diff --git a/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf b/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf
index 0212ab4f7f..4fd947c3e0 100644
--- a/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf
+++ b/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf
@@ -4,6 +4,7 @@ ServerName {{ securedrop_app_apache_listening_address }}
 WSGIDaemonProcess journalist processes=2 threads=30 display-name=%{GROUP} python-path=/var/www/securedrop
 WSGIProcessGroup journalist
 WSGIScriptAlias / /var/www/journalist.wsgi
+WSGIPassAuthorization On
 
 # Tell the browser not to cache HTML responses in order to minimize the chance
 # of the inadvertent release or retention of sensitive data. For more, see
diff --git a/install_files/securedrop-app-code/DEBIAN/postinst b/install_files/securedrop-app-code/DEBIAN/postinst
index 3fc413be0f..a36a72ed88 100755
--- a/install_files/securedrop-app-code/DEBIAN/postinst
+++ b/install_files/securedrop-app-code/DEBIAN/postinst
@@ -63,6 +63,19 @@ database_migration() {
     fi
 }
 
+# Supports passing authorization headers for the SecureDrop API.
+# Only affects the Journalist Interface. Required for unattended upgrade
+# to v0.9.0.
+function permit_wsgi_authorization() { journalist_conf="/etc/apache2/sites-available/journalist.conf" # First we check whether the line is present. # Next we find a target line to anchor the insertion. # Then we insert the line, along with the target line that was matched. if ! grep -qP '^WSGIPassAuthorization' "$journalist_conf"; then perl -pi -e 's/^(WSGIScriptAlias .*)/$1\nWSGIPassAuthorization On/' "$journalist_conf" fi
+}
+
 case "$1" in
     configure)
     # Ensure SecureDrop's necessary directories are created
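Review bot: The new `WSGIPassAuthorization On` line carries no comment, although the neighbouring security-relevant directive (the Cache-Control block right below it) explains its purpose; add one, e.g. `# Forward the Authorization header to the WSGI app: the Journalist API authenticates clients with a token carried in that header, which mod_wsgi does not pass through by default.`. That comment should also say that the token now reaches the application process, so it must not end up in application or Apache request logs. The directive sits at virtual-host level and so presumably applies to the whole Journalist Interface, not just the API routes; if only `/api` needs it, a `<Location /api>` scope would be the tighter choice — confirm against the app's routing.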
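Review bot: `permit_wsgi_authorization` succeeds silently when its anchor is missing: if no line matches `^WSGIScriptAlias`, the `perl -pi` substitution is a no-op, the function returns 0, and the upgraded host is left without `WSGIPassAuthorization On`, so API token authentication would fail with nothing in the upgrade log to explain it. After the perl line, verify the outcome, e.g. `grep -q '^WSGIPassAuthorization On' "$journalist_conf" || echo "WARNING: could not enable WSGIPassAuthorization in $journalist_conf" >&2`. The idempotency guard `grep -qP '^WSGIPassAuthorization'` also treats a pre-existing `WSGIPassAuthorization Off` as already done; matching the value as well (`'^WSGIPassAuthorization[[:space:]]+On'`) would catch that, though an `Off` line would then need replacing rather than a second directive inserted. If this script runs under `/bin/sh` rather than bash, the `function` keyword is a bashism — the shebang is outside the hunk.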
@@ -99,6 +112,9 @@ case "$1" in
     aa-enforce /etc/apparmor.d/usr.sbin.tor
     aa-enforce /etc/apparmor.d/usr.sbin.apache2
+    # Munge Apache config while service is stopped.
+    permit_wsgi_authorization
+
     # Restart apache so it loads with the apparmor profiles in enforce mode.
     service apache2 restart
diff --git a/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py b/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py
index b83e4fea2d..345dc6b580 100644
--- a/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py
+++ b/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py
@@ -86,6 +86,7 @@ def test_apache_headers_journalist_interface(File, header):
             securedrop_test_vars.securedrop_code),
         'WSGIProcessGroup journalist',
         'WSGIScriptAlias / /var/www/journalist.wsgi',
+        'WSGIPassAuthorization On',
         'Header set Cache-Control "no-store"',
         "Alias /static {}/static".format(securedrop_test_vars.securedrop_code),
         """
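Review bot: The comment `# Munge Apache config while service is stopped.` is not supported by the surrounding lines: nothing in the hunk stops apache, and the `service apache2 restart` two lines below is what actually loads the edited configuration (a stop may happen earlier in the `configure)` branch, which begins outside the hunk). Reword it to what the code shows, e.g. `# Insert WSGIPassAuthorization into journalist.conf; the restart below picks it up.`. Because a rewritten config that fails to parse would make that restart fail and leave the Journalist Interface down, consider running `apache2ctl configtest` right after `permit_wsgi_authorization` and logging loudly on failure.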
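Review bot: The added expectation `'WSGIPassAuthorization On'` only exercises the freshly templated journalist.conf, not the postinst `permit_wsgi_authorization` path that rewrites an existing config with perl during an upgrade, which is the riskier of the two; a staging test that starts from a config lacking the directive and checks it after the package postinst has run would cover that gap. `test_apache_headers_journalist_interface` starts before and ends after the hunk.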