freedomofpress · conorsch · Feb 10, 2021 · Jan 11, 2021 · Feb 9, 2021 · Feb 10, 2021
@@ -6,3 +6,7 @@
 # as necessary.
 - name: reboot
   include: "{{ role_path }}/../../tasks/reboot.yml"
+
+- name: update apt cache
+  apt:
+    update_cache: yes
@@ -4,5 +4,10 @@
     dest: /etc/apt/sources.list
     mode: "0644"
     owner: root
+  notify: update apt cache
   tags:
     - apt
+
+# Ensure apt cache is updated before proceeding, otherwise
+# packages may fail to install.
+- meta: flush_handlers
@@ -49,9 +49,11 @@ scenario:
     - converge
 verifier:
   name: testinfra
-  lint:
+  lint: |
     flake8
   directory: ../testinfra
   options:
     n: auto
     v: 2
+  env:
+    SECUREDROP_TESTINFRA_TARGET_HOST: qubes-staging
@@ -7,21 +7,6 @@ monitor_ip: "{{ hostvars['mon-staging']['ansible_default_ipv4'].address }}"
 # Use hardcoded username from the manual VM provisioning step.
 ssh_users: sdadmin
 
-# Override the default logic to determine remote host connection info.
-# Since we're using the "delegated" driver in Molecule, there's no inventory
-# file in play for the connection, only the "instance config" file.
-# Molecule will try to connect to the hostname, e.g. "app-staging".
-# Let's look up the IP address already written to the instance config file,
-# and wait for that address when the VMs are rebooting.
-remote_host_ref: >-
-  {{ lookup('file', lookup('env', 'MOLECULE_INSTANCE_CONFIG'))
-     | from_yaml
-     | selectattr('instance', 'eq', ansible_host)
-     | map(attribute='address')
-     | first
-     | default (ansible_host)
-  }}
-
 securedrop_target_distribution: focal
 
 # Inform the Ansible logic we're targeting Qubes staging VMs,

@@ -26,8 +26,8 @@ platforms:
 
 provisioner:
   name: ansible
-  lint:
-    name: ansible-lint
+  lint: |
+    ansible-lint
   config_options:
     defaults:
       callback_whitelist: "profile_tasks, timer"
@@ -49,9 +49,11 @@ scenario:
     - converge
 verifier:
   name: testinfra
-  lint:
-    name: flake8
+  lint: |
+    flake8
   directory: ../testinfra
   options:
     n: auto
     v: 2
+  env:
+    SECUREDROP_TESTINFRA_TARGET_HOST: qubes-staging
@@ -7,21 +7,6 @@ monitor_ip: "{{ hostvars['mon-staging']['ansible_default_ipv4'].address }}"
 # Use hardcoded username from the manual VM provisioning step.
 ssh_users: sdadmin
 
-# Override the default logic to determine remote host connection info.
-# Since we're using the "delegated" driver in Molecule, there's no inventory
-# file in play for the connection, only the "instance config" file.
-# Molecule will try to connect to the hostname, e.g. "app-staging".
-# Let's look up the IP address already written to the instance config file,
-# and wait for that address when the VMs are rebooting.
-remote_host_ref: >-
-  {{ lookup('file', lookup('env', 'MOLECULE_INSTANCE_CONFIG'))
-     | from_yaml
-     | selectattr('instance', 'eq', ansible_host)
-     | map(attribute='address')
-     | first
-     | default (ansible_host)
-  }}
-
 securedrop_target_distribution: xenial
 
