From 50f3cd625cb5f9bd661dacf46daa3e49a1eef6dd Mon Sep 17 00:00:00 2001
From: mickael e
Date: Wed, 11 Mar 2020 12:29:24 -0400
Subject: [PATCH] Create clean-salt script Run clean-salt as part of securedrop-admin uninstall action
---
 Makefile | 8 +-------
 scripts/clean-salt | 27 +++++++++++++++++++++++++++
 scripts/securedrop-admin.py | 7 ++-----
 3 files changed, 30 insertions(+), 12 deletions(-)
 create mode 100755 scripts/clean-salt
diff --git a/Makefile b/Makefile
index 28675f51..bb9c20ac 100644
--- a/Makefile
+++ b/Makefile
@@ -77,13 +77,7 @@ sd-log: prep-salt ## Provisions SD logging VM
 sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template,sd-log state.highstate

 clean-salt: assert-dom0 ## Purges SD Salt configuration from dom0
- @echo "Purging Salt config..."
- @sudo rm -rf /srv/salt/sd
- @sudo rm -rf /srv/salt/launcher
- @sudo find /srv/salt -maxdepth 1 -type f -iname 'fpf*' -delete
- @sudo find /srv/salt -maxdepth 1 -type f -iname 'sd*' -delete
- @sudo find /srv/salt -maxdepth 1 -type f -iname 'securedrop*' -delete
- @sudo find /srv/salt/_tops -lname '/srv/salt/sd-*' -delete
+ @./scripts/clean-salt

 prep-salt: assert-dom0 ## Configures Salt layout for SD workstation VMs
 @./scripts/prep-salt
diff --git a/scripts/clean-salt b/scripts/clean-salt
new file mode 100755
index 00000000..5d5a8dc6
--- /dev/null
+++ b/scripts/clean-salt
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Utility script to clean Saltstack config
+# files for the SecureDrop Workstation.
+set -e
+set -u
+set -o pipefail
+
+
+# Hardcoded location of SecureDrop Workstation salt config files
+SDW_SALT_DIR="/srv/salt/sd"
+SALT_DIR="/srv/salt"
+
+echo "Purging Salt config..."
+
+# If SDW Salt config dir already exists, delete all SecureDrop Workstation
+# related Salt files. In production scenarios, most of these will be provisioned
+# by the RPM package, but the top files and configs will not, so we should use a
+# common script to ensure all config is removed.
+
+if [[ ! -d "$SDW_SALT_DIR" ]]; then
+ sudo rm -rf ${SDW_SALT_DIR}
+ sudo rm -rf ${SALT_DIR}/launcher
+ sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'fpf*' -delete
+ sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'sd*' -delete
+ sudo find ${SALT_DIR} -maxdepth 1 -type f -iname 'securedrop*' -delete
+ sudo find ${SALT_DIR}/_tops -lname '/srv/salt/sd-*' -delete
+fi
diff --git a/scripts/securedrop-admin.py b/scripts/securedrop-admin.py
index d247bd42..9ced4552 100644
--- a/scripts/securedrop-admin.py
+++ b/scripts/securedrop-admin.py
@@ -97,13 +97,10 @@ def perform_uninstall():
 )
 print("Reverting dom0 configuration")
 subprocess.check_call(
- ["sudo", "rm", "/srv/salt/sd/sd-journalist.sec"]
- )
- subprocess.check_call(
- ["sudo", "rm", "/srv/salt/sd/config.json"]
+ ["sudo", "qubesctl", "state.sls", "sd-clean-all"]
 )
 subprocess.check_call(
- ["sudo", "qubesctl", "state.sls", "sd-clean-all"]
+ [os.path.join(SCRIPTS_PATH, "scripts/clean-salt")]
 )
 print("Uninstalling Template")
 subprocess.check_call(
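Review bot: The guard in scripts/clean-salt is inverted: `if [[ ! -d "$SDW_SALT_DIR" ]]; then` runs the purge only when /srv/salt/sd is absent, while the comment above it says the cleanup applies when the directory already exists. On a provisioned dom0 the script therefore deletes nothing, so the Makefile's `clean-salt` target becomes a no-op. The securedrop-admin.py hunk is affected too: it drops its explicit `rm` of sd-journalist.sec and config.json in favour of this script, so both files stay on disk after uninstall. The test should read `if [[ -d "$SDW_SALT_DIR" ]]; then`. The `${SDW_SALT_DIR}` and `${SALT_DIR}` expansions in the body are also unquoted, unlike the one in the test, and should be quoted the same way.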
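Review bot: The order of the two calls in the securedrop-admin.py hunk matters but is not documented: `sd-clean-all` is applied through qubesctl before clean-salt runs, and clean-salt deletes the `sd*` files under /srv/salt, which presumably include that state file. A comment above the qubesctl call, such as `# sd-clean-all must run before clean-salt, which deletes the Salt state files qubesctl needs`, would keep a later edit from swapping them. With the explicit `rm` calls gone, removal of sd-journalist.sec depends entirely on clean-salt, so a check after the call that /srv/salt/sd no longer exists would make a silent failure visible. perform_uninstall starts and continues outside this hunk.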