Requirements pinning for app code build

[emkll]

Status

Ready for review

Description of Changes

Towards #3270, #1617 : Pin hashes for securedrop-app-code python requirements. Until now, we were blocked by Trusty tooling (see #3477)

This should be a stopgap until we implement a more complete solution that will also offer .deb reproducibility, described in freedomofpress/securedrop-builder#34.

Testing

Test plan:

• Changes to the app code build logic make sense
• All tests pass when running make build-debs
• .deb build successful and application/infra tests pass (CI should pass)
• Local upgrade testing is successful
• Changing hashes for the source tarballs in securedrop-app-code-requirements.txt should make the build fail.
• Modify securedrop-app-code-requirements.txt file for a source tarball should result in build failure.

Since the build process is automated, proper verification requires adding a wait_for: timout=3600s at the end of install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/tasks/build_securedrop_app_code_deb.yml and using diffoscope to look at build wheels in the wheelhouse vs wheels in the deb package

• Inside the container, /tmp/w.out contains build information of the wheels (confirm that we actually built the wheels)
• Wheels in /tmp/securedrop-app-code_0.13.0~rc1+xenial_amd64/var/securedrop/wheelhouse/ are nearly identical to those in the deb package while using diffoscope, the difference is in the zip files and metadata within.

You can unzip the wheels and diff the folder contents, eg:

$diffoscope cryptography-2.6.1.dist-info/ ../../cryptography-2.6.1.dist-info/
 |#################################################################|  100%                             Time: 0:00:00 
--- cryptography-2.6.1.dist-info/
+++ ../../cryptography-2.6.1.dist-info/
├── stat {}
│ @@ -1,8 +1,8 @@
│  
│    Size: 4096      	Blocks: 8          IO Block: 4096   directory
│  Links: 2
│  Access: (0755/drwxr-xr-x)  Uid: ( 1000/       m)   Gid: ( 1000/       m)
│  
│ -Modify: 2019-05-15 18:59:21.382879799 +0000
│ +Modify: 2019-05-15 18:57:38.587575536 +0000
│  
[...]

and

$ diffoscope cryptography/ ../../cryptography/
 |#################################################################|  100%                             Time: 0:00:03 
--- cryptography/
+++ ../../cryptography/
├── stat {}
│ @@ -1,8 +1,8 @@
│  
│    Size: 4096      	Blocks: 8          IO Block: 4096   directory
│  Links: 4
│  Access: (0755/drwxr-xr-x)  Uid: ( 1000/       m)   Gid: ( 1000/       m)
│  
│ -Modify: 2019-05-15 18:59:21.438879419 +0000
│ +Modify: 2019-05-15 18:57:38.583575562 +0000
│  
│   Birth: -
│   --- cryptography/__about__.py
├── +++ ../../cryptography/__about__.py
├── stat {}
│ │ @@ -1,8 +1,8 @@
│ │  
│ │    Size: 816       	Blocks: 8          IO Block: 4096   regular file
│ │  Links: 1
│ │  Access: (0644/-rw-r--r--)  Uid: ( 1000/       m)   Gid: ( 1000/       m)
│ │  
│ │ -Modify: 2019-02-27 16:02:06.000000000 +0000
│ │ +Modify: 2019-02-28 04:27:52.000000000 +0000
│ │  
│ │   Birth: -
│   --- cryptography/__init__.py
├── +++ ../../cryptography/__init__.py
├── stat {}
│ │ @@ -1,8 +1,8 @@
│ │  
│ │    Size: 527       	Blocks: 8          IO Block: 4096   regular file
│ │  Links: 1
│ │  Access: (0644/-rw-r--r--)  Uid: ( 1000/       m)   Gid: ( 1000/       m)
│ │  
│ │ -Modify: 2019-02-27 16:02:06.000000000 +0000
│ │ +Modify: 2019-02-28 04:27:52.000000000 +0000
│ │  

Deployment

Mostly a dev/build environment change, but all changes to prod instances will be delivered via the securedrop-app-code package.

Checklist

If you made changes to the server application code:

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR

[emkll]

This should be ready for re-review, I've updated the test plan and all tests pass locally.

[redshiftzero]

my testing thus far:

• Changes to the app code build logic make sense
• All tests pass when running make build-debs - yes modulo known issue test_deb_package_contains_expected_conffiles fails on macOS #4191
• .deb build successful and application/infra tests pass (CI should pass) - waiting on CI
• Local upgrade testing is successful - not doing, @conorsch kicking this off
• Changing hashes for the source tarballs in securedrop-app-code-requirements.txt should make the build fail:

    TASK [build-securedrop-app-code-deb-pkg : Ensure source hash sums matched at wheel build-time] ***
    fatal: [xenial-sd-app]: FAILED! => {"changed": false, "failed_when_result": true, "msg": "Source hash sum mismatch, build cannot continue."}

• Inside the container, /tmp/w.out contains build information of the wheels (confirm that we actually built the wheels)
• Wheels in /tmp/securedrop-app-code_0.13.0~rc1+xenial_amd64/var/securedrop/wheelhouse/ are nearly identical to those in the deb package while using diffoscope, the difference is in the zip files and metadata within.

[redshiftzero]

staging build failure due to too long with no output, gonna restart once..

[redshiftzero]

this time another timeout but later in the provisioning process:

    RUNNING HANDLER [common : Wait for server to come back.] ***********************
    ok: [mon-staging -> localhost]
    fatal: [app-staging -> localhost]: FAILED! => {"changed": false, "elapsed": 300, "msg": "Timeout when waiting for search string OpenSSH in 192.168.121.127:22"}

[conorsch]

• Local upgrade testing is successful

Performed interactive testing post-upgrade, including:

• submitting documents and messages
• replying to submissions
• viewing replies via source account

LGTM. We're blocked here by recurring CI failures, opened #4440 to track.

[emkll]

rebased on latest develop

[redshiftzero]

based on testing performed yesterday, approving for merge provided the staging CI job passes

[emkll]

@redshiftzero apologies, this will need another stamp: I had to force push another change to resolve lint failure: the develop-requirements were using bandit 1.6.0, i reverted to 1.4.0 (see #4424) .

[emkll]

Due to some issues with linting in ci [1,2], I've dropped the commits that would contain the develop-requirements hashes. Let's open a follow-up task to track this to unblock merge of the app code requirements hashes.

[1] : https://circleci.com/gh/freedomofpress/securedrop/27948
[2] : https://circleci.com/gh/freedomofpress/securedrop/27927

[redshiftzero]

re-approving after removing the dev requirements