 # Inform the Ansible logic we're targeting Qubes staging VMs,

@@ -0,0 +1,44 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT DROP
+:LOGNDROP -
+-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT
+-A INPUT -i lo -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to source int" -j ACCEPT
+-A INPUT -i lo -p tcp -m tcp --dport 8080 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor connection from local loopback to connect to journalist int" -j ACCEPT
+-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -i lo -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT
+{% for address in dns_server -%}
+-A INPUT -s {{ address }}/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+-A INPUT -s {{ address }}/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+{% endfor -%}
+-A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
+-A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
+-A INPUT -s {{ mon_ip }}/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT
+-A INPUT -s {{ mon_ip }}/32 -p tcp -m tcp --dport 22 -m comment --comment "Block explicitly SSH from the adjacent SD component" -j DROP
+-A INPUT -s {{ ssh_ip }}/32 -i {{ default_interface }} -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit incoming ssh traffic" -j ACCEPT
+-A INPUT -s {{ ssh_ip }}/32 -i {{ default_interface }} -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
+-A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP
+-A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP
+-A OUTPUT -p tcp -m owner --uid-owner {{ tor_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor outbound" -j ACCEPT
+-A OUTPUT -m owner --uid-owner {{ tor_user_id }} -m comment --comment "Drop all other traffic for tor" -j LOGNDROP
+-A OUTPUT -o lo -p tcp -m tcp --sport 80 -m owner --uid-owner {{ securedrop_user_id }} -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT
+-A OUTPUT -o lo -p tcp -m tcp --sport 8080 -m owner --uid-owner {{ securedrop_user_id }} -m state --state RELATED,ESTABLISHED -m comment --comment "Restrict the apache user outbound connections" -j ACCEPT
+-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -o lo -p tcp -m owner --uid-owner {{ securedrop_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "for redis worker all application user local loopback user" -j ACCEPT
+-A OUTPUT -m owner --uid-owner {{ securedrop_user_id }} -m comment --comment "Drop all other traffic by the securedrop user" -j LOGNDROP
+-A OUTPUT -m owner --gid-owner {{ ssh_group_gid }} -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP
+{% for address in dns_server -%}
+-A OUTPUT -d {{ address }}/32 -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+-A OUTPUT -d {{ address }}/32 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+{% endfor -%}
+-A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
+-A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
+-A OUTPUT -d {{ mon_ip }}/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "OSSEC server agent" -j ACCEPT
+-A OUTPUT -o eth0 -p tcp -m owner --uid-owner 0 -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
+-A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP
+-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid
+-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
+-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
+-A LOGNDROP -j DROP
+COMMIT
@@ -14,6 +14,8 @@
 @pytest.mark.skip_in_prod
 def test_app_iptables_rules(host):
 
+    local = host.get_host("local://")
+
     # Build a dict of variables to pass to jinja for iptables comparison
     kwargs = dict(
         mon_ip=os.environ.get('MON_IP', securedrop_test_vars.mon_ip),
@@ -24,9 +26,13 @@ def test_app_iptables_rules(host):
         ssh_group_gid=host.check_output("getent group ssh | cut -d: -f3"),
         dns_server=securedrop_test_vars.dns_server)
 
+    # Required for testing under Qubes.
+    if local.interface("eth0").exists:
+        kwargs["ssh_ip"] = local.interface("eth0").addresses[0]
+
     # Build iptables scrape cmd, purge comments + counters
     iptables = r"iptables-save | sed 's/ \[[0-9]*\:[0-9]*\]//g' | egrep -v '^#'"
-    environment = os.environ.get("CI_SD_ENV", "staging")
+    environment = os.environ.get("SECUREDROP_TESTINFRA_TARGET_HOST", "staging")
     iptables_file = "{}/iptables-app-{}.j2".format(
                           os.path.dirname(os.path.abspath(__file__)),
                           environment)

@@ -59,12 +59,7 @@ def test_apparmor_tor_exact_capabilities(host):
     assert str(len(tor_capabilities)) == c
 
 
-@pytest.mark.parametrize('profile', [
-    'ntpd',
-    'apache2',
-    'tcpdump',
-    'tor',
-])
+@pytest.mark.parametrize('profile', sdvars.apparmor_enforce)
 def test_apparmor_ensure_not_disabled(host, profile):
     """
     Explicitly check that enforced profiles are NOT in /etc/apparmor.d/disable
@@ -106,11 +101,10 @@ def test_apparmor_total_profiles(host):
     """ Ensure number of total profiles is sum of enforced and
         complaining profiles """
     with host.sudo():
-        total_expected = str(len(sdvars.apparmor_enforce)
-                             + len(sdvars.apparmor_complain))
+        total_expected = len(sdvars.apparmor_enforce) + len(sdvars.apparmor_complain)
         # Xenial about ~20 profiles, so let's expect
         # *at least* the sum.
-        assert host.check_output("aa-status --profiled") >= total_expected
+        assert int(host.check_output("aa-status --profiled")) >= total_expected
 
 
 def test_aastatus_unconfined(host):

