Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Release SecureDrop 1.6.0 #5501

Closed
22 tasks done
emkll opened this issue Sep 16, 2020 · 6 comments · Fixed by #5569
Closed
22 tasks done

Release SecureDrop 1.6.0 #5501

emkll opened this issue Sep 16, 2020 · 6 comments · Fixed by #5569

Comments

@emkll
Copy link
Contributor

emkll commented Sep 16, 2020
edited by zenmonkeykstop
Loading

This is a tracking issue for the release of SecureDrop 1.6.0

Tentatively scheduled as follows:

String and feature freeze: 2020-09-23
String comment period: 2020-09-23 to 2020-09-29
Translation period: 2020-09-29 to 2020-10-06
Pre-release announcement: 2020-09-30
Release date: 2020-10-07

Release manager: @emkll
Deputy release manager: @zenmonkeykstop
Localization manager: @kushaldas
Deputy localization manager: @conorsch
Communications manager: @rocodes

SecureDrop maintainers and testers: As you QA 1.6.0, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 1.6.0 milestone for tracking (or ask a maintainer to do so).

Test debian packages will be posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.

QA Matrix for 1.6.0

Test Plan for 1.6.0

Prepare release candidate (1.6.0~rc1)

Prepare release candidate (1.6.0~rc2)

After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and 1.6.0-specific testing below in comments to this ticket.

Final release

Post release
@emkll emkll pinned this issue Sep 16, 2020
@emkll emkll mentioned this issue Sep 24, 2020
Merged
3 tasks
@emkll
Copy link
Contributor Author

emkll commented Sep 28, 2020
edited
Loading

Cron-apt upgrade on Mac mini (with nuc5 mon server) - Complete

Environment

  • Install target: Mac mini app server, NUC5 mon server
  • Tails version: 4.11
  • Test Scenario: cron-apt upgrade from 1.5.0
  • SSH over Tor: Yes
  • Onion service version: v3
  • Release candidate: RC1
  • General notes:

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.5.0 and restore this backup on 1.6.0
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • DID NOT TEST Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

Updater GUI

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • DID NOT TEST Updating occurs without issue

1.6.0 release-specific changes

Journalist API changes

  • /users endpoint works as expected and does not include is_admin (Add /users endpoint #5506)
  • seen/unseen (bolded) behavior in the JI works as expected (downloaded/not downloaded) (Add seen tables and update seen status based on downloads in JI #5505)
  • Test the new /seen endpoint (API changes for listing/marking source conversation items that have been seen by journalists #5513).

    • Visit the source interface and submit a file and a message.

    • Store the journalist interface URL in the JI environment variable, e.g. export JI=http://your-JI-address-here.onion

    • Create a new journalist account with manage.py add-journalist

    • Get an API token with it (using its actual credentials, of course):

      export TOKEN=$(torify curl -s -X POST -H "Content-Type: application/json" --data '{"username":"journalist","passphrase":"correct horse battery
staple profanity oil chewy","one_time_code":"935664"}' ${JI}/api/v1/token | jq -r .token)

    • List current submissions:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/submissions | jq

      All should have a seen_by property, but the new journalist's UUID should not appear in any of them.

    • Mark the message you submitted as a source seen (correct the UUID in the command below):

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"messages": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 200, the response {"message":"resources marked seen"}.

    • Mark the same message seen again. There should be no error.

    • Retrieve /submissions again. The message's seen_by list should now contain your journalist account's UUID.

    • Visit the source of the message in the journalist interface. The message you marked should not be listed in bold text. Clicking "Select unread" should not select that message.

    • Visit the source list in the journalist interface. Select the source of the message you marked and click "Download Unread". The zip file you receive should not contain the seen message.

    • Now submit the same request, but specifying that the UUID belongs to a file:

      torify curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"files": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 404, the response {"error":"Not Found","message":"file not found: e711d29d-d0a1-440f-80e4-6642b77ec3ea"}.

    • Repeat the same checks for the submitted file.

    • In the journalist interface, reply to your test source.

    • Create another journalist account.

    • Get another API token for the second journalist account.

    • Retrieve the list of all replies:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/replies | jq

      Only the UUID of the journalist that replied should be listed in the reply's seen_by list.

