From 2db056dabd70571dc12a8c772a997a83dd0f9bbd Mon Sep 17 00:00:00 2001
From: Kevin O'Gorman
Date: Tue, 23 Feb 2021 13:54:43 -0500
Subject: [PATCH 1/2] Added check to prevent v2 installs on Focal instances
---
 install_files/ansible-base/securedrop-prod.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/install_files/ansible-base/securedrop-prod.yml b/install_files/ansible-base/securedrop-prod.yml
index 706a28ab78..53809c8688 100755
--- a/install_files/ansible-base/securedrop-prod.yml
+++ b/install_files/ansible-base/securedrop-prod.yml
@@ -28,6 +28,15 @@
 max_fail_percentage: 0
 any_errors_fatal: yes
 pre_tasks:
+ - name: Verify that v2 onion services are not enabled on a Focal install
+ assert:
+ that:
+ - "v2_onion_services|bool != true"
+ fail_msg: >-
+ V2 services were enabled via ./securedrop-admin sdconfig, but are not
+ available on Focal. Please run sdconfig again, disabling v2 services.
+ when: ansible_distribution_release == 'focal'
+
 - name: Check if install has been done before
 stat:
 path: /var/www/securedrop
From 0f3c4139b38facca03b21cee296f9b8a7e5dd00c Mon Sep 17 00:00:00 2001
From: Erik Moeller
Date: Tue, 23 Feb 2021 15:53:55 -0800
Subject: [PATCH 2/2] Clarified sdconfig warning language for SecureDrop 1.8.0
I took the liberty to rescue a code comment from the other PR which might help others to reason about securedrop-admin.
---
 admin/securedrop_admin/__init__.py | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/admin/securedrop_admin/__init__.py b/admin/securedrop_admin/__init__.py
index daf9960f9d..7c4f7f0fa9 100755
--- a/admin/securedrop_admin/__init__.py
+++ b/admin/securedrop_admin/__init__.py
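Review bot: In the securedrop-prod.yml hunk, the assertion `v2_onion_services|bool != true` reads the variable directly, so a site-specific configuration that lacks the setting (no default is visible in this hunk) would likely fail with an undefined-variable error instead of the intended `fail_msg`. Supplying a default and using the idiomatic negation keeps the message meaningful: `- "not (v2_onion_services | default(false) | bool)"`. The `when:` clause also relies on `ansible_distribution_release`, so it is worth confirming that facts are gathered before `pre_tasks` run in this play; the play header lies outside the hunk.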
@@ -89,7 +89,23 @@ class JournalistAlertEmailException(Exception):
 # https://mypy.readthedocs.io/en/stable/generics.html#declaring-decorators
 _FuncT = TypeVar('_FuncT', bound=Callable[..., Any])
-# (var, default, type, prompt, validator, transform, condition)
+# Configuration description tuples drive the CLI user experience and the
+# validation logic of the securedrop-admin tool. A tuple is in the following
+# format.
+#
+# (var, default, type, prompt, validator, transform, condition):
+#
+# var configuration variable name (will be stored in `site-specific`)
+# default default value (can be a callable)
+# type configuration variable type
+# prompt text prompt presented to the user
+# validator input validator based on `prompt_toolkit`'s Validator class
+# transform transformation function to run on input
+# condition condition under which this prompt is shown, receives the
+# in-progress configuration object as input. Used for "if this
+# then that" branching of prompts.
+#
+# The mypy type description of the format follows.
 _DescEntryType = Tuple[str, _T, Type[_T], str, Optional[Validator], Optional[Callable], Callable]
@@ -442,9 +458,8 @@ def __init__(self, args: argparse.Namespace) -> None:
 str.split,
 lambda config: True),
 ('v2_onion_services', self.check_for_v2_onion(), bool,
- 'WARNING: For security reasons, support for v2 onion services ' +
- 'will be removed in March 2021. ' +
- 'Do you want to enable v2 onion services?',
+ 'WARNING: v2 onion services cannot be installed on servers ' +
+ 'running Ubuntu 20.04. Do you want to enable v2 onion services?',
 SiteConfig.ValidateYesNo(),
 lambda x: x.lower() == 'yes',
 lambda config: True),
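Review bot: The new comment block above `_DescEntryType` documents `default` as "default value (can be a callable)", but the alias types that slot as `_T`, and the one entry visible in this patch passes the result of `self.check_for_v2_onion()` rather than a callable. If no entry actually supplies a callable, the parenthetical should be dropped so the line reads `# default default value`; if some do, the alias should admit a callable in that position. The bound of `_T` is defined outside the hunk, so this needs confirming against the full file.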
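Review bot: The reworded `v2_onion_services` prompt drops the statement that v2 onion services are being retired for security reasons, so an admin whose servers are not on Ubuntu 20.04 no longer sees any reason to answer "no". Keeping the rationale next to the new restriction would preserve that guidance, for example by retaining `'WARNING: For security reasons, support for v2 onion services '` and the removal notice, then appending the Ubuntu 20.04 sentence. The entry's condition is still `lambda config: True` and "yes" is accepted as before, so a conflicting answer presumably only surfaces later through the playbook assertion in patch 1/2; the prompt could say that. The enclosing `__init__` begins and ends outside the hunk.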