@@ -96,7 +96,5 @@ def test_sudoers_tmux_env_deprecated(host):
     old setting isn't still active.
     """
 
-    admin_user = "vagrant"
-
-    f = host.file("/home/{}/.bashrc".format(admin_user))
+    f = host.file("/home/{}/.bashrc".format(sdvars.admin_user))
     assert not f.contains(r"^. \/etc\/bashrc\.securedrop_additions$")
@@ -0,0 +1,47 @@
+*filter
+:INPUT DROP
+:FORWARD DROP
+:OUTPUT DROP
+:LOGNDROP -
+-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -m comment --comment "Allow traffic back for tor" -j ACCEPT
+{% for address in dns_server -%}
+-A INPUT -s {{ address }}/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+-A INPUT -s {{ address }}/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+{% endfor -%}
+-A INPUT -p udp -m udp --sport 123 --dport 123 -m state --state RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
+-A INPUT -p tcp -m multiport --sports 80,8080,443 -m state --state RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
+-A INPUT -s {{ app_ip }}/32 -p udp -m udp --dport 1514 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT
+{% for address in dns_server -%}
+-A INPUT -s {{ address }}/32 -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+-A INPUT -s {{ address }}/32 -p udp -m udp --sport 53 -m state --state RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+{% endfor -%}
+-A INPUT -p tcp -m tcp --sport 587 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT
+-A INPUT -s {{ app_ip }}/32 -p tcp -m tcp --dport 22 -m comment --comment "Block explicitly SSH from the adjacent SD component" -j DROP
+-A INPUT -s {{ ssh_ip }}/32 -i {{ default_interface }} -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -m comment --comment "Rate limit incoming ssh traffic" -j ACCEPT
+-A INPUT -s {{ ssh_ip }}/32 -i {{ default_interface }} -p tcp -m tcp --dport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -i lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
+-A INPUT -p tcp -m state --state INVALID -m comment --comment "drop but do not log inbound invalid state packets" -j DROP
+-A INPUT -m comment --comment "Drop and log all other incoming traffic" -j LOGNDROP
+-A OUTPUT -p tcp -m owner --uid-owner {{ tor_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow tor outbound" -j ACCEPT
+-A OUTPUT -m owner --uid-owner {{ tor_user_id }} -m comment --comment "Drop all other traffic for tor" -j LOGNDROP
+-A OUTPUT -m owner --gid-owner {{ ssh_group_gid }} -m comment --comment "Drop all other outbound traffic for ssh user" -j LOGNDROP
+{% for address in dns_server -%}
+-A OUTPUT -d {{ address }}/32 -p tcp -m tcp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+-A OUTPUT -d {{ address }}/32 -p udp -m udp --dport 53 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "tcp/udp dns" -j ACCEPT
+{% endfor -%}
+-A OUTPUT -p udp -m udp --sport 123 --dport 123 -m owner --uid-owner 0 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment ntp -j ACCEPT
+-A OUTPUT -p tcp -m multiport --dports 80,8080,443 -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "apt updates" -j ACCEPT
+-A OUTPUT -d {{ app_ip }}/32 -p udp -m udp --sport 1514 -m state --state RELATED,ESTABLISHED -m comment --comment "Allow OSSEC agent to monitor" -j ACCEPT
+{% for address in dns_server -%}
+-A OUTPUT -d {{ address }}/32 -p tcp -m tcp --dport 53 -m owner --uid-owner {{ postfix_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT
+-A OUTPUT -d {{ address }}/32 -p udp -m udp --dport 53 -m owner --uid-owner {{ postfix_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "postfix dns rule" -j ACCEPT
+{% endfor -%}
+-A OUTPUT -p tcp -m tcp --dport 587 -m owner --uid-owner {{ postfix_user_id }} -m state --state NEW,RELATED,ESTABLISHED -m comment --comment "Allow ossec email alerts out" -j ACCEPT
+-A OUTPUT -o {{ default_interface }} -p tcp -m owner --uid-owner 0 -m tcp --sport 22 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -o lo -m comment --comment "Allow lo to lo traffic all protocols" -j ACCEPT
+-A OUTPUT -m comment --comment "Drop all other outgoing traffic" -j DROP
+-A LOGNDROP -p tcp -m limit --limit 5/min -j LOG --log-tcp-options --log-ip-options --log-uid
+-A LOGNDROP -p udp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
+-A LOGNDROP -p icmp -m limit --limit 5/min -j LOG --log-ip-options --log-uid
+-A LOGNDROP -j DROP
+COMMIT
@@ -13,6 +13,8 @@
 @pytest.mark.skip_in_prod
 def test_mon_iptables_rules(host):
 
