Fixes #440 install securedrop-log and setup

Also add related tests.

Makefile

@@ -62,7 +62,7 @@ sd-app: prep-salt ## Provisions SD APP VM
 
 sd-whonix: prep-salt ## Provisions SD Whonix VM
 	sudo qubesctl --show-output state.sls sd-whonix
-	sudo qubesctl --show-output --skip-dom0 --targets sd-whonix-buster-template,sd-whonix state.highstate
+	sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15,sd-whonix state.highstate
 
 sd-viewer: prep-salt ## Provisions SD Submission Viewing VM
 	sudo qubesctl --show-output state.sls sd-viewer

dom0/sd-app-files.sls

@@ -18,3 +18,18 @@ install-securedrop-client-package:
       - securedrop-client
     - require:
       - sls: fpf-apt-test-repo
+
+install-securedrop-log-package:
+  pkg.installed:
+    - pkgs:
+      - securedrop-log
+    - require:
+      - sls: fpf-apt-test-repo
+
+sd-rsyslog-for-sd-app:
+  file.managed:
+    - name: /etc/sd-rsyslog.conf
+    - source: "salt://sd-rsyslog.conf.j2"
+    - template: jinja
+    - context:
+        vmname: sd-app

dom0/sd-clean-all.sls

@@ -27,6 +27,12 @@ remove-dom0-sdw-config-files:
       - /home/{{ gui_user }}/Desktop/securedrop-launcher.desktop
       - /home/{{ gui_user }}/.securedrop_launcher
 
+sd-cleanup-whonix-gw-15:
+  cmd.run:
+    - names:
+      - qvm-run whonix-gw-15 'sudo apt remove -y securedrop-log'
+      - qvm-run whonix-gw-15 'sudo rm -f /etc/rsyslog.d/sdlog.conf'
+
 sd-cleanup-sys-firewall:
   cmd.run:
     - names:

dom0/sd-devices-files.sls

@@ -24,3 +24,19 @@ sd-devices-install-libreoffice:
 sd-devices-install-package:
   pkg.installed:
     - name: securedrop-export
+
+
+sd-devices-install-securedrop-log-package:
+  pkg.installed:
+    - pkgs:
+      - securedrop-log
+    - require:
+      - sls: fpf-apt-test-repo
+
+sd-rsyslog-for-sd-devices:
+  file.managed:
+    - name: /etc/sd-rsyslog.conf
+    - source: "salt://sd-rsyslog.conf.j2"
+    - template: jinja
+    - context:
+        vmname: sd-devices

dom0/sd-log-template-files.sls

@@ -6,6 +6,16 @@ include:
 install-securedrop-log-package:
   pkg.installed:
     - pkgs:
+      - redis-server
+      - redis
       - securedrop-log
     - require:
       - sls: fpf-apt-test-repo
+
+redis:
+  service.running:
+    - enable: True
+
+securedrop-log:
+  service.running:
+    - enable: True

dom0/sd-log.sls

@@ -57,3 +57,11 @@ sd-log-private-volume-size:
         qvm-volume resize sd-log:private {{ d.vmsizes.sd_log }}GiB
     - require:
       - qvm: sd-log
+
+# Permit the SecureDrop Proxy to manage Client connections
+sd-dom-dom0-securedrop.Log:
+  file.prepend:
+    - name: /etc/qubes-rpc/policy/securedrop.Log
+    - text: |
+        @tag:sd-workstation sd-log allow
+        @anyvm @anyvm deny

dom0/sd-proxy-template-files.sls

@@ -48,6 +48,13 @@ install-securedrop-proxy-package:
     - require:
       - sls: fpf-apt-test-repo
 
+install-securedrop-log-package:
+  pkg.installed:
+    - pkgs:
+      - securedrop-log
+    - require:
+      - sls: fpf-apt-test-repo
+
 {% import_json "sd/config.json" as d %}
 
 install-securedrop-proxy-yaml-config:
@@ -58,3 +65,11 @@ install-securedrop-proxy-yaml-config:
     - context:
         hostname: {{ d.hidserv.hostname }}
     - mode: 0644
+
+sd-rsyslog-for-sd-proxy:
+  file.managed:
+    - name: /etc/sd-rsyslog.conf
+    - source: "salt://sd-rsyslog.conf.j2"
+    - template: jinja
+    - context:
+        vmname: sd-proxy

dom0/sd-rsyslog.conf.j2

@@ -0,0 +1,3 @@
+[sd-rsyslog]
+remotevm = sd-log
+localvm = {{ vmname }}

dom0/sd-viewer-files.sls

@@ -28,3 +28,18 @@ sd-viewer-install-libreoffice:
         attempts: 3
         interval: 60
     - install_recommends: False
+
+sd-viewer-install-logging:
+  pkg.installed:
+    - pkgs:
+      - securedrop-log
+    - require:
+      - sls: fpf-apt-test-repo
+
+sd-rsyslog-for-sd-viewer:
+  file.managed:
+    - name: /etc/sd-rsyslog.conf
+    - source: "salt://sd-rsyslog.conf.j2"
+    - template: jinja
+    - context:
+        vmname: sd-viewer

dom0/sd-whonix-template-files.sls

@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+##
+# sd-whonix-files
+# ========
+#
+# Installs configuration packages specific to the sd-whonix
+# used for network calls.
+#
+##
+
+include:
+  - fpf-apt-test-repo
+
+sd-whonix-install-logging:
+  pkg.installed:
+    - pkgs:
+      - securedrop-log
+    - require:
+      - sls: fpf-apt-test-repo
+
+sd-rsyslog-for-sd-whonix:
+  file.managed:
+    - name: /etc/sd-rsyslog.conf
+    - source: "salt://sd-rsyslog.conf.j2"
+    - template: jinja
+    - context:
+        vmname: sd-whonix

dom0/sd-workstation-template-files.sls

@@ -11,6 +11,14 @@ sd-workstation-template-install-kernel-config-packages:
     - require:
       - sls: fpf-apt-test-repo
 
