locale switcher works as expected

[x] #6738 - add descriptive titles
- [x] SI pages have descriptive titles based on the pages' main headers
- [x] JI pages have descriptive titles based on the pages' main headers
[x] #6768 - update CSP policy
- [x] In the SI, the Cross-Origin-Resource-Policy header is set with value same-origin
- [x] In the JI, the Cross-Origin-Resource-Policy header is set with value same-origin

[x] #6826 - remove stale pending sources

On the app server, generate more than 100 pending sources using eg:

sudo -u www-data bash
cd /var/www/securedrop/
./loaddata.py --source-count 110 --files-per-source 0 --messages-per-source 0 --replies-per-source 0

This is a long-running instance with a useful amount of junk:

amnesia@amnesia:~$ ssh app 'sudo -u www-data sqlite3 /var/lib/securedrop/db.sqlite "SELECT COUNT(*) FROM sources;"'
177

Trigger the removal service with sudo systemctl start securedrop-remove-pending-sources.service
[x] Verify that ~~only 100~~ appropriately fewer pending sources remain in the database

This is a long-running instance with a useful amount of junk:

amnesia@amnesia:~$ ssh app sudo systemctl start securedrop-remove-pending-sources.service
amnesia@amnesia:~$ ssh app 'sudo -u www-data sqlite3 /var/lib/securedrop/db.sqlite "SELECT COUNT(*) FROM sources;"'
123

[x] #6712 - add a Gnome shell extension
- Fresh install only After running ./securedrop-admin tailsconfig, verify that:
- ~~The playbook message directs you to reboot~~
- ~~After rebooting, a SecureDrop menu is available in the top menubar including options to access the SI and JI, SSH to servers, access the Persistent directory, and start KeePassXC~~
- ~~after setting up a Journalist Workstation and rebooting, the same menu and options are available with the exception of the SSH options.~~
- Upgrade only Upgrade the Tails Workstation to the latest RC by running the following commands in a terminal:
```
cd Persistent/securedrop
git checkout 2.6.0-rcN   # Where N is latest version
./securedrop-admin setup
./securedrop-admin tailsconfig
```
- verify that:
- [x] The tailsconfig playbook message directs you to reboot
- [x] After rebooting, a SecureDrop menu is available in the top menubar including options to access the SI and JI, SSH to servers, access the Persistent directory, and start KeePassXC
- [x] after setting up a Journalist Workstation and rebooting, the same menu and options are available with the exception of the SSH options.

legoktm commented 1 year ago

Environment

Install target: NUC11 (app) + NUC10 (mon)
Tails version: 5.14
Test Scenario: clean install
SSH over Tor: yes
Release candidate: 2.6.0-rc2 with #6867 cherry-picked on top
General notes: looks ready to me. I found some more visual issues with the locale switcher when playing with it, but none are 2.6.0 regressions AFAICT (will file shortly)

Basic Server Testing

[x] After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
- Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
- Run tests with ./securedrop-admin verify (this will take a while)
- Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
[x] QA Matrix checks pass

Command Line User Generation

[x] Can successfully add admin user and login

(Optional) Administration

[ ] I have backed up and successfully restored the app server following the backup documentation
[ ] If doing upgrade testing, make a backup on 2.5.2 and restore this backup on this release candidate
[x] "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
[ ] Can successfully add journalist account with HOTP authentication

(Optional) Application Acceptance Testing

Source Interface

Landing page base cases

[x] JS warning bar does not appear when using Security Slider high
[x] JS warning bar does appear when using Security Slider Low

First submission base cases

[x] On generate page, refreshing page produces a new 7-word codename
[x] On submit page, empty submissions produce flashed message
[x] On submit page, short message submitted successfully
[ ] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
[x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

[x] Nonexistent codename cannot log in
[x] Empty codename cannot log in
[x] Legitimate codename can log in
[x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

[x] Can log in with 2FA tokens
[x] incorrect password cannot log in
[x] invalid 2fa token cannot log in
[x] 2fa immediate reuse cannot log in
[ ] Journalist account with HOTP can log in

Index base cases

[x] Filter by codename works
[x] Starring and unstarring works
[x] Click select all selects all submissions
[x] Selecting all and clicking "Download" works

Individual source page

[x] You can submit a reply and a flashed message and new row appears
[x] You cannot submit an empty reply
[x] Clicking "Delete Source Account" and the source and docs are deleted
[x] You can click on a document and successfully decrypt using application private key

Basic Tails Testing

After updating to this release candidate and running securedrop-admin tailsconfig

[x] The Updater GUI appears on boot

2.6.0 rc2 release-specific changes

[x] No ossec notifications for NameError missing hasattr
[x] Setting en_US in the locale options shows up as "English", not "English (United States)"

cfm commented 1 year ago

Environment

Install target: NUC11s
Tails version: 5.13
Test Scenario: upgrade
SSH over Tor: yes
Release candidate: 2.6.0
General notes: All happy.

Preflight testing

Basic testing

[x] Install or upgrade occurs without error (from apt-qa.freedom.press per preflight procedure)
[x] Source interface is available and version string indicates it is 2.6.0
- [x] A language other than English can be selected
[x] A message can be successfully submitted

Tails

[x] The updater GUI appears on boot
[x] The update successfully occurs to 2.6.0
[x] After reboot, updater GUI no longer appears

eloquence commented 1 year ago

Can also confirm:

[x] The updater GUI appears on boot
[x] The update successfully occurs to 2.6.0
[x] After reboot, updater GUI no longer appears

New SecureDrop menu appeared for me after reboot & connecting to network, and is working as expected.

zenmonkeykstop commented 1 year ago

Fresh install preflight checks out.