+    local = host.get_host("local://")
+
     # Build a dict of variables to pass to jinja for iptables comparison
     kwargs = dict(
         app_ip=os.environ.get('APP_IP', securedrop_test_vars.app_ip),
@@ -23,9 +25,13 @@ def test_mon_iptables_rules(host):
         postfix_user_id=host.check_output("id -u postfix"),
         dns_server=securedrop_test_vars.dns_server)
 
+    # Required for testing under Qubes.
+    if local.interface("eth0").exists:
+        kwargs["ssh_ip"] = local.interface("eth0").addresses[0]
+
     # Build iptables scrape cmd, purge comments + counters
     iptables = r"iptables-save | sed 's/ \[[0-9]*\:[0-9]*\]//g' | egrep -v '^#'"
-    environment = os.environ.get("CI_SD_ENV", "staging")
+    environment = os.environ.get("SECUREDROP_TESTINFRA_TARGET_HOST", "staging")
     iptables_file = "{}/iptables-mon-{}.j2".format(
         os.path.dirname(os.path.abspath(__file__)),
         environment)

@@ -0,0 +1,83 @@
+---
+# Testinfra vars file for app-staigng.
+wanted_apache_headers:
+  - 'Header edit Set-Cookie ^(.*)$ $1;HttpOnly'
+  - 'Header always append X-Frame-Options: DENY'
+  - 'Header set Referrer-Policy "same-origin"'
+  - 'Header set X-XSS-Protection: "1; mode=block"'
+  - 'Header set X-Content-Type-Options: nosniff'
+  - 'Header set X-Download-Options: noopen'
+  - "Header set X-Content-Security-Policy: \"default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';\""
+  - "Header set Content-Security-Policy: \"default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; font-src 'self';\""
+  - 'Header unset Etag'
+
+securedrop_venv: /opt/venvs/securedrop-app-code
+securedrop_venv_bin: "{{ securedrop_venv }}/bin"
+securedrop_venv_site_packages: "{{ securedrop_venv }}/lib/python3.5/site-packages"
+securedrop_code: /var/www/securedrop
+securedrop_data: /var/lib/securedrop
+securedrop_user: www-data
+
+app_hostname: app-staging
+monitor_hostname: mon-staging
+
+apache_listening_address: 127.0.0.1
+apache_source_log: /var/log/apache2/source-error.log
+apache_allow_from: 127.0.0.1
+
+dns_server:
+  - 8.8.8.8
+  - 8.8.4.4
+mon_ip: 10.137.0.51
+app_ip: 10.137.0.50
+
+pip_deps:
+  - name: 'Flask'
+    version: '1.0.2'
+
+apparmor_complain: []
+
+app_directories:
+  - /var/www/securedrop
+  - /var/lib/securedrop
+  - /var/lib/securedrop/store
+  - /var/lib/securedrop/keys
+  - /var/lib/securedrop/tmp
+
+tor_services:
+  - name: source
+    ports:
+      - "80"
+    authenticated: no
+    version: 2
+
+  - name: journalist
+    ports:
+      - "80"
+      - "8080"
+    authenticated: yes
+    client: journalist
+    version: 2
+
+  - name: journalistv3
+    ports:
+      - "80"
+    authenticated: yes
+    version: 3
+
+  - name: sourcev3
+    ports:
+      - "80"
+    authenticated: no
+    version: 3
+
+# Staging permits presence of "source-error.log".
+allowed_apache_logfiles:
+  - /var/log/apache2/access.log
+  - /var/log/apache2/error.log
+  - /var/log/apache2/journalist-access.log
+  - /var/log/apache2/journalist-error.log
+  - /var/log/apache2/other_vhosts_access.log
+  - /var/log/apache2/source-error.log
+
+fpf_apt_repo_url: "https://apt-test.freedom.press"