+
+sd-workstation-install-securedrop-log-package:
+  pkg.installed:
+    - pkgs:
+      - securedrop-log
+    - require:
+      - sls: fpf-apt-test-repo
+
 # Ensure that paxctld starts immediately. For AppVMs,
 # use qvm.features.enabled = ["paxctld"] to ensure service start.
 sd-workstation-template-enable-paxctld:

dom0/sd-workstation.top

@@ -9,14 +9,17 @@ base:
     - sd-upgrade-templates
     - sd-dom0-qvm-rpc
     - sd-sys-whonix-vms
+    - sd-log
     - sd-devices
     - sd-gpg
     - sd-proxy
     - sd-viewer
     - sd-app
     - sd-whonix
     - sd-remove-unused-templates
-    - sd-log
+
+  sd-log-buster-template:
+    - sd-log-template-files
   sd-devices-buster-template:
     - sd-devices-files
   sd-gpg:
@@ -33,12 +36,12 @@ base:
     - sd-sys-firewall-files
   sd-whonix:
     - sd-whonix-hidserv-key
-  sd-log-buster-template:
-    - sd-log-template-files
   securedrop-workstation-buster:
     - sd-workstation-template-files
   sys-usb:
     - sd-usb-autoattach-add
+  whonix-gw-15:
+    - sd-whonix-template-files
 
   # "Placeholder" config to trigger TemplateVM boots,
   # so upgrades can be applied automatically via cron.

scripts/provision-all

@@ -17,6 +17,12 @@ sudo qubesctl --show-output --skip-dom0 --targets sys-firewall state.sls sd-sys-
 echo "Set up dom0 config files, including RPC policies, and create VMs"
 sudo qubesctl --show-output state.highstate
 
+echo "Setup sd-log-buster-template vm first"
+sudo qubesctl --show-output --skip-dom0 --targets sd-log-buster-template state.sls sd-log-template-files
+# Provision whonix-gw-15 with log additions because it isn't tagged with sd-workstation (we don't want it removed after a make clean)
+sudo qubesctl --show-output --skip-dom0 --targets whonix-gw-15 state.highstate
+
+
 # Format list of all VMs comma-separated, for use as qubesctl target
 # We run this after dom0's highstate, so that the VMs are available for listing by tag.
 all_sdw_vms_target="$(qvm-ls --tags sd-workstation --raw-list | perl -npE 's/\n/,/g' | perl -npE 's/,$//' )"

tests/base.py

@@ -112,3 +112,19 @@ def _fileExists(self, remote_path):
             return False
 
         return True
+
+    def logging_configured(self, vmname=""):
+        """
+        Make sure rsyslog is configured to send in data to sd-log vm.
+        """
+        if not vmname:
+            vmname = self.vm_name
+        self.assertTrue(self._fileExists("/etc/sd-rsyslog.conf"))
+        # Then we check the configuration inside of the file.
+        file_content = self._get_file_contents("/etc/sd-rsyslog.conf")
+        static_content = """[sd-rsyslog]
+remotevm = sd-log
+localvm = {0}
+""".format(vmname)
+        self.assertEqual(file_content, static_content)
+        self.assertTrue(self._package_is_installed("securedrop-log"))

tests/test_app.py

@@ -49,6 +49,9 @@ def test_sd_client_apparmor(self):
         results = json.loads(self._run(cmd))
         self.assertTrue(results['profiles']['/usr/bin/securedrop-client'] == "enforce")
 
+    def test_logging_configured(self):
+        self.logging_configured()
+
 
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_App_Tests)

tests/test_proxy_vm.py

@@ -40,6 +40,9 @@ def test_whonix_ws_repo_enabled(self):
         """
         assert self._fileExists(self.whonix_apt_list)
 
+    def test_logging_configured(self):
+        self.logging_configured()
+
 
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_Proxy_Tests)

tests/test_sd_devices.py

@@ -19,6 +19,9 @@ def test_sd_export_package_installed(self):
         self.assertTrue(self._package_is_installed("printer-driver-brlaser"))
         self.assertTrue(self._package_is_installed("securedrop-export"))
 
+    def test_logging_configured(self):
+        self.logging_configured(vmname="sd-devices")
+
 
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_Devices_Tests)

tests/test_sd_whonix.py

@@ -58,6 +58,9 @@ def test_sd_whonix_repo_enabled(self):
         """
         assert self._fileExists(self.whonix_apt_list)
 
+    def test_logging_configured(self):
+        self.logging_configured()
+
 
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_Whonix_Tests)

tests/test_viewer.py

@@ -19,6 +19,9 @@ def test_sd_viewer_evince_installed(self):
     def test_sd_viewer_libreoffice_installed(self):
         self.assertTrue(self._package_is_installed("libreoffice"))
 
+    def test_logging_configured(self):
+        self.logging_configured()
+
 
 def load_tests(loader, tests, pattern):
     suite = unittest.TestLoader().loadTestsFromTestCase(SD_Viewer_Tests)

tests/test_vms_exist.py

@@ -121,6 +121,7 @@ def test_sd_log_config(self):
         self.assertFalse(vm.template_for_dispvms)
         self._check_kernel(vm)
         self._check_service_running(vm, "paxctld")
+        self._check_service_running(vm, "securedrop-log")
         self.assertFalse(vm.template_for_dispvms)
         self.assertTrue('sd-workstation' in vm.tags)
         # Check the size of the private volume