Navigation Menu

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Eliminate flag-for-reply process #5954

Merged
merged 3 commits into from Jun 7, 2021
Merged

Eliminate flag-for-reply process #5954

merged 3 commits into from Jun 7, 2021

Conversation

rmol
Copy link
Contributor

@rmol rmol commented May 19, 2021

Status

Ready for review

Description of Changes

Fixes #1584.

This PR removes the haveged package, the checks of the entropy pool before generating source keypairs, and asynchronous source key generation. Source keys are now generated if they don't exist whenever a source visits /lookup or submits something, and the Source.flagged column and all associated code have been removed. The flag route in the journalist API is now a no-op, always returning a 200 status with a message explaining that the action is no longer needed. The is_flagged attribute of the JSON representation of sources returned from the API is now always false.

Testing

  • git checkout 1584-trust-in-disorder
  • make dev
  • Visit the source interface and create a new source.
  • In the container (docker exec -it securedrop-dev-0 bash) run sqlite3 /var/lib/securedrop/db.sqlite "select id, filesystem_id from sources order by id" and gpg --homedir /var/lib/securedrop/keys/ --list-keys to verify that the new source has a key.
  • Log in as a journalist. Navigate to any individual source page and confirm that it says "You can write a secure reply to the person who submitted these messages and/or files:".
  • Get into the dev container with docker exec -it securedrop-dev-0 bash.
  • Find the filesystem ID of the source you logged in as: sqlite3 /var/lib/securedrop/db.sqlite "select filesystem_id from sources where journalist_designation = 'its-journalist-designation'"
  • Delete the GPG keys of the source:
    • gpg --homedir /var/lib/securedrop/keys --yes --pinentry-mode=loopback --delete-secret-keys FILESYSTEM_ID
    • gpg --homedir /var/lib/securedrop/keys --yes --pinentry-mode=loopback --delete-keys FILESYSTEM_ID
  • Delete the key fingerprint cache in Redis: redis-cli del sd/crypto-util/fingerprints
  • As the journalist, reload the source page and confirm that it says: "This source has no encryption key. An encryption key will be generated for the source the next time they log in, after which you will be able to reply to the source here."
  • Submit a message as the source.
  • As the journalist, reload the source page. It should again allow you to reply to the source.
  • Log out of the source interface.
  • Delete the source's GPG keypair and clear the Redis fingerprint cache again.
  • Confirm that the journalist can no longer reply.
  • Log in as the source.
  • Confirm that the journalist can again reply.

Deployment

What could go wrong? 馃檪

I believe the changed logic will cover existing cases of sources without keys. Any source that was flagged for reply should get a key the next time they log in, simply because they don't have a key. The changed messaging in the journalist interface could be confusing for journalists who've had to flag sources for reply, but the effective flow is the same: you just have to wait for the source to return.

Checklist

If you made changes to the server application code:

  • Linting (make lint) and tests (make test) pass in the development container

If you made changes to the system configuration:

If you added or removed a file deployed with the application:

  • I have updated AppArmor rules to include the change

If you made non-trivial code changes:

  • I have written a test plan and validated it for this PR

Choose one of the following:

  • I have opened a PR in the docs repo for these changes, or will do so later
  • I would appreciate help with the documentation
  • These changes do not require documentation

rmol added 3 commits May 19, 2021 10:57
@rmol
Generate source keypairs synchronously without checking entropy pool
ef0e0c0 
The changes in sources of randomness in Linux, and libgcrypt's use of
them, have eliminated any need there might have been to check the
amount of entropy available. Keypair generation takes less than a
second on current CPUs. There's no need to defer key generation or to
perform it asynchronously.
@rmol
Drop Source.flagged
27f46ca
@rmol
Remove haveged
3832003
@rmol rmol requested a review from a team as a code owner May 19, 2021 15:43
@eloquence eloquence added this to Ready for Review in SecureDrop Team Board May 19, 2021
@rmol rmol mentioned this pull request May 19, 2021
Merged
3 tasks
@eloquence eloquence added this to the 2.0.0 milestone May 20, 2021
eloquence
eloquence reviewed May 20, 2021
View reviewed changes
securedrop/journalist_app/api.py
source.flagged = True
db.session.commit()
return jsonify({'message': 'Source flagged for reply'}), 200
return jsonify({'message': 'Sources no longer need to be flagged for reply'}), 200
Copy link
Member

@eloquence eloquence May 20, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It may be worth marking the endpoint explicitly as deprecated, to be removed in a future release.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we can mark it as deprecated in the documentation, then we don't have to update this PR.

@kushaldas kushaldas moved this from Ready for Review to Under Review in SecureDrop Team Board Jun 3, 2021
@kushaldas kushaldas self-assigned this Jun 3, 2021
kushaldas
kushaldas approved these changes Jun 4, 2021
View reviewed changes
Copy link
Contributor

@kushaldas kushaldas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Went through the whole test steps, and also visually inspected the code changes.

We should mark the API deprecation in the documentation, other than this I am okay with this change.

securedrop/journalist_app/api.py
source.flagged = True
db.session.commit()
return jsonify({'message': 'Source flagged for reply'}), 200
return jsonify({'message': 'Sources no longer need to be flagged for reply'}), 200
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess we can mark it as deprecated in the documentation, then we don't have to update this PR.

redshiftzero
redshiftzero approved these changes Jun 4, 2021
View reviewed changes
Copy link
Contributor

@redshiftzero redshiftzero left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

visually reviewed the diff and am relying on kushal's functional review, this LGTM!

@zenmonkeykstop zenmonkeykstop merged commit 7b71108 into develop Jun 7, 2021
SecureDrop Team Board automation moved this from Under Review to Done Jun 7, 2021
@rmol rmol deleted the 1584-trust-in-disorder branch June 8, 2021 16:23
@zenmonkeykstop zenmonkeykstop mentioned this pull request Jun 14, 2021
Closed
39 tasks
@rmol rmol mentioned this pull request Jun 22, 2021
Merged
5 tasks
@rocodes rocodes mentioned this pull request Jun 28, 2021
Merged
@cfm cfm mentioned this pull request Jul 28, 2021
Merged
3 tasks
@zenmonkeykstop zenmonkeykstop mentioned this pull request Nov 19, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eloquence eloquence eloquence left review comments

@kushaldas kushaldas kushaldas approved these changes

@redshiftzero redshiftzero redshiftzero approved these changes

Assignees

@kushaldas kushaldas

Labels
None yet
Projects
No open projects
SecureDrop Team Board
Done
Milestone
2.0.0
Development

Successfully merging this pull request may close these issues.

Get rid of entropy checks
5 participants
@rmol @eloquence @kushaldas @redshiftzero @zenmonkeykstop