    • Mark the reply read by the second journalist:

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"replies": ["06bed593-f2d6-46eb-b85f-23adc7ea290d"]}' ${JI}/api/v1/seen

    • Hit /replies again and confirm that the second journalist's UUID appears in the reply's seen_by list.

Packaging changes

There are 5 .pyc files for psutil Also checked there are .pyc files in the __pycache__ folder of all dependencies in site-packages. The timestamp resolves to install/upgrade time, they are probably generated locally?:

Upgrade testing only:

@zenmonkeykstop
Copy link
Contributor

zenmonkeykstop commented Sep 30, 2020
edited
Loading

QA plan

  • NUC5s
  • NUC7s
  • Mac Minis
  • 1U test servers

1.6.0 QA Checklist

For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report. Note that in order to test #5483, you should select multiple languages when running ./securedrop-admin sdconfig.

If you have submitted a QA report already for a 1.6.0 release candidate with successful basic server testing and application acceptance testing sections, then you can skip these sections in subsequent reports, unless otherwise indicated by the Release Manager. This is to ensure that you focus your QA effort on the 1.6.0-specific changes as well as changes since the previous release candidate.

Environment

  • Install target: VMs
  • Tails version: 4.11
  • Test Scenario: update
  • SSH over Tor: yes
  • Onion service version: v2+v3
  • Release candidate: rc1
  • General notes:

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them not tested
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup IP-based tests failing but otherwise good
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.5.0 and restore this backup on 1.6.0
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication not tested

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in not tested
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

Updater GUI

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue timed out, possibly due to general VM sluggishness

1.6.0 release-specific changes

Journalist API changes

  • /users endpoint works as expected and does not include is_admin (Add /users endpoint #5506)
  • seen/unseen (bolded) behavior in the JI works as expected (downloaded/not downloaded) (Add seen tables and update seen status based on downloads in JI #5505)
  • Test the new /seen endpoint (API changes for listing/marking source conversation items that have been seen by journalists #5513).

    • Visit the source interface and submit a file and a message.

    • Store the journalist interface URL in the JI environment variable, e.g. export JI=http://your-JI-address-here.onion

    • Create a new journalist account with manage.py add-journalist

    • Get an API token with it (using its actual credentials, of course):

      export TOKEN=$(torify curl -s -X POST -H "Content-Type: application/json" --data '{"username":"journalist","passphrase":"correct horse battery
staple profanity oil chewy","one_time_code":"935664"}' ${JI}/api/v1/token | jq -r .token)

    • List current submissions:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/submissions | jq

      All should have a seen_by property, but the new journalist's UUID should not appear in any of them.

    • Mark the message you submitted as a source seen (correct the UUID in the command below):

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"messages": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 200, the response {"message":"resources marked seen"}.

    • Mark the same message seen again. There should be no error.

    • Retrieve /submissions again. The message's seen_by list should now contain your journalist account's UUID.

    • Visit the source of the message in the journalist interface. The message you marked should not be listed in bold text. Clicking "Select unread" should not select that message.

    • Visit the source list in the journalist interface. Select the source of the message you marked and click "Download Unread". The zip file you receive should not contain the seen message.

    • Now submit the same request, but specifying that the UUID belongs to a file:

      torify curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"files": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 404, the response {"error":"Not Found","message":"file not found: e711d29d-d0a1-440f-80e4-6642b77ec3ea"}.

    • Repeat the same checks for the submitted file.

    • In the journalist interface, reply to your test source.

    • Create another journalist account.

    • Get another API token for the second journalist account.

    • Retrieve the list of all replies:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/replies | jq

      Only the UUID of the journalist that replied should be listed in the reply's seen_by list.

    • Mark the reply read by the second journalist:

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"replies": ["06bed593-f2d6-46eb-b85f-23adc7ea290d"]}' ${JI}/api/v1/seen

    • Hit /replies again and confirm that the second journalist's UUID appears in the reply's seen_by list.

