Provisioning a Journalist Workstation fails without the site-specific file #6903

Closed
nathandyer opened this issue Aug 2, 2023 · 2 comments · Fixed by #6905
@nathandyer
Contributor

Description

As of the 2.6.0 release, and specifically with the changes here, it is now no longer possible to provision a Journalist Workstation drive with only the files described in our documentation.

Steps to Reproduce

  1. Follow the procedure to copy the required files for a Journalist Tails USB
  2. Run the ./securedrop-admin tailsconfig command
  3. Command fails due to the missing site-specific file, which is only present on Admin Workstations

Expected Behavior

The ./securedrop-admin tailsconfig runs correctly without error

Actual Behavior

./securedrop-admin tailsconfig returns an error due to the missing site-specific file

Comments

We may want to consider adjusting our QA procedures, to include a Journalist Workstation provisioning step (which likely would have caught this earlier)

@zenmonkeykstop zenmonkeykstop self-assigned this Aug 2, 2023
@zenmonkeykstop
Contributor

zenmonkeykstop commented Aug 2, 2023

AFAICT this code was added several years back, not in 2.6.0, and there's a check in the main.yml for this role to only create ssh aliases if the file does exist, so it's not immediately clear why it's failing now.

@cfm
Member

cfm commented Aug 2, 2023

@zenmonkeykstop, this prompts me to revise the initial interpretation I offered @nathandyer yesterday:

  1. https://github.com/freedomofpress/securedrop/blame/32d6fcec91d8a2ee2d33d5df64645ab6efc2a62b/install_files/ansible-base/roles/tails-config/tasks/create_ssh_aliases.yml#L2-L3 is old (v0.7.0) but runs on Admin Workstations only, to configure SSH.
  2. https://github.com/freedomofpress/securedrop/blame/32d6fcec91d8a2ee2d33d5df64645ab6efc2a62b/install_files/ansible-base/roles/tails-config/tasks/install_shell_extension.yml#L2-L3 is new (v2.6.0) and runs on both Admin and Journalist Workstations, to configure the GNOME Shell extension, including SSH.

(2)'s bf20c4f imports the app_hostname and monitor_hostname variables from site-specific rather than reading them directly out of that file, which would have had to be present in any case.

However, you could make the case that install_shell_extension doesn't need to know the {app,monitor}_hostnames, since:

  1. on Admin Workstations, it could just hard-code ssh {app,mon} and let the SSH aliases configured by create_ssh_aliases do the trick; and
  2. on Journalist Workstations, these menu items aren't present at all.

In other words, bf20c4f was maybe a different spelling of something we don't need after all.
