Add security notification script sdw-notify #445
Conversation
|
|
||
| relpath_notify = "../sdw_notify/Notify.py" | ||
| path_to_notify = os.path.join(os.path.dirname(os.path.abspath(__file__)), relpath_notify) | ||
| notify = SourceFileLoader("Notify", path_to_notify).load_module() |
There was a problem hiding this comment.
This is the pattern for relative imports that was already used in sdw-launcher, updated here to avoid the deprecation warning caused by the use of imp. However, I'm sure a cleaner relative import is possible and would be happy to refactor both files - pointers appreciated!
There was a problem hiding this comment.
The path insertions aren't ideal. Since we have an RPM package now, we can install the Python modules at the system level and import them directly. Let's not do that now, especially with #450 still pending review. Not critical pre-pilot, but would make the updater/notifier code much more maintainable.
There was a problem hiding this comment.
Yeah I agree. Note that this is just copying the approach that was already in place (slightly revised to avoid a deprecation warning for imp), but we should definitely clean the launcher organization up a bit.
launcher/tests/test_notify.py
Outdated
| p = Pool(processes=1) | ||
| lock_result = p.apply(notify.can_obtain_updater_lock) | ||
| p.close() | ||
| assert lock_result is False |
There was a problem hiding this comment.
I've struggled to find a clean way to provoke a lock conflict in a test that works well across platforms. Pointers appreciated here as well. This method does appear to work, but as far as I can tell, it causes the code coverage for those lines to be misreported.
There was a problem hiding this comment.
I think here it would be fine to mock open or lockf and have IOException (not tested, but as example, using the following decorators :
@mock.patch("builtins.open", side_effect=IOError())
and
@mock.patch("fcntl.lockf", side_effect=IOError())
depending on which part of the lock logic you want to test
| @@ -26,6 +26,7 @@ jobs: | |||
| virtualenv .venv | |||
| source .venv/bin/activate | |||
| pip install --require-hashes -r test-requirements.txt | |||
| sudo apt install lsof | |||
There was a problem hiding this comment.
lsof is available on Mac and under Linux, and therefore seemed like the best fit to perform a cross-platform test for exclusive lock access. It is, however, not installed in this particular CircleCI container by default.
| - marker_start: "### BEGIN securedrop-workstation ###" | ||
| - marker_end: "### END securedrop-workstation ###" | ||
| - content: | | ||
| 0 * * * * {{gui_user}} DISPLAY=:0 /opt/securedrop/launcher/sdw-notify.py |
There was a problem hiding this comment.
The DISPLAY=:0 environment varialbe is necessary to display a graphical warning from a cron job without a display.
| # warning threshold. | ||
| dom0-crontab-update-notify: | ||
| file.blockreplace: | ||
| - name: /etc/crontab |
There was a problem hiding this comment.
/cron.hourly will run as root, so modifying /etc/crontab appears to be the cleanest way to run as the gui_user, which is necessary in order to run with the same permissions as the preflight updater.
eloquence
force-pushed
the
uptime-notification-squashed
branch
from
3ee6bbd to
59fdef4
Compare
There was a problem hiding this comment.
Thanks @pierwill and @eloquence, this is great work. I've gone through the test plan and a visual review. I think that prior to merge, we should address the following points. Let me know what you think!
- The only option presented to a user in this notification is to acknowledge via the
OKbutton. In order to better guide the user into the next steps, it may be a good idea to allow the user to open the launcher/updater directly from this notification. If the resulting diff is small, I propose we introduce this change here. If it's a larger change, I think filing a follow-up issue is sufficient for the purposes of this PR. - Test coverage is not complete (100%) for
Notify.pyandUpdater.py. (there was a comment inline re: coverage, perhaps my reply will help resolve). We should ensure 100% coverage in those two files, as they have somewhat complex logic and will help reduce the likelihood of regressions in the future. Let me know if you would like help to write further tests to complete coverage. - The handling of the case where
sdw-last-updatedflag is not present is insufficiently defensive. Asking the user to update in the absence ofsdw-last-updatedflag may be more prudent here. We could open the updater at the end of runningmake allto ensure everything is updated (and the flag is dropped), or populate the flag on install. The approach where the flag is absent and won't prompt will fail open, should the updater never run. - Related to point 3 above, the case where the timestamp is invalid will also fail open:
2020-02-10 15:48:56,459 - sdw_notify.Notify:110(is_update_check_necessary) ERROR: Data in /home/m/.securedrop_launcher/sdw-last-updated not in the expected format. Expecting a timestamp in format '%Y-%m-%d %H:%M:%S'.