Packaging changes

Upgrade testing only:

Preflight

  • Ensure the builder image is up-to-date on release day

These tests should be performed the day of release prior to live debian packages on apt.freedom.press

Basic testing

  • Install or upgrade occurs without error
  • Source interface is available and version string indicates it is 1.6.0
  • A message can be successfully submitted

Tails

  • The updater GUI appears on boot
  • The update successfully occurs to 1.6.0
  • After reboot, updater GUI no longer appears

@rmol
Copy link
Contributor

rmol commented Sep 30, 2020

Environment

  • Install target: NUC 7i5BNH
  • Tails version: 4.11
  • Test Scenario: cron-apt upgrade
  • SSH over Tor: yes
  • Onion service version: v3
  • Release candidate: rc1
  • General notes:

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.5.0 and restore this backup on 1.6.0
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

Updater GUI

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.6.0 release-specific changes

Journalist API changes

  • /users endpoint works as expected and does not include is_admin (Add /users endpoint #5506)
  • seen/unseen (bolded) behavior in the JI works as expected (downloaded/not downloaded) (Add seen tables and update seen status based on downloads in JI #5505)
  • Test the new /seen endpoint (API changes for listing/marking source conversation items that have been seen by journalists #5513).

    • Visit the source interface and submit a file and a message.

    • Store the journalist interface URL in the JI environment variable, e.g. export JI=http://your-JI-address-here.onion

    • Create a new journalist account with manage.py add-journalist

    • Get an API token with it (using its actual credentials, of course):

      export TOKEN=$(torify curl -s -X POST -H "Content-Type: application/json" --data '{"username":"journalist","passphrase":"correct horse battery
staple profanity oil chewy","one_time_code":"935664"}' ${JI}/api/v1/token | jq -r .token)

    • List current submissions:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/submissions | jq

      All should have a seen_by property, but the new journalist's UUID should not appear in any of them.

    • Mark the message you submitted as a source seen (correct the UUID in the command below):

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"messages": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 200, the response {"message":"resources marked seen"}.

    • Mark the same message seen again. There should be no error.

    • Retrieve /submissions again. The message's seen_by list should now contain your journalist account's UUID.

    • Visit the source of the message in the journalist interface. The message you marked should not be listed in bold text. Clicking "Select unread" should not select that message.

    • Visit the source list in the journalist interface. Select the source of the message you marked and click "Download Unread". The zip file you receive should not contain the seen message.

    • Now submit the same request, but specifying that the UUID belongs to a file:

      torify curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"files": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 404, the response {"error":"Not Found","message":"file not found: e711d29d-d0a1-440f-80e4-6642b77ec3ea"}.

    • Repeat the same checks for the submitted file.

    • In the journalist interface, reply to your test source.

    • Create another journalist account.

    • Get another API token for the second journalist account.

    • Retrieve the list of all replies:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/replies | jq

      Only the UUID of the journalist that replied should be listed in the reply's seen_by list.

    • Mark the reply read by the second journalist:

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"replies": ["06bed593-f2d6-46eb-b85f-23adc7ea290d"]}' ${JI}/api/v1/seen

    • Hit /replies again and confirm that the second journalist's UUID appears in the reply's seen_by list.

Packaging changes

Upgrade testing only:

This was referenced Oct 5, 2020
Merged
Merged
@rocodes rocodes mentioned this issue Oct 5, 2020
Merged
2 tasks
@zenmonkeykstop
Copy link
Contributor

zenmonkeykstop commented Oct 6, 2020
edited
Loading

QA plan

  • NUC5s
  • NUC7s
  • Mac Minis
  • 1U test servers

1.6.0 QA Checklist

For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report. Note that in order to test #5483, you should select multiple languages when running ./securedrop-admin sdconfig.

If you have submitted a QA report already for a 1.6.0 release candidate with successful basic server testing and application acceptance testing sections, then you can skip these sections in subsequent reports, unless otherwise indicated by the Release Manager. This is to ensure that you focus your QA effort on the 1.6.0-specific changes as well as changes since the previous release candidate.

Environment

  • Install target: 1U QA servers
  • Tails version: 4.11rc1
  • Test Scenario: upgrade
  • SSH over Tor: yes
  • Onion service version: v3
  • Release candidate: rc2
  • General notes:

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them not tested
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.5.0 and restore this backup on 1.6.0 skipped
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication skipped

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

Updater GUI

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.6.0 release-specific changes

Journalist API changes

  • /users endpoint works as expected and does not include is_admin (Add /users endpoint #5506)
  • seen/unseen (bolded) behavior in the JI works as expected (downloaded/not downloaded) (Add seen tables and update seen status based on downloads in JI #5505)
  • Test the new /seen endpoint (API changes for listing/marking source conversation items that have been seen by journalists #5513).

