Adds option to restore from backup file already on server.

[zenmonkeykstop]

Status

Ready for review

Description of Changes

Fixes #5906 .

when the --no-transfer argument is used with ./securedrop-admin restore,
instead of transferring the backup tarball to the Application Server, the
local copy of the tarball will be compared with an expected remote file of the
same name in /tmp on the server. If checksums match, the remote copy will be
used to perform the backup.

This is intended to address cases where backups are too large to reliably
transmit over Tor via the Ansible synchronize module. Instead, backups can be
copied to the server using rsync, or via an encrypted transfer USB.

Testing

• Acquire some backup files (one v2-only (v2-only.tar.gz), one v2+v3(v2nv3.tar.gz))

• Set up a prod Focal instance

• switch to this branch on the admin workstation

• copy the backup files to the ad admin home directory on the app server

• on the app server: sudo cp v2nv3.tar.gz /tmp/v2-only.tar.gz

• on the admin workstation: ./securedrop-admin --force restore --preserve-tor-config --no-transfer install_files/ansible-base/v2-only.tar.gz

  • confirm that the restore process quits with a message about a checksum mismatch without performing any server-side steps.

• on the app server: sudo cp v2-only.tar.gz /tmp/

• on the admin workstation: ./securedrop-admin --force restore --preserve-tor-config --no-transfer install_files/ansible-base/v2-only.tar.gz

  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does not run.

• on the app server: sudo rm /tmp/v2-only.tar.gz

• on the admin workstation: ./securedrop-admin --force restore --preserve-tor-config install_files/ansible-base/v2-only.tar.gz

  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does run.

• on the app server: sudo cp v2-only.tar.gz /tmp/v2nv3.tar.gz

• on the admin workstation: ./securedrop-admin --force restore --no-transfer install_files/ansible-base/v2nv3.tar.gz

  • confirm that the restore process quits with a message about a checksum mismatch without performing any server-side steps.

• on the app server: sudo cp v2nv3.tar.gz /tmp/

• on the admin workstation: ./securedrop-admin --force restore --no-transfer install_files/ansible-base/v2nv3.tar.gz

  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does not run.

• on the app server: sudo rm /tmp/v2nv3.tar.gz

• on the admin workstation: ./securedrop-admin --force restore --no-transfer install_files/ansible-base/v2nv3.tar.gz

  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does run.

• for extra points, try playing around with other backup files - take chances, make mistakes, get messy!

Deployment

Deployed with admin workstaiton update

Checklist

If you made changes to securedrop-admin:

• Linting and tests (make -C admin test) pass in the admin development container

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR

Choose one of the following:

• I have opened a PR in the docs repo for these changes, or will do so later
• I would appreciate help with the documentation
• These changes do not require documentation

[rmol]

What do you think about allowing a full path, to allow for /tmp on the server not having enough free space?

[zenmonkeykstop]

I'm not in favour of it - points against:

• The SD setup instructions as they stand don't result in a separate /tmp partition, so if there's enough space on / this isn't an issue - and the backup job would have failed in the first place as it also uses /tmp
• this is the current backup location - it would introduce more changes and would require extra work to make sure backup tempfiles are purged from whatever alternate location was specified.

[emkll]

In general, writing sensitive files to /tmp is not recommended [1], due to the permissions of that partition, and the ability of all system users to write to it. In this case, the servers are effectively single-user systems, so the risks are relatively low, but in the case where an attacker has unprivileged access to the system, they may have access to more information.

[1] some links/references in https://security.openstack.org/guidelines/dg_using-temporary-files-securely.html

[kushaldas]

The following steps failed:

• on the app server: sudo cp v2nv3.tar.gz /tmp/
• on the admin workstation: ./securedrop-admin --force restore --no-transfer install_files/ansible-base/v2nv3.tar.gz
  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does not run.
• on the app server: sudo rm /tmp/v2nv3.tar.gz
• on the admin workstation: ./securedrop-admin --force restore --no-transfer install_files/ansible-base/v2nv3.tar.gz
  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does run.

The error message:

TASK [restore : Verify that local and remote backup file checksums match] **************************************
fatal: [app]: FAILED! => {}

MSG:

The conditional check 'remote_backup_file.stat.checksum == local_backup_file.stat.checksum' failed. The error was: error while evaluating conditional (remote_backup_file.stat.checksum == local_backup_file.stat.checksum): 'dict object' has no attribute 'checksum'

NO MORE HOSTS LEFT *********************************************************************************************

NO MORE HOSTS LEFT *********************************************************************************************

PLAY RECAP *****************************************************************************************************
app                        : ok=10   changed=6    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

[kushaldas]

I guess the test step is wrong, -no-transfer should not be there in the command for that final test.

[kushaldas]

Tested with

• on the admin workstation: ./securedrop-admin --force restore --preserve-tor-config --no-transfer install_files/ansible-base/v2-only.tar.gz

  • confirm that the restore process quits with a message about a checksum mismatch without performing any server-side steps.

• on the app server: sudo cp v2-only.tar.gz /tmp/

• on the admin workstation: ./securedrop-admin --force restore --preserve-tor-config --no-transfer install_files/ansible-base/v2-only.tar.gz

  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does not run.

• on the app server: sudo rm /tmp/v2-only.tar.gz

• on the admin workstation: ./securedrop-admin --force restore --preserve-tor-config install_files/ansible-base/v2-only.tar.gz

  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does run.

• on the app server: sudo cp v2-only.tar.gz /tmp/v2nv3.tar.gz

• on the admin workstation: ./securedrop-admin --force restore --no-transfer install_files/ansible-base/v2nv3.tar.gz

  • confirm that the restore process quits with a message about a checksum mismatch without performing any server-side steps.

• on the app server: sudo cp v2nv3.tar.gz /tmp/

• on the admin workstation: ./securedrop-admin --force restore --no-transfer install_files/ansible-base/v2nv3.tar.gz

  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does not run.

• on the app server: sudo rm /tmp/v2nv3.tar.gz

• on the admin workstation: ./securedrop-admin --force restore install_files/ansible-base/v2nv3.tar.gz

  • confirm that the restore process completes sucessfully, and that the task to transfer the tarball does run.

I am okay to merge this. Will do so after the standup.