Uses tags for RPC grants denoting Client privileges #299

Merged Jul 25, 2019 (2 commits)

@conorsch conorsch commented Jul 24, 2019

Updates the Qubes RPC policy definitions to use a tag sd-client rather than hardcoded VM name sd-svs, in order to accommodate dev envs on Qubes for working on the SecureDrop Client. Related issues:

Testing

  1. In dom0, run `make clone && make clean && make all`
  2. Confirm that `make test` passes without errors
  3. Run `qvm-tags sd-dev add sd-client`
  4. Proceed with review of "Supports opening submissions in DispVMs from Qubes dev env" (securedrop-client#490) to confirm new tagging setup permits `sd-dev` to open Client submissions in DispVMs

Conor Schaefer added 2 commits July 24, 2019 10:43
We use a tag rather than a hardcoded AppVM name to support flexible
configuration. In the main, this is useful to developers, so that the
`sd-dev` AppVM can be tagged with `sd-client`, and thereby make calls as
though it were `sd-svs`. The Salt logic does not create `sd-dev`, it's
up to the developer to configure that machine.

Includes corresponding config test updates to validate the RPC policy
changes. There are no functional changes to sd-svs grants, merely the
possibility that other VMs can be manually granted similar capability.

Includes docs, recommending that developers add the new `sd-client` tag
to the dev VM manually, if working on the Client code.

We're folding the mimetype handlers and profile settings into the
"securedrop-client" Debian package, so removing the corresponding Salt
config tasks here. The pyqt dependencies are already included in the
securedrop-client control file, so we don't need to redeclare them here.

Updates config tests to validate file contents, still, but without
direct file comparison, since the files have been removed from this
repo.
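
The first commit message above describes replacing a hardcoded source VM name with a tag in the RPC policy. The sketch below is an added example, not code from this pull request or from the project: it models first-match policy evaluation for literal names, `$anyvm` and `$tag:NAME` only, and lists which VMs end up with the grant. The `$tag:` spelling (Qubes 4.0 policy syntax), the DispVM target `example-dvm`, the `work` VM and the tag table are assumptions, since the page does not show the policy files.

```python
# Added illustration: simplified model of Qubes 4.0 RPC policy matching.
# Handles only literal names, $anyvm and $tag:NAME; real policies have more tokens.

# Constructed policy texts; "example-dvm" is a placeholder DispVM template name.
HARDCODED = """\
sd-svs  $dispvm:example-dvm  allow
$anyvm  $anyvm               deny
"""

TAGGED = """\
$tag:sd-client  $dispvm:example-dvm  allow
$anyvm          $anyvm               deny
"""

TARGET = "$dispvm:example-dvm"

# Constructed tag assignments, as they would look after
# `qvm-tags sd-dev add sd-client` (sd-svs carrying the tag is an assumption).
VM_TAGS = {"sd-svs": {"sd-client"}, "sd-dev": {"sd-client"}, "work": set()}


def matches(token, vm, vm_tags):
    """True if one policy token matches the given VM name or target string."""
    if token == "$anyvm":
        return True
    if token.startswith("$tag:"):
        return token[len("$tag:"):] in vm_tags.get(vm, set())
    return token == vm


def evaluate(policy, source, target, vm_tags):
    """Return the action of the first matching rule; deny if nothing matches."""
    for line in policy.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, action = line.split()[:3]
        if matches(src, source, vm_tags) and matches(dst, target, vm_tags):
            return action.split(",")[0]
    return "deny"


def granted_sources(policy, target, vm_tags):
    """Audit helper: every known VM that the policy allows to call `target`."""
    return sorted(v for v in vm_tags if evaluate(policy, v, target, vm_tags) == "allow")
```

With the tag-based rule, the set returned by `granted_sources` is decided by tag assignments in dom0 rather than by the policy file alone, so reviewing who holds the `sd-client` tag becomes part of auditing the grant.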
@sssoleileraaa sssoleileraaa left a comment


works as advertised

Successfully merging this pull request may close these issues.

Change qubes-rpc policies to refer to the SVS VM by tag rather than name, to support development client VMs