    • Visit the source interface and submit a file and a message.

    • Store the journalist interface URL in the JI environment variable, e.g. export JI=http://your-JI-address-here.onion

    • Create a new journalist account with manage.py add-journalist

    • Get an API token with it (using its actual credentials, of course):

      export TOKEN=$(torify curl -s -X POST -H "Content-Type: application/json" --data '{"username":"journalist","passphrase":"correct horse battery
staple profanity oil chewy","one_time_code":"935664"}' ${JI}/api/v1/token | jq -r .token)

    • List current submissions:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/submissions | jq

      All should have a seen_by property, but the new journalist's UUID should not appear in any of them.

    • Mark the message you submitted as a source seen (correct the UUID in the command below):

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"messages": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 200, the response {"message":"resources marked seen"}.

    • Mark the same message seen again. There should be no error.

    • Retrieve /submissions again. The message's seen_by list should now contain your journalist account's UUID.

    • Visit the source of the message in the journalist interface. The message you marked should not be listed in bold text. Clicking "Select unread" should not select that message.

    • Visit the source list in the journalist interface. Select the source of the message you marked and click "Download Unread". The zip file you receive should not contain the seen message.

    • Now submit the same request, but specifying that the UUID belongs to a file:

      torify curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"files": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 404, the response {"error":"Not Found","message":"file not found: e711d29d-d0a1-440f-80e4-6642b77ec3ea"}.

    • Repeat the same checks for the submitted file.

    • In the journalist interface, reply to your test source.

    • Create another journalist account.

    • Get another API token for the second journalist account.

    • Retrieve the list of all replies:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/replies | jq

      Only the UUID of the journalist that replied should be listed in the reply's seen_by list.

    • Mark the reply read by the second journalist:

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"replies": ["06bed593-f2d6-46eb-b85f-23adc7ea290d"]}' ${JI}/api/v1/seen

    • Hit /replies again and confirm that the second journalist's UUID appears in the reply's seen_by list.

Packaging changes skipped

Upgrade testing only:

Preflight

  • Ensure the builder image is up-to-date on release day

These tests should be performed the day of release prior to live debian packages on apt.freedom.press

Basic testing

  • Install or upgrade occurs without error
  • Source interface is available and version string indicates it is 1.6.0
  • A message can be successfully submitted

Tails

  • The updater GUI appears on boot
  • The update successfully occurs to 1.6.0
  • After reboot, updater GUI no longer appears

@emkll emkll mentioned this issue Oct 7, 2020
Merged
1 task
@emkll
Copy link
Contributor Author

emkll commented Oct 7, 2020
edited
Loading

Clean install - VMs (in progress)

Environment

  • Install target: Vagrant VMs
  • Tails version: 4.11
  • Test Scenario: Clean install in VMs (V3)
  • SSH over Tor: Yes
  • Onion service version: v3 only
  • Release candidate: rc2
  • General notes:

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.5.0 and restore this backup on 1.6.0
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication

Application Acceptance Testing (DID NOT TEST)

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

Updater GUI

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.6.0 release-specific changes

Journalist API changes

  • /users endpoint works as expected and does not include is_admin (Add /users endpoint #5506)
  • seen/unseen (bolded) behavior in the JI works as expected (downloaded/not downloaded) (Add seen tables and update seen status based on downloads in JI #5505)
  • Test the new /seen endpoint (API changes for listing/marking source conversation items that have been seen by journalists #5513).

    • Visit the source interface and submit a file and a message.

    • Store the journalist interface URL in the JI environment variable, e.g. export JI=http://your-JI-address-here.onion

    • Create a new journalist account with manage.py add-journalist

    • Get an API token with it (using its actual credentials, of course):

      export TOKEN=$(torify curl -s -X POST -H "Content-Type: application/json" --data '{"username":"journalist","passphrase":"correct horse battery
staple profanity oil chewy","one_time_code":"935664"}' ${JI}/api/v1/token | jq -r .token)

    • List current submissions:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/submissions | jq

      All should have a seen_by property, but the new journalist's UUID should not appear in any of them.

    • Mark the message you submitted as a source seen (correct the UUID in the command below):

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"messages": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 200, the response {"message":"resources marked seen"}.

