From b7b748a601ca4f5c1848b89c9b0bd92f8a26eacf Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Tue, 14 May 2019 16:34:38 -0700 Subject: [PATCH] Use discrete filename for rehashed app code reqs While debugging the wheel reuse in the staging environment, it proved problematic to have the version-controlled app code requirements file clobbered inside the securedrop-app-code deb package. Let's instead dynamically generated a separate file, and reference that separate file in the postinst. It's somewhat problematic that this config is not DRY; a rename of the target file would require updates in multiple locations. Hopefully the trade-off on preserving the original app code file is worthwhile. --- .../build-securedrop-app-code-deb-pkg/defaults/main.yml | 2 ++ .../files/hash_built_wheels.py | 4 +++- .../tasks/build_securedrop_app_code_deb.yml | 8 ++++---- install_files/securedrop-app-code/debian/postinst | 2 +- 4 files changed, 10 insertions(+), 6 deletions(-) diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml index 02f24f71c6c..8ea3c879603 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/defaults/main.yml @@ -8,6 +8,8 @@ securedrop_code_filtered: "{{ securedrop_app_code_deb_dir }}/var/www/securedrop" securedrop_pip_requirements: "{{ securedrop_code_filtered }}/requirements/securedrop-app-code-requirements.txt" +securedrop_pip_requirements_rehashed: "{{ securedrop_code_filtered }}/requirements/securedrop-app-code-requirements-rehashed.txt" + securedrop_wheelhouse: "{{ securedrop_app_code_deb_dir }}/var/securedrop/wheelhouse" securedrop_pip_freeze: "{{ securedrop_code_filtered }}/requirements/securedrop-app-code-requirements.lock" 
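Review bot: The new `securedrop_pip_requirements_rehashed` restates the directory and basename already encoded in `securedrop_pip_requirements`, so the two Ansible paths can drift apart independently of the postinst path the commit message already flags as non-DRY. Deriving one from the other keeps the generated file co-located with the reviewed one by construction: `securedrop_pip_requirements_rehashed: "{{ securedrop_pip_requirements | regex_replace('\\.txt$', '-rehashed.txt') }}"`. A comment on the variable along the lines of `# written by hash_built_wheels.py at build time; the in-package path is hardcoded in debian/postinst` would help whoever renames it next.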
diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/hash_built_wheels.py b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/hash_built_wheels.py index 3fcb058ab28..bc5f989d612 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/hash_built_wheels.py +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/hash_built_wheels.py @@ -7,6 +7,7 @@ REQUIREMENTS_FILE = os.environ['SD_REQUIREMENTS'] WHEELHOUSE = os.environ['SD_WHEELHOUSE'] LOCK_FILE = os.environ['SD_PIP_LOCK'] +REQUIREMENTS_FILE_REHASHED = os.environ['SD_REQUIREMENTS_REHASHED'] def main(): @@ -24,7 +25,8 @@ def main(): package_string = "{}-{}".format(package.replace("-", "_"), version) new_reqs += "{}=={}".format(package, version) new_reqs += " --hash=sha256:{}\n".format(get_hash_for_package(package_string)) - with open(REQUIREMENTS_FILE, "w") as reqs_file: + + with open(REQUIREMENTS_FILE_REHASHED, "w") as reqs_file: reqs_file.write(new_reqs) diff --git a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml index 6b7d595c4ed..b29d0602153 100644 --- a/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml +++ b/install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml 
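Review bot: Writing the rehashed pins to a separate file means pip's `--require-hashes` check at install time is now satisfied entirely by hashes this script computed from the wheelhouse, and nothing in the hunk confirms that the `package`/`version` pairs it emits match the pins in the version-controlled `REQUIREMENTS_FILE` (still read from `SD_REQUIREMENTS` in the unchanged context above but no longer written). A wheel for a version that is not in the reviewed requirements file would receive a perfectly valid hash and be installed without complaint. Before the `open(REQUIREMENTS_FILE_REHASHED, "w")`, compare the emitted `package==version` set against the pins parsed from `REQUIREMENTS_FILE` and abort the build on any difference, e.g. `if emitted_pins != expected_pins: raise SystemExit("rehashed pins diverge from {}".format(REQUIREMENTS_FILE))`. `main` and the loop that supplies `package` and `version` start before this hunk, so such a check may already exist there — worth confirming rather than assuming.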
@@ -44,16 +44,16 @@ - name: Copy script copy: - src: "hash_built_wheels.py" - dest: "/tmp/" + src: hash_built_wheels.py + dest: /tmp/hash_built_wheels.py - name: Generate hashes via script and generate new securedrop-app-code-requirements.txt - shell: - "python3 /tmp/hash_built_wheels.py" + command: python3 /tmp/hash_built_wheels.py environment: SD_REQUIREMENTS: "{{ securedrop_pip_requirements }}" SD_WHEELHOUSE: "{{ securedrop_wheelhouse }}" SD_PIP_LOCK: "{{ securedrop_pip_freeze }}" + SD_REQUIREMENTS_REHASHED: "{{ securedrop_pip_requirements_rehashed }}" - include: translations.yml diff --git a/install_files/securedrop-app-code/debian/postinst b/install_files/securedrop-app-code/debian/postinst index cc106f891e4..2f726194bf4 100644 --- a/install_files/securedrop-app-code/debian/postinst +++ b/install_files/securedrop-app-code/debian/postinst @@ -125,7 +125,7 @@ case "$1" in chown -R www-data:www-data /var/lib/securedrop /var/www/securedrop pip install --no-index --find-links=/var/securedrop/wheelhouse --upgrade \ - --require-hashes -r /var/www/securedrop/requirements/securedrop-app-code-requirements.txt + --require-hashes -r /var/www/securedrop/requirements/securedrop-app-code-requirements-rehashed.txt chown -R www-data:www-data /var/www/securedrop chown www-data:www-data /var/www/journalist.wsgi
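Review bot: The task name `Generate hashes via script and generate new securedrop-app-code-requirements.txt` is now misleading, since after this change the script writes `securedrop_pip_requirements_rehashed` and deliberately leaves the original file untouched; rename it to something like `Generate hashes via script into securedrop-app-code-requirements-rehashed.txt`. Switching from `shell` to `command` is a welcome tightening. Less certain: the script is copied to a fixed name in world-writable `/tmp` and executed from there, which on a shared builder lets another local user pre-create that path and at least break the build; a path under `{{ securedrop_app_code_deb_dir }}` or a per-run `tempfile` directory avoids that, though it is moot if the build always runs in a throwaway container, which this hunk does not show.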
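Review bot: The new `-r .../securedrop-app-code-requirements-rehashed.txt` path is now the only input `--require-hashes` is checked against, yet postinst gives no indication that it is a build-time artifact rather than the reviewed requirements file that still ships alongside it in the package. Add a comment above the `pip install`, e.g. `# Generated at package build time by hash_built_wheels.py from the wheelhouse (securedrop_pip_requirements_rehashed in the build role); the version-controlled securedrop-app-code-requirements.txt next to it is NOT what gets installed.` so a rename on the Ansible side is not discovered only when installs start failing. Whether postinst runs under `set -e` is outside this hunk; if it does not, a missing file makes pip fail while the following `chown` lines still run, so a guard such as `[ -f /var/www/securedrop/requirements/securedrop-app-code-requirements-rehashed.txt ] || exit 1` before the install would fail fast.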