(develop) securedrop-admin tailsconfig forces presence of tor_v3_keys.json for Journalist Workstations

[eloquence]

Description

Journalist Workstations should not hold a copy of tor_v3_keys.json, which contains sensitive SSH onion service client authentication keys. However, running securedrop-admin --force tailsconfig on current develop fails with an error complaining that tor_v3_keys.json is missing.

Steps to reproduce

1. On a fresh Tails USB w/ persistence set up, check out https://github.com/freedomofpress/securedrop/ and copy valid app-sourcev3-ths and app-journalist.auth_private files into ~/Persistent/securedrop/install_files/ansible-base (per instructions in https://docs.securedrop.org/en/stable/onboarding.html)
2. Run ./securedrop-admin setup
3. Run ./securedrop-admin --force tailsconfig

Expected behavior

Command completes without error

Actual behavior

Command fails with error:

Authentication files for v3 onion services were found, but the corresponding tor_v3_keys.json file is missing. To enable updates to an existing SecureDrop instance, please add this file under ~/Persistent/securedrop/install_files/ansible-base.

This only happens on the develop branch, not on the last signed release tag.

Analysis

My read is that this is fallout from #5915, which removed the v3_onion_services condition here:

securedrop/install_files/ansible-base/roles/validate/tasks/validate_tails_environment.yml

Lines 80 to 90 in 0e74ac2

	- name: Confirm that the Tor keys file is present
	assert:
	that:
	- v3_tor_key.stat.exists
	msg: >-
	Authentication files for v3 onion services were found, but the
	corresponding `tor_v3_keys.json` file is missing. To enable updates
	to an existing SecureDrop instance, please add this file under
	`~/Persistent/securedrop/install_files/ansible-base`.
	when:
	- v3_journalist_auth_file.stat.exists

v3_onion_services previously defaulted to False, ensuring that the check did not run on Journalist Workstations.