Creates scripts for regenerating rulesets #23

Merged
merged 3 commits into from
Dec 23, 2020
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -6,6 +6,9 @@ private.pem
test-key.jwk
public.pem

# Ignore upstream EFF repo
https-everywhere/

# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
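Review bot: The new `https-everywhere/` pattern is unanchored, so it ignores a directory of that name at any depth, not only the upstream clone that `scripts/generate-and-sign` creates in the repository root. Writing it as `/https-everywhere/` limits the rule to the root checkout. That matters here because the README's local test URL is `http://localhost:4080/https-everywhere/`, and a served directory of that name elsewhere in the tree would be ignored without any warning.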
27 changes: 5