From 2aecf1c2aa6679ddd8ee3757a42e5694f437afb3 Mon Sep 17 00:00:00 2001 From: Kushal Das Date: Tue, 4 Sep 2018 16:27:42 +0530 Subject: [PATCH 1/2] Fixes #3772, allows Authorization header to pass If deploying to Apache using mod_wsgi, the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level. See http://www.django-rest-framework.org/api-guide/authentication/#apache-mod_wsgi-specific-configuration for more details. --- .../roles/app/templates/sites-available/journalist.conf | 1 + .../staging/app/apache/test_apache_journalist_interface.py | 1 + 2 files changed, 2 insertions(+) diff --git a/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf b/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf index 0212ab4f7f..4fd947c3e0 100644 --- a/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf +++ b/install_files/ansible-base/roles/app/templates/sites-available/journalist.conf @@ -4,6 +4,7 @@ ServerName {{ securedrop_app_apache_listening_address }} WSGIDaemonProcess journalist processes=2 threads=30 display-name=%{GROUP} python-path=/var/www/securedrop WSGIProcessGroup journalist WSGIScriptAlias / /var/www/journalist.wsgi +WSGIPassAuthorization On # Tell the browser not to cache HTML responses in order to minimize the chance # of the inadvertent release or retention of sensitive data. For more, see diff --git a/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py b/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py index b83e4fea2d..345dc6b580 100644 --- a/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py +++ b/molecule/testinfra/staging/app/apache/test_apache_journalist_interface.py @@ -86,6 +86,7 @@ def test_apache_headers_journalist_interface(File, header): securedrop_test_vars.securedrop_code), 'WSGIProcessGroup journalist', 'WSGIScriptAlias / /var/www/journalist.wsgi', + 'WSGIPassAuthorization On', 'Header set Cache-Control "no-store"', "Alias /static {}/static".format(securedrop_test_vars.securedrop_code), """ From f3e81ca63c478064b3b1efc9dc7031e19ae38be2 Mon Sep 17 00:00:00 2001 From: Conor Schaefer Date: Tue, 4 Sep 2018 10:36:35 -0700 Subject: [PATCH 2/2] Adds WSGIPassAuthorization header via postinst In order to ensure config updates during scheduled nightly upgrades for 0.9.0, we must patch the Apache config in-place. The approach uses an in-place substitution on the journalist vhost config file, checking first for the presence of the line, and skipping the substitution is it's already found. --- .../securedrop-app-code/DEBIAN/postinst | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/install_files/securedrop-app-code/DEBIAN/postinst b/install_files/securedrop-app-code/DEBIAN/postinst index 3fc413be0f..a36a72ed88 100755 --- a/install_files/securedrop-app-code/DEBIAN/postinst +++ b/install_files/securedrop-app-code/DEBIAN/postinst @@ -63,6 +63,19 @@ database_migration() { fi } +# Supports passing authorization headers for the SecureDrop API. +# Only affects the Journalist Interface. Required for unattended upgrade +# to v0.9.0. +function permit_wsgi_authorization() { + journalist_conf="/etc/apache2/sites-available/journalist.conf" + # First we check whether the line is present. + # Next we find a target line to anchor the insertion. + # Then we insert the line, along with the target line that was matched. + if ! grep -qP '^WSGIPassAuthorization' "$journalist_conf"; then + perl -pi -e 's/^(WSGIScriptAlias .*)/$1\nWSGIPassAuthorization On/' "$journalist_conf" + fi +} + case "$1" in configure) # Ensure SecureDrop's necessary directories are created @@ -99,6 +112,9 @@ case "$1" in aa-enforce /etc/apparmor.d/usr.sbin.tor aa-enforce /etc/apparmor.d/usr.sbin.apache2 + # Munge Apache config while service is stopped. + permit_wsgi_authorization + # Restart apache so it loads with the apparmor profiles in enforce mode. service apache2 restart