In other words, for 3 and 4, I think that the absence or the invalidity of a timestamp should trigger the notification/alert. This will make the logic fail closed, and the updater will repopulate a valid flag after running.
- You make a great point re: rpm permissions on updater scripts. While this should be mitigated by Enforce dom0 salt state as part of preflight updates #427, it would be safer to specify these in the rpm spec in case there's an edge-case where the config is not applied, and an update is needed (the updater will no longer work). Let's update this as part of this PR since we are touching/testing these parts of the code, if you don't mind (https://github.com/freedomofpress/securedrop-workstation/pull/445/files#r376673672)
Otherwise, reporting a successful test plan 🎉
Functional testing
Thank you for the comprehensive test plan. Functional test plan worked as expected.
Installation:
- Check out this PR in your development VM
-
make clone && make prep-dom0indom0
Regression testing:
- Test that the preflight updater is still working as expected by clicking the "SecureDrop" desktop icon
- Test that the preflight updater still creates logs in
~/.securedrop_launcher/launcher.log
Testing new preflight updater functionality:
- Test that you cannot run another preflight updater while it is already running
Testing new notification functionality:
Before running any commands, I recommend running watch tail -n 25 ~/.securedrop_launcher/logs/sdw-notify.log in a separate terminal. All notable events below should produce log entries.
- Test that running
/opt/securedrop/launcher/sdw-notify.pyhas the expected results for your current workstation state per the behavior design doc - Test that setting the timestamp written to
~/.securedrop_launcher/sdw-last-updatedto a date well in the past and running/opt/securedrop/launcher/sdw-notify.pycauses the notification to appear, if the system has been up for more than 30 minutes (uptime grace period).- You can manually edit
UPTIME_GRACE_PERIODin/opt/securedrop/launcher/sdw_notify/Notify.pyto force a run.
- You can manually edit
- Test that setting the timestamp written to
~/.securedrop_launcher/sdw-last-updatedto today and running/opt/securedrop/launcher/sdw-notify.pycauses the notification to not appear.- Ensure that the uptime grace period has elapsed or is set to 0.
- Test that removing the timestamp
~/.securedrop_launcher/sdw-last-updatedand running/opt/securedrop/launcher/sdw-notify.pywith uptime lower than 5 days causes the notification to not appear.
❗ The issue i see with this approach is that it fails open: if the updater never runs, these notifications will never display, if the uptime always remains < 5 days. - Test that removing the timestamp
~/.securedrop_launcher/sdw-last-updatedand running/opt/securedrop/launcher/sdw-notify.pywith uptime higher than 5 days causes the notification to appear.- You can manually edit
WARNING_THRESHOLDin/opt/securedrop/launcher/sdw_notify/Notify.pyto force a run.
- You can manually edit
- Test that all of the above produces log entries.
- Test that the cron job runs as expected (easiest by modifying the
0to*in/etc/crontabto change it from "every hour" to "every minute") - also let it run for a bit and inpected log
| @@ -0,0 +1,35 @@ | |||
| """ | |||
There was a problem hiding this comment.
This is great, thanks for doing this. There uptime, lockfile, but I think this definitely sufficient for merge in this iteration. If we were to move further (non-logging) logic here, we should have test coverage here
There was a problem hiding this comment.
I'll take a stab at refactoring the lockfile logic into the util library to further reduce duplication and increase testability.
| show_update_warning() | ||
|
|
||
|
|
||
| def show_update_warning(): |
There was a problem hiding this comment.
Given how straightforward the QT logic is here, I think it's fine to leave as is, but if ever we introduce further complexity/stying here, I would recommend we decouple the main from the QT code, and simply instanciate the QT app object in the main, and handle all other QT tasks in a separate file/class
|
|
||
| # The file and format that contains the timestamp of the last successful update | ||
| LAST_UPDATED_FILE = os.path.join(BASE_DIRECTORY, "sdw-last-updated") | ||
| LAST_UPDATED_FORMAT = "%Y-%m-%d %H:%M:%S" |
There was a problem hiding this comment.
nit: using the variable from Updater.py or storing in Utils.py could help reduce duplication here
launcher/tests/test_notify.py
Outdated
| p = Pool(processes=1) | ||
| lock_result = p.apply(notify.can_obtain_updater_lock) | ||
| p.close() | ||
| assert lock_result is False |
There was a problem hiding this comment.
