Address review feedback

- Fail faster when upgrading apt. - Provide a more descriptive message if apt traffic is redirected.
freedomofpress · Jan 24, 2019 · cf84a81 · cf84a81
1 parent 4204d02
commit cf84a81
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/install_files/ansible-base/roles/install-fpf-repo/tasks/upgrade_apt.yml b/install_files/ansible-base/roles/install-fpf-repo/tasks/upgrade_apt.yml
@@ -3,14 +3,24 @@
 # If apt < 1.4.9, it is vulnerable to CVE-2019-3462 and we must ensure no
 # redirects are followed when updating apt via apt.
 - name: Upgrade apt without following redirects
-  shell : |
-    apt -o Acquire::http::AllowRedirect=false update
+  shell : >
+    apt -o Acquire::http::AllowRedirect=false update &&
     apt -o Acquire::http::AllowRedirect=false --only-upgrade -y install apt
   become: yes
   register: _apt_upgrade_command_output_results
   changed_when: "'1 upgraded, 0 newly installed, 0 to remove' in _apt_upgrade_command_output_results.stdout"
   tags: apt
 
+- name: Inform user that apt traffic is being redirected
+  assert:
+    that:
+      - "'302 Found' not in _apt_upgrade_command_output_results.stdout"
+      - "'302 Found' not in _apt_upgrade_command_output_results.stderr"
+    fail_msg: >-
+      It appears your apt traffic is being redirected.
+      SecureDrop cannot be installed. For details, see
+      https://github.com/freedomofpress/securedrop/issues/4058
+
 - name: Get apt version
   shell: dpkg-query --showformat='${Version}' --show apt
   register: _apt_query_command_output_result
@@ -20,14 +30,14 @@
 
 - name: Verify that the version of apt installed is not vulnerable to 2019-3462 (Xenial)
   assert:
-    that: "{{ _apt_query_command_output_result.stdout is version('1.2.29ubuntu0.1', '>=') }}"
+    that: _apt_query_command_output_result.stdout is version('1.2.29ubuntu0.1', '>=')
   when: ansible_distribution_release == 'xenial'
   tags:
     - apt
 
 - name: Verify that the version of apt installed is not vulnerable to 2019-3462 (Trusty)
   assert:
-    that: "{{ _apt_query_command_output_result.stdout is version('1.0.1ubuntu2.19', '>=') }}"
+    that: _apt_query_command_output_result.stdout is version('1.0.1ubuntu2.19', '>=')
   when: ansible_distribution_release == 'trusty'
   tags:
     - apt