Check for updates before most securedrop-admin commands #5788
Conversation
| if update_status is True: | ||
| sdlog.error("You are not running the most recent signed SecureDrop release " | ||
| "on this workstation.") | ||
| sdlog.error("Latest available version: {}".format(latest_tag)) |
There was a problem hiding this comment.
I wonder if we can also print the current branch/tag the repository is in.
There was a problem hiding this comment.
I played with that as well in an earlier version. The problem is that the current_tag variable is only useful for version comparisons, as it produces highly confusing output e.g., on develop, due to its reliance on git describe. For current develop, that results in 0.6-rc2-2646-g5eaad3b04 (!), as that's the most recent reachable tag. In addition to a branch or tag, the local repo may be in HEAD detached state, or in any of a number of different git states (dirty repo, rebase in progress, etc.).
The first line of git status is generally informative, as is the starred line of git branch. We could collect either line (we should probably do so in check_for_updates) and print it out. I think that would be helpful to ease troubleshooting.
I have a slight preference for git branch as its output tends to be a bit more terse. I would suggest doing this in a follow-up PR, to keep this one tightly scoped to the update check. Here's a one-liner for doing that in Python (without error handling):
re.search(r"\* (.*)\n", subprocess.check_output(['git', 'branch']).decode('utf-8')).group(1)
There was a problem hiding this comment.
I have no strong feelings one way or the other if the goal is just to print out the current branch/tag - but! the output from git status will also let you know if there are code changes in the repo (e.g. unsanctioned poking at ansible defaults), giving you a few more options:
you're on x branch/tag, update to <latest>you're on x branch/tag and there are changed files, resolve this then upgrade to latest
This is probably not going to be a one-liner though.
There was a problem hiding this comment.
For now pushed to a WIP branch: https://github.com/freedomofpress/securedrop/compare/5317-check-for-updates..5317-check-for-updates-debug-info
This tries to get us the best of both worlds:
- use
git branchfor terse information that can be included in the output - recommends using
git statusfor troubleshooting
Will still need its own test and may fail CI as-is. If the approach seems sound, happy to include in this PR, or in a follow-up PR, at the reviewer's discretion.
There was a problem hiding this comment.
Since review is still pending, I'll just clean this change up a bit further and fold it into this PR now.
There was a problem hiding this comment.
Done, and test plan updated. I've refrained from any further mangling of the git branch output as it's possible to use Tails in languages other than English.
eloquence
force-pushed
the
5317-check-for-updates
branch
from
3e0531e to
e63f6e9
Compare
|
(Rebased on latest |
|
(Added test plan and promoted to ready.) |
eloquence
force-pushed
the
5317-check-for-updates
branch
from
e63f6e9 to
033a9a6
Compare
Can be skipped with --force argument.
eloquence
force-pushed
the
5317-check-for-updates
branch
from
033a9a6 to
26e6087
Compare
There was a problem hiding this comment.
Code change looks good.
- Create a backup copy of your
~/Persistent/securedropas warranted. - Fetch all updates with
git fetch --alland check out git tag1.7.1 - Apply the changes from this branch via
git cherry-pick -n 75249c2ef9dc9ad383fa02e6c1fe9a3a4117b38d && git cherry-pick -n 26e608723fed7e7a0f166caed3d2e395583a02f1. This will stage the changes for commit -- you can verify this viagit diff --cached. - Run
securedrop-admin check_for_updates
- Observe that the command reports "All updates applied"
- Run
securedrop-admin logs
- Observe that securedrop-admin checks for updates before running the playbook
- Observe that securedrop-admin attempts to run the logs playbook
- Switch to an older tag (you may need to discard re-apply the changes)
- Run
securedrop-admin logs
- Observe that securedrop-admin checks for updates and reports that updates are available
- Observe that securedrop-admin fails to complete due to a version mismatch
- Observe that securedrop-admin reports the checked out tag as
Current branch status
- Run
securedrop-admin --force logs
- Observe that securedrop-admin now skips the update check and runs the logs playbook
- Check out the
developbranch and repeat steps 7 and 8 and the associated checks. - Bounce the network connection in Tails.
- Observe that the graphical updater runs to completion and puts you back on the 1.7.1 tag.
- (Optional) Test and observe that all
securedrop-adminsubcommands annotated via the decorator (see diff) run the update check and produce the expected help output
- Discard the unstaged changes with
git reset --hard.
Status
Ready for review
Description of Changes
Fixes #5317
Provides a new decorator,
@update_check_required, and adds it tosecuredrop-adminsubcommands which make significant modifications on the workstation or the server. If the update check detects a need to update (using the existing logic insecuredrop-admin), it will display a message explaining how to update. A--forceoption is provided in case the user wishes to intentionally run a subcommand with a playbook version that differs from the most recent signed release tag (e.g., during QA).Testing
This change is best tested on a real or virtualized Admin Workstation in Tails.
~/Persistent/securedropas warranted.git fetch --alland check out git tag1.7.1git cherry-pick -n 75249c2ef9dc9ad383fa02e6c1fe9a3a4117b38d && git cherry-pick -n 26e608723fed7e7a0f166caed3d2e395583a02f1. This will stage the changes for commit -- you can verify this viagit diff --cached.securedrop-admin check_for_updatessecuredrop-admin logssecuredrop-admin logsCurrent branch statussecuredrop-admin --force logsdevelopbranch and repeat steps 7 and 8 and the associated checks.securedrop-adminsubcommands annotated via the decorator (see diff) run the update check and produce the expected help outputgit reset --hard.Deployment
Note that this will only be available to users after the next workstation update.
Checklist
If you made changes to
securedrop-admin:make -C admin test) pass in the admin development containerIf you made non-trivial code changes:
Docs
While this change is largely self-documenting and does not conflict with previous guidance, I intend to add a brief explanation to the documentation, in particular https://docs.securedrop.org/en/stable/admin.html#the-securedrop-admin-utility