freedomofpress · conorsch · Sep 5, 2018 · Sep 4, 2018 · Sep 4, 2018
@@ -4,6 +4,7 @@ ServerName {{ securedrop_app_apache_listening_address }}
 WSGIDaemonProcess journalist processes=2 threads=30 display-name=%{GROUP} python-path=/var/www/securedrop
 WSGIProcessGroup journalist
 WSGIScriptAlias / /var/www/journalist.wsgi
+WSGIPassAuthorization On
 
 # Tell the browser not to cache HTML responses in order to minimize the chance
 # of the inadvertent release or retention of sensitive data. For more, see

@@ -63,6 +63,19 @@ database_migration() {
     fi
 }
 
+# Supports passing authorization headers for the SecureDrop API.
+# Only affects the Journalist Interface. Required for unattended upgrade
+# to v0.9.0.
+function permit_wsgi_authorization() {
+    journalist_conf="/etc/apache2/sites-available/journalist.conf"
+    # First we check whether the line is present.
+    # Next we find a target line to anchor the insertion.
+    # Then we insert the line, along with the target line that was matched.
+    if ! grep -qP '^WSGIPassAuthorization' "$journalist_conf"; then
+        perl -pi -e 's/^(WSGIScriptAlias .*)/$1\nWSGIPassAuthorization On/' "$journalist_conf"
+    fi
+}
+
 case "$1" in
     configure)
     # Ensure SecureDrop's necessary directories are created
@@ -99,6 +112,9 @@ case "$1" in
     aa-enforce /etc/apparmor.d/usr.sbin.tor
     aa-enforce /etc/apparmor.d/usr.sbin.apache2
 
+    # Munge Apache config while service is stopped.
+    permit_wsgi_authorization
+
     # Restart apache so it loads with the apparmor profiles in enforce mode.
     service apache2 restart
 

@@ -86,6 +86,7 @@ def test_apache_headers_journalist_interface(File, header):
       securedrop_test_vars.securedrop_code),
   'WSGIProcessGroup journalist',
   'WSGIScriptAlias / /var/www/journalist.wsgi',
+  'WSGIPassAuthorization On',
   'Header set Cache-Control "no-store"',
   "Alias /static {}/static".format(securedrop_test_vars.securedrop_code),
   """