    • Mark the same message seen again. There should be no error.

    • Retrieve /submissions again. The message's seen_by list should now contain your journalist account's UUID.

    • Visit the source of the message in the journalist interface. The message you marked should not be listed in bold text. Clicking "Select unread" should not select that message.

    • Visit the source list in the journalist interface. Select the source of the message you marked and click "Download Unread". The zip file you receive should not contain the seen message.

    • Now submit the same request, but specifying that the UUID belongs to a file:

      torify curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"files": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 404, the response {"error":"Not Found","message":"file not found: e711d29d-d0a1-440f-80e4-6642b77ec3ea"}.

    • Repeat the same checks for the submitted file.

    • In the journalist interface, reply to your test source.

    • Create another journalist account.

    • Get another API token for the second journalist account.

    • Retrieve the list of all replies:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/replies | jq

      Only the UUID of the journalist that replied should be listed in the reply's seen_by list.

    • Mark the reply read by the second journalist:

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"replies": ["06bed593-f2d6-46eb-b85f-23adc7ea290d"]}' ${JI}/api/v1/seen

    • Hit /replies again and confirm that the second journalist's UUID appears in the reply's seen_by list.

Packaging changes

Test 5549 (RC2-only)

  • on the Source interface, submit multiple messages (3+) as a source
  • on the Journalist interface, reply to the source
  • log into app server and delete the reply file and the first message (with filename 1-something-something-msg.gpg) from the source's directory in /var/lib/securedrop/store
  • in the Journalist interface, on the source's collection page, select the reply, the first message, and one other message, and click Delete Selected and then Delete in the modal:
    • Deletion completes with all selected submissions removed from the list
    • in staging, errors are logged in /var/log/apache2/journalist-error.log for both missing files
    • In staging, an error is logged listing the total number of disconnected db entries
  • click Delete Source and Submissions and then Delete in the modal
    • the source collection is deleted and the source is no longer listed in the all sources page
    • the source directory no longer exists in /var/lib/securedrop/store

Upgrade testing only:

@emkll emkll mentioned this issue Oct 7, 2020
Merged
3 tasks
@rmol
Copy link
Contributor

rmol commented Oct 7, 2020
edited
Loading

Environment

  • Install target: NUC 7i5BNH
  • Tails version: 4.11
  • Test Scenario: clean install on Ubuntu 16.04.7
  • SSH over Tor: yes
  • Onion service version: v3
  • Release candidate: rc2
  • General notes:

Basic Server Testing

  • I can access both the source and journalist interfaces
  • I can SSH into both machines over Tor
  • AppArmor is loaded on app
    • 0 processes are running unconfined
  • AppArmor is loaded on mon
    • 0 processes are running unconfined
  • Both servers are running grsec kernels
  • iptables rules loaded
  • OSSEC emails begin to flow after install
  • OSSEC emails are decrypted to correct key and I am able to decrypt them
  • After installing the testinfra dependencies, all tests in ./securedrop-admin verify are passing:
    • Install dependencies on Admin Workstation with cd ~/Persistent/securedrop && ./securedrop-admin setup -t
    • Run tests with ./securedrop-admin verify (this will take a while)
    • Remove test dependencies: rm -rf admin/.venv3/ && ./securedrop-admin setup
  • QA Matrix checks pass

Command Line User Generation

  • Can successfully add admin user and login

Administration

  • I have backed up and successfully restored the app server following the backup documentation
  • If doing upgrade testing, make a backup on 1.5.0 and restore this backup on 1.6.0
  • "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
  • Can successfully add journalist account with HOTP authentication

Application Acceptance Testing

Source Interface

Landing page base cases
  • JS warning bar does not appear when using Security Slider high
  • JS warning bar does appear when using Security Slider Low
First submission base cases
  • On generate page, refreshing codename produces a new 7-word codename
  • On submit page, empty submissions produce flashed message
  • On submit page, short message submitted successfully
  • On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • Nonexistent codename cannot log in
  • Empty codename cannot log in
  • Legitimate codename can log in
  • Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • Can log in with 2FA tokens
  • incorrect password cannot log in
  • invalid 2fa token cannot log in
  • 2fa immediate reuse cannot log in
  • Journalist account with HOTP can log in
Index base cases
  • Filter by codename works
  • Starring and unstarring works
  • Click select all selects all submissions
  • Selecting all and clicking "Download" works
Individual source page
  • You can submit a reply and a flashed message and new row appears
  • You cannot submit an empty reply
  • Clicking "Delete Source And Submissions" and the source and docs are deleted
  • You can click on a document and successfully decrypt using application private key

