Build Rust redwood wheel during packaging process

Use maturin to build the redwood wheel and then install it into the
virtualenv shipped in the Debian package.

A testinfra check is added that verifies the redwood wheel is importable
and is able to generate a key pair.

Fixes #6817.

builder/build-debs-securedrop.sh

@@ -4,11 +4,15 @@
 
 export PIP_DISABLE_PIP_VERSION_CHECK=1
 export PIP_PROGRESS_BAR=off
+export CARGO_TERM_COLOR=never
+export CARGO_TERM_PROGRESS_WHEN=never
 
 set -euxo pipefail
 
 # Make a copy of the source tree since we do destructive operations on it
 cp -R /src/securedrop /srv/securedrop
+cp -R /src/redwood /srv/redwood
+cp /src/Cargo.lock /srv/redwood/
 cd /srv/securedrop/
 
 # Control the version of setuptools used in the default construction of virtual environments

builder/tests/test_securedrop_deb_package.py

@@ -9,6 +9,7 @@
     subprocess.check_output(["git", "rev-parse", "--show-toplevel"]).decode().strip()
 )
 DEB_PATHS = list((SECUREDROP_ROOT / "build/focal").glob("*.deb"))
+SITE_PACKAGES = "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages"
 
 
 @pytest.fixture(scope="module")
@@ -69,6 +70,7 @@ def test_deb_package_contains_expected_conffiles(deb: Path):
         "/var/www/securedrop/.well-known/pki-validation/",
         "/var/www/securedrop/translations/messages.pot",
         "/var/www/securedrop/translations/de_DE/LC_MESSAGES/messages.mo",
+        f"{SITE_PACKAGES}/redwood/redwood.cpython-38-x86_64-linux-gnu.so",
     ),
 )
 def test_app_code_paths(securedrop_app_code_contents: str, path: str):

molecule/testinfra/app/test_smoke.py

@@ -1,6 +1,8 @@
 """
 Basic smoke tests that verify the apps are functioning as expected
 """
+import json
+
 import pytest
 import testutils
 
@@ -31,3 +33,19 @@ def test_interface_up(host, name, url, curl_flags):
                 assert "nopenopenope" in f.content_string
     assert "200 OK" in response
     assert "Powered by" in response
+
+
+def test_redwood(host):
+    """
+    Verify the redwood wheel was built and installed properly and basic
+    functionality works
+    """
+    response = host.run(
+        "/opt/venvs/securedrop-app-code/bin/python3 -c "
+        "'import redwood; import json; print("
+        'json.dumps(redwood.generate_source_key_pair("abcde", "test@invalid")))\''
+    )
+    parsed = json.loads(response.stdout)
+    assert "-----BEGIN PGP PUBLIC KEY BLOCK-----" in parsed[0]
+    assert "-----BEGIN PGP PRIVATE KEY BLOCK-----" in parsed[1]
+    assert len(parsed[2]) == 40

securedrop/debian/rules

@@ -21,6 +21,8 @@ override_dh_installdeb:
 	echo "" > ${CURDIR}/debian/securedrop-keyring/DEBIAN/conffiles
 
 override_dh_auto_install:
+	# Build redwood wheel
+	python3 /srv/redwood/build-wheel.py --release --redwood /srv/redwood --target /srv/redwood/target
 	# Set up virtualenv and install dependencies
 	/usr/bin/python3 -m venv ./debian/securedrop-app-code/opt/venvs/securedrop-app-code
 	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
@@ -29,6 +31,8 @@ override_dh_auto_install:
 		pip==21.3
 	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
 		-r requirements/python3/requirements.txt
+	./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
+		/srv/redwood/redwood-*.whl
 	# Update paths to point to install destination
 	find ./debian/securedrop-app-code/ -type f -exec sed -i "s#$(shell pwd)/debian/securedrop-app-code##" {} \;
 	dh_auto_install $@

securedrop/debian/translations.sh

@@ -1,8 +1,6 @@
 #!/bin/bash
 set -ex
 
-export PATH="${PATH}:/root/.cargo/bin"
-
 # We create the virtualenv separately from the "pip install" commands below,
 # to make error-reporting a bit more obvious. We also update beforehand,
 # beyond what the system version provides, see #6317.