I think here it would be fine to mock open or lockf and have IOException (not tested, but as example, using the following decorators :
@mock.patch("builtins.open", side_effect=IOError())
and
@mock.patch("fcntl.lockf", side_effect=IOError())
depending on which part of the lock logic you want to test
| @@ -12,7 +12,7 @@ | |||
| path_to_script = os.path.join( | |||
| os.path.dirname(os.path.abspath(__file__)), relpath_updater_script | |||
| ) | |||
| updater = imp.load_source("Updater", path_to_script) | |||
| updater = SourceFileLoader("Updater", path_to_script).load_module() | |||
There was a problem hiding this comment.
thanks for squashing this deprecation warning 👍
|
Thanks for the detailed review! A couple of quick responses:
That makes sense, let's just show the warning immediately in those two cases without a grace period, because they should not occur on a normal system, and we don't want to delay letting the user know that something is wrong. I really like your suggestion of populating
I completely agree; I deliberately kept the notification super simple for this first iteration, but I think we should tweak it a bit:
The additional logic needed for 2) makes me think this is a good change for a follow-up PR (plus I'm not versed in PyQt yet, so it may be faster for someone else to take this on). |
Thinking this through a bit more, there are a couple of issues with that approach:
This is IMO beyond the scope of this PR, but what do y'all think about storing the installation date in a file like |
eloquence
force-pushed
the
uptime-notification-squashed
branch
4 times, most recently
from
894223b to
2893f56
Compare
eloquence
force-pushed
the
uptime-notification-squashed
branch
from
2893f56 to
8c500c9
Compare
|
Re: mocking the lock (lock-mocking?):
That's a great point, I think it's reasonable to treat |
| # To ensure forward-compatibility of RPMs regardless of updates to the system | ||
| # Python, we disable the creation of bytecode at build time via the build | ||
| # root policy. | ||
| %undefine py_auto_byte_compile |
There was a problem hiding this comment.
This is the change discussed in #449 (comment) and subsequent comments.
launcher/tests/test_notify.py
Outdated
| """ | ||
| with TemporaryDirectory() as tmpdir, \ | ||
| mock.patch("Notify.LOCK_FILE_NOTIFIER", | ||
| os.path.join(tmpdir, "sdw-notify.lock")): |
There was a problem hiding this comment.
FYI: I'm using this pattern to patch the global variable, to avoid unintended side effects either across tests or in a single test; please let me know if there's a preferable pattern for the same result.
|
Recap of recent changes:
I've not fully re-tested yet, but you're welcome to take a spin through it again @emkll; I'll officially move it to "Ready" again once I've done another test through myself. Thanks for all the comments so far! |
There was a problem hiding this comment.
Thanks @eloquence for the changes, they look good to me. I have reviewed your changes locally, went though the test plan and did a visual review, all works as expected, and addresses comments 2,3,4,5. Happy to open a ticket for 1), as it would be nice to address as part of the beta milestone (pending freedomofpress/securedrop-ux#99).
Prior to merge, could you please run the black formatter on launcher/ subdirectory
Done. Will re-test now, as well, and await Conor's visual review. |
eloquence
force-pushed
the
uptime-notification-squashed
branch
from
7daf102 to
3a42dd3
Compare
|
(Rebased to latest upstream |
|
Changed text of warning slightly, to "This computer has not been checked for security updates recently." This is so it's accurate under all circumstances when the warning is shown. (As discussed above, additional logic for launching the updater or showing more specific messages can be handled in follow-up changes.) |
This script checks whether updates have been applied recently enough using the preflight updater (AKA launcher) that is part of the SecureDrop Workstation. "Recently enough" is defined as follows: - If the updater has never successfully run, uptime does not exceed a warning threshold. - If the updater has run successfully, it is not longer ago than the warning threshold. However, we allow for a grace period. In this commit, the warning threshold is set to 5 days, and the grace period to 30 minutes. The script runs as a cron job and displays a PyQt warning if warranted according to the above criteria. Lock files stored in /run/user are used to avoid showing the warning multiple times, or while the preflight updater is running. As part of this commit, code from sdw-launcher has been reorganized, to allow for shared use in a utility library by other system components like sdw-notify. This commit represents a collaboration between @pierwill and @eloquence.
- Show warning if we have no timestmap - Show warning if timestamp is in unexpected format
eloquence
force-pushed
the
uptime-notification-squashed
branch
from
245e083 to
453cbe8
Compare
There was a problem hiding this comment.
Performed visual review. Overall code is clean and well commented. Would like to shore up the RPM packaging strategy to treat the Python code as proper system-level modules, but this PR isn't the right time for that.
Noticed some formatting errors in the tests, where regular expressions are only partially validated, due to string concatenation quirks. Once those are cleaned up, fine for merge!
|
|
||
| relpath_notify = "../sdw_notify/Notify.py" | ||
| path_to_notify = os.path.join(os.path.dirname(os.path.abspath(__file__)), relpath_notify) | ||
| notify = SourceFileLoader("Notify", path_to_notify).load_module() |
There was a problem hiding this comment.