Basic Tails Testing

Updater GUI

After updating to this release candidate and running securedrop-admin tailsconfig

  • The Updater GUI appears on boot
  • Updating occurs without issue

1.6.0 release-specific changes

Journalist API changes

  • /users endpoint works as expected and does not include is_admin (Add /users endpoint #5506)
  • seen/unseen (bolded) behavior in the JI works as expected (downloaded/not downloaded) (Add seen tables and update seen status based on downloads in JI #5505)
  • Test the new /seen endpoint (API changes for listing/marking source conversation items that have been seen by journalists #5513).

    • Visit the source interface and submit a file and a message.

    • Store the journalist interface URL in the JI environment variable, e.g. export JI=http://your-JI-address-here.onion

    • Create a new journalist account with manage.py add-journalist

    • Get an API token with it (using its actual credentials, of course):

      export TOKEN=$(torify curl -s -X POST -H "Content-Type: application/json" --data '{"username":"journalist","passphrase":"correct horse battery
staple profanity oil chewy","one_time_code":"935664"}' ${JI}/api/v1/token | jq -r .token)

    • List current submissions:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/submissions | jq

      All should have a seen_by property, but the new journalist's UUID should not appear in any of them.

    • Mark the message you submitted as a source seen (correct the UUID in the command below):

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"messages": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 200, the response {"message":"resources marked seen"}.

    • Mark the same message seen again. There should be no error.

    • Retrieve /submissions again. The message's seen_by list should now contain your journalist account's UUID.

    • Visit the source of the message in the journalist interface. The message you marked should not be listed in bold text. Clicking "Select unread" should not select that message.

    • Visit the source list in the journalist interface. Select the source of the message you marked and click "Download Unread". The zip file you receive should not contain the seen message.

    • Now submit the same request, but specifying that the UUID belongs to a file:

      torify curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"files": ["e711d29d-d0a1-440f-80e4-6642b77ec3ea"]}' ${JI}/api/v1/seen

      The status should be 404, the response {"error":"Not Found","message":"file not found: e711d29d-d0a1-440f-80e4-6642b77ec3ea"}.

    • Repeat the same checks for the submitted file.

    • In the journalist interface, reply to your test source.

    • Create another journalist account.

    • Get another API token for the second journalist account.

    • Retrieve the list of all replies:

      torify curl -s -X GET -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" ${JI}/api/v1/replies | jq

      Only the UUID of the journalist that replied should be listed in the reply's seen_by list.

    • Mark the reply read by the second journalist:

      torify curl -is -X POST -H "Content-Type: application/json" -H "Authorization: Token $TOKEN" --data '{"replies": ["06bed593-f2d6-46eb-b85f-23adc7ea290d"]}' ${JI}/api/v1/seen

    • Hit /replies again and confirm that the second journalist's UUID appears in the reply's seen_by list.

Packaging changes

Test 5549 (RC2-only)

  • on the Source interface, submit multiple messages (3+) as a source
  • on the Journalist interface, reply to the source
  • log into app server and delete the reply file and the first message (with filename 1-something-something-msg.gpg) from the source's directory in /var/lib/securedrop/store
  • in the Journalist interface, on the source's collection page, select the reply, the first message, and one other message, and click Delete Selected and then Delete in the modal:
    • Deletion completes with all selected submissions removed from the list
    • in staging, errors are logged in /var/log/apache2/journalist-error.log for both missing files
    • In staging, an error is logged listing the total number of disconnected db entries
  • click Delete Source and Submissions and then Delete in the modal
    • the source collection is deleted and the source is no longer listed in the all sources page
    • the source directory no longer exists in /var/lib/securedrop/store

Upgrade testing only:

This was referenced Oct 7, 2020
Merged
Closed
Merged
@eloquence eloquence unpinned this issue Oct 14, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Adds upgrade boxes for SecureDrop 1.6.0 freedomofpress/securedrop
3 participants
@zenmonkeykstop @emkll @rmol