Create clean-salt script

Run clean-salt as part of securedrop-admin uninstall action
freedomofpress · Mar 11, 2020 · 50f3cd6 · 50f3cd6
1 parent d5c9839
commit 50f3cd6
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 12 deletions.
diff --git a/Makefile b/Makefile
@@ -77,13 +77,7 @@ sd-log: prep-salt ## Provisions SD logging VM
 	sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template,sd-log state.highstate
 
 clean-salt: assert-dom0 ## Purges SD Salt configuration from dom0
-	@echo "Purging Salt config..."
-	@sudo rm -rf /srv/salt/sd
-	@sudo rm -rf /srv/salt/launcher
-	@sudo find /srv/salt -maxdepth 1 -type f -iname 'fpf*' -delete
-	@sudo find /srv/salt -maxdepth 1 -type f -iname 'sd*' -delete
-	@sudo find /srv/salt -maxdepth 1 -type f -iname 'securedrop*' -delete
-	@sudo find /srv/salt/_tops -lname '/srv/salt/sd-*' -delete
+	@./scripts/clean-salt
 
 prep-salt: assert-dom0 ## Configures Salt layout for SD workstation VMs
 	@./scripts/prep-salt

diff --git a/scripts/clean-salt b/scripts/clean-salt
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Utility script to clean Saltstack config
+# files for the SecureDrop Workstation.
+set -e
+set -u
+set -o pipefail
+
+
+# Hardcoded location of SecureDrop Workstation salt config files
+SDW_SALT_DIR="/srv/salt/sd"
+SALT_DIR="/srv/salt"
+
+echo "Purging Salt config..."
+
+# If SDW Salt config dir already exists, delete all SecureDrop Workstation
+# related Salt files. In production scenarios, most of these will be provisioned
+# by the RPM package, but the top files and configs will not, so we should use a
+# common script to ensure all config is removed.
+
+if [[ ! -d "$SDW_SALT_DIR" ]]; then
+    sudo rm -rf ${SDW_SALT_DIR}
+    sudo rm -rf ${SALT_DIR}/launcher
+    sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'fpf*' -delete
+    sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'sd*' -delete
+    sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'securedrop*' -delete
+    sudo find ${SALT_DIR}/_tops -lname '/srv/salt/sd-*' -delete
+fi
diff --git a/scripts/securedrop-admin.py b/scripts/securedrop-admin.py
@@ -97,13 +97,10 @@ def perform_uninstall():
         )
         print("Reverting dom0 configuration")
         subprocess.check_call(
-            ["sudo", "rm", "/srv/salt/sd/sd-journalist.sec"]
-        )
-        subprocess.check_call(
-            ["sudo", "rm", "/srv/salt/sd/config.json"]
+            ["sudo", "qubesctl", "state.sls", "sd-clean-all"]
         )
         subprocess.check_call(
-            ["sudo", "qubesctl", "state.sls", "sd-clean-all"]
+            [os.path.join(SCRIPTS_PATH, "scripts/clean-salt")]
         )
         print("Uninstalling Template")
         subprocess.check_call(