The path insertions aren't ideal. Since we have an RPM package now, we can install the Python modules at the system level and import them directly. Let's not do that now, especially with #450 still pending review. Not critical pre-pilot, but would make the updater/notifier code much more maintainable.
launcher/tests/test_notify.py
Outdated
| UPDATER_WARNING_REGEX = ( | ||
| r"^Last successful update \(.* hours ago\) is above warning threshold " | ||
| ) | ||
| r"\(.* hours\). Uptime grace period of .* hours has elapsed (uptime: .* hours)." |
There was a problem hiding this comment.
Looks like L30 & L31 should be swapped. As written, UPDATER_WARNING_REGEX is resolving to the first half of the pattern. The problem of strings-not-concatenating occurs throughout test_notify.py, will comment in-line.
There was a problem hiding this comment.
Yikes, great flag. black helpfully inserted the parentheses, which should have made it obvious to me that the concatenation was wrong. 10003bd should fix these concatenations throughout.
Sometimes Python makes me miss semicolons. ;-)
launcher/tests/test_notify.py
Outdated
| # Regex for info log if we've updated too long ago, but grace period still ticking | ||
| GRACE_PERIOD_REGEX = r"Last successful update \(.* hours ago\) is above " | ||
| r"warning threshold \(.* hours\). Uptime grace period of .* hours has not elapsed " | ||
| r"yet \(uptime: .* hours\)." |
There was a problem hiding this comment.
String parts aren't concatenating, try:
# Regex for info log if we've updated too long ago, but grace period still ticking
GRACE_PERIOD_REGEX = (
r"Last successful update \(.* hours ago\) is above "
r"warning threshold \(.* hours\). Uptime grace period of .* hours has not elapsed "
r"yet \(uptime: .* hours\)."
)
launcher/tests/test_notify.py
Outdated
| NO_WARNING_REGEX = ( | ||
| r"Last successful update \(.* hours ago\) is below the warning threshold " | ||
| ) | ||
| r"\(.* hours\)." |
There was a problem hiding this comment.
As above, strings are not concatenating; try:
# Regex for info log if we've updated recently enough
NO_WARNING_REGEX = (
r"Last successful update \(.* hours ago\) is below the warning threshold "
r"\(.* hours\)."
)
Add security notification script sdw-notify
This script checks whether updates have been applied recently enough using the preflight updater (AKA launcher) that is part of the SecureDrop Workstation. "Recently enough" is defined as follows:
In this PR, the warning threshold is set to 5 days, and the grace period to 30 minutes.
The script runs as a cron job and displays a PyQt warning if warranted according to the above criteria. Lock files stored in
/run/userare used to avoid showing the warning multiple times, or while the preflight updater is running.As part of this work, code from
sdw-launcherhas been reorganized, to allow for shared use in a utility library by other system components likesdw-notify.NOTE: Due to packaging changes, this PR bumps the version of
securedrop-workstation. The packaging changes address parts of #449 (the creation of*.pycand*.pyofiles) by disabling implicit Python bytecode compilation.Status
Ready for initial review. Draft until re-verification in Qubes and RPM updates.
Description of Changes
Fixes #236
Testing
Installation:
make clone && make prep-dom0indom0Regression testing:
~/.securedrop_launcher/launcher.logTesting new preflight updater functionality:
Testing new notification functionality:
Before running any commands, I recommend running
watch tail -n 25 ~/.securedrop_launcher/logs/sdw-notify.login a separate terminal. All notable events below should produce log entries./opt/securedrop/launcher/sdw-notify.pyhas the expected results for your current workstation state per the behavior design doc~/.securedrop_launcher/sdw-last-updatedto a date well in the past and running/opt/securedrop/launcher/sdw-notify.pycauses the notification to appear, if the system has been up for more than 30 minutes (uptime grace period).UPTIME_GRACE_PERIODin/opt/securedrop/launcher/sdw_notify/Notify.pyto force a run.~/.securedrop_launcher/sdw-last-updatedto today and running/opt/securedrop/launcher/sdw-notify.pycauses the notification to not appear.~/.securedrop_launcher/sdw-last-updatedcauses the notification to appear. (Updated per discussion below.)~/.securedrop_launcher/sdw-last-updatedwith a bad value causes the notification to appear. (Updated per discussion below.)0to*in/etc/crontabto change it from "every hour" to "every minute")Checklist
make flake8) passesmake test) pass in dom0 of a Qubes installAuthorship
This PR represents a collaboration between @pierwill and @eloquence, with a lot of helpful input from @emkll.