Disable v2 onion addresses on restore on Focal #5677

Merged
merged 3 commits into from
Feb 24, 2021
Expand Up @@ -49,6 +49,10 @@ def strset(s):
print("The Tor configuration in the backup matches the server.")
sys.exit(0)

if (3 in server_versions) and (3 in backup_versions):
print("V3 services detected in backup and server - proceeding with v3-only restore")
sys.exit(0)

print(
"The Tor configuration on the app server offers version {} services.".format(
strset(server_versions)
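--- a/install_files/ansible-base/roles/restore/files/disable_v2.py
+++ b/install_files/ansible-base/roles/restore/files/disable_v2.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+# To execute on prod:
+# python3 disable_v2.py /etc/tor/torrc /etc/tor/torrc
+# To execute for testing locally:
+# python3 disable_v2.py /etc/tor/torrc /tmp/dumytorrc
+import sys
+
+
+def filter_v2(filename):
+# Read the file
+with open(filename) as f:
+data = f.readlines()
+# We will store the filtered lines to result
+result = []
+
+i = 0
+while i < len(data):
+line = data[i]
+if line == "HiddenServiceDir /var/lib/tor/services/source\n":
+i += 1
+while data[i].strip() == "":
+i += 1
+line = data[i]
+if line == "HiddenServiceVersion 2\n":
+i += 1
+line = data[i]
+while data[i].strip() == "":
+i += 1
+line = data[i]
+if line == "HiddenServicePort 80 127.0.0.1:80\n":
+i += 1
+continue
+# Now check for journalist
+if line == "HiddenServiceDir /var/lib/tor/services/journalist\n":
+i += 1
+while data[i].strip() == "":
+i += 1
+line = data[i]
+if line == "HiddenServiceVersion 2\n":
+i += 1
+line = data[i]
+while data[i].strip() == "":
+i += 1
+line = data[i]
+if line == "HiddenServicePort 80 127.0.0.1:8080\n":
+i += 1
+line = data[i]
+while data[i].strip() == "":
+i += 1
+line = data[i]
+if line == "HiddenServiceAuthorizeClient stealth journalist\n":
+i += 1
+continue
+# Now the v2 ssh access
+if line == "HiddenServiceDir /var/lib/tor/services/ssh\n":
+i += 1
+while data[i].strip() == "":
+i += 1
+line = data[i]
+if line == "HiddenServiceVersion 2\n":
+i += 1
+line = data[i]
+while data[i].strip() == "":
+i += 1
+line = data[i]
+if line == "HiddenServicePort 22 127.0.0.1:22\n":
+i += 1
+line = data[i]
+while data[i].strip() == "":
+i += 1
+line = data[i]
+if line == "HiddenServiceAuthorizeClient stealth admin\n":
+i += 1
+continue
+
+result.append(line)
+i += 1
+
+# Now return the result
+return result
+
+
+if __name__ == "__main__":
+filename = sys.argv[1]
+outputfilename = sys.argv[2]
+result = filter_v2(filename)
+with open(outputfilename, "w") as fobj:
+for line in result:
+fobj.write(line)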
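Review bot: filter_v2 discards a `HiddenServiceDir` line the moment it matches, before it knows whether the service is v2, so a block whose next non-blank line is not byte-exactly `HiddenServiceVersion 2\n` (a v3 service under one of the three directories, a trailing space, a port spec written differently) ends up with its `HiddenServiceVersion`/`HiddenServicePort` lines kept but no `HiddenServiceDir` before them, and tor then attributes those ports to whatever service was declared earlier in the file. The `data[i]` reads after each `i += 1` inside the `while data[i].strip() == ""` loops also raise IndexError when the matched line or its trailing blank run is the last thing in the file, which aborts the restore before the output is written. Treating each service as a unit — gather the `HiddenServiceDir` line together with the `HiddenService*`/blank lines that follow it, then keep or drop the whole group depending on whether it declares version 2 — removes both failure modes; a sketch is below, still limited to the three directories the commit targets. Because the `__main__` block is invoked with the same path for input and output, writing to a temporary file beside the target and `os.replace()`-ing it would additionally avoid leaving a truncated torrc if the write is interrupted.
```python
# Only these three v2 services are removed; v3 services live elsewhere.
V2_SERVICE_DIRS = {
    "HiddenServiceDir /var/lib/tor/services/source",
    "HiddenServiceDir /var/lib/tor/services/journalist",
    "HiddenServiceDir /var/lib/tor/services/ssh",
}


def _drop_block(block):
    # Drop a block only if it is one of the targeted directories AND it
    # explicitly declares version 2; token comparison tolerates stray whitespace.
    if not block or " ".join(block[0].split()) not in V2_SERVICE_DIRS:
        return False
    return any(ln.split() == ["HiddenServiceVersion", "2"] for ln in block)


def filter_v2(filename):
    with open(filename) as f:
        data = f.readlines()

    result = []
    block = []  # current HiddenServiceDir line plus its HiddenService*/blank lines

    def close_block():
        if not _drop_block(block):
            result.extend(block)  # keep v3 / unversioned services intact
        block.clear()

    for line in data:
        stripped = line.strip()
        if stripped.startswith("HiddenServiceDir"):
            close_block()
            block.append(line)
        elif block and (stripped == "" or stripped.startswith("HiddenService")):
            block.append(line)
        else:
            close_block()
            result.append(line)
    close_block()  # a block that runs to end-of-file is still decided
    return result
# … unchanged: __main__ block …
```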
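--- a/install_files/ansible-base/roles/restore/tasks/main.yml
+++ b/install_files/ansible-base/roles/restore/tasks/main.yml
@@ -32,6 +32,7 @@
 connection: local
 become: no
 command: "python {{ role_path }}/files/compare_torrc.py {{ torrc_check_dir.path }}"
+register: compare_result
 
 - name: Remove temporary directory for Tor configuration check
 connection: local
@@ -52,7 +53,17 @@
 dest: /
 remote_src: yes
 src: "/tmp/{{ restore_file}}"
-when: restore_skip_tor is not defined
+when: (restore_skip_tor is not defined) and
+("V3 services detected" not in compare_result.stdout)
+
+- name: Extract backup, using v3 services only
+unarchive:
+dest: /
+remote_src: yes
+src: "/tmp/{{ restore_file}}"
+exclude: "var/lib/tor/services/source,var/lib/tor/services/journalist,var/lib/tor/services/ssh"
+when: (restore_skip_tor is not defined) and
+("V3 services detected" in compare_result.stdout)
 
 - name: Extract backup, skipping tor service configuration
 unarchive:
@@ -73,6 +84,36 @@
 name: apache2
 state: reloaded
 
+- name: Copy disable_v2.py script for Focal
+copy:
+src: "{{ role_path }}/files/disable_v2.py"
+dest: /opt/disable_v2.py
+when: (ansible_distribution_release == 'focal') or
+("V3 services detected" in compare_result.stdout)
+
+- name: Execute disable_v2 script on Focal
+command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc
+when: (ansible_distribution_release == 'focal') or
+("V3 services detected" in compare_result.stdout)
+
+- name: Remove v2 tor source directory
+file:
+state: absent
+path: /var/lib/tor/services/source
+when: ansible_distribution_release == 'focal'
+
+- name: Remove v2 tor journalist directory
+file:
+state: absent
+path: /var/lib/tor/services/journalist
+when: ansible_distribution_release == 'focal'
+
+- name: Remove disable_v2.py script on Focal
+file:
+state: absent
+path: /opt/disable_v2.py
+when: ansible_distribution_release == 'focal'
+
 - name: Reload Tor service
 service:
 name: tor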
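Review bot: The copy and execute tasks for disable_v2.py run when the release is focal *or* V3 services were detected, but `Remove disable_v2.py script on Focal` is gated on focal alone, so a non-Focal host that takes the v3-only path runs the script and then leaves it behind in `/opt/disable_v2.py`; the removal task should use the same `when: (ansible_distribution_release == 'focal') or ("V3 services detected" in compare_result.stdout)` condition as the tasks that put it there. The `"V3 services detected" in compare_result.stdout` expression is now repeated in four tasks and ties the playbook to a print string in compare_torrc.py; a single `set_fact: restore_v3_only: "{{ 'V3 services detected' in compare_result.stdout }}"` placed right after the `register: compare_result` line would give every task one name to test and one place to update. If the compare task can be skipped (its own `when:`, if it has one, is outside this hunk), `compare_result.stdout` is undefined and the `or` conditions fail to evaluate on non-Focal hosts; `("V3 services detected" in (compare_result.stdout | default('')))` guards that. The script also strips the v2 ssh block while only the source and journalist directories are removed — presumably deliberate, but a short comment on the removal tasks saying why ssh is left in place would save the next reader the question.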