Use discrete filename for rehashed app code reqs

While debugging the wheel reuse in the staging environment, it proved problematic to have the version-controlled app code requirements file clobbered inside the securedrop-app-code deb package. Let's instead dynamically generated a separate file, and reference that separate file in the postinst. It's somewhat problematic that this config is not DRY; a rename of the target file would require updates in multiple locations. Hopefully the trade-off on preserving the original app code file is worthwhile.
freedomofpress · May 15, 2019 · b7b748a · b7b748a
1 parent 33b5a27
commit b7b748a
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 6 deletions.
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml
@@ -8,6 +8,8 @@ securedrop_code_filtered: "{{ securedrop_app_code_deb_dir }}/var/www/securedrop"
 
 securedrop_pip_requirements: "{{ securedrop_code_filtered }}/requirements/securedrop-app-code-requirements.txt"
 
+securedrop_pip_requirements_rehashed: "{{ securedrop_code_filtered }}/requirements/securedrop-app-code-requirements-rehashed.txt"
+
 securedrop_wheelhouse: "{{ securedrop_app_code_deb_dir }}/var/securedrop/wheelhouse"
 
 securedrop_pip_freeze: "{{ securedrop_code_filtered }}/requirements/securedrop-app-code-requirements.lock"

diff --git a/...all_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/hash_built_wheels.py b/...all_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/hash_built_wheels.py
@@ -7,6 +7,7 @@
 REQUIREMENTS_FILE = os.environ['SD_REQUIREMENTS']
 WHEELHOUSE = os.environ['SD_WHEELHOUSE']
 LOCK_FILE = os.environ['SD_PIP_LOCK']
+REQUIREMENTS_FILE_REHASHED = os.environ['SD_REQUIREMENTS_REHASHED']
 
 
 def main():
@@ -24,7 +25,8 @@ def main():
         package_string = "{}-{}".format(package.replace("-", "_"), version)
         new_reqs += "{}=={}".format(package, version)
         new_reqs += " --hash=sha256:{}\n".format(get_hash_for_package(package_string))
-    with open(REQUIREMENTS_FILE, "w") as reqs_file:
+
+    with open(REQUIREMENTS_FILE_REHASHED, "w") as reqs_file:
         reqs_file.write(new_reqs)
 
 

diff --git a/...ible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml b/...ible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml
@@ -44,16 +44,16 @@
 
 - name: Copy script
   copy:
-    src: "hash_built_wheels.py"
-    dest: "/tmp/"
+    src: hash_built_wheels.py
+    dest: /tmp/hash_built_wheels.py
 
 - name: Generate hashes via script and generate new securedrop-app-code-requirements.txt
-  shell:
-    "python3 /tmp/hash_built_wheels.py"
+  command: python3 /tmp/hash_built_wheels.py
   environment:
     SD_REQUIREMENTS: "{{ securedrop_pip_requirements }}"
     SD_WHEELHOUSE: "{{ securedrop_wheelhouse }}"
     SD_PIP_LOCK: "{{ securedrop_pip_freeze }}"
+    SD_REQUIREMENTS_REHASHED: "{{ securedrop_pip_requirements_rehashed }}"
 
 - include: translations.yml
 

diff --git a/install_files/securedrop-app-code/debian/postinst b/install_files/securedrop-app-code/debian/postinst
@@ -125,7 +125,7 @@ case "$1" in
     chown -R www-data:www-data /var/lib/securedrop /var/www/securedrop
 
     pip install --no-index --find-links=/var/securedrop/wheelhouse --upgrade \
-      --require-hashes -r /var/www/securedrop/requirements/securedrop-app-code-requirements.txt
+      --require-hashes -r /var/www/securedrop/requirements/securedrop-app-code-requirements-rehashed.txt
 
     chown -R www-data:www-data /var/www/securedrop
     chown www-data:www-data /var/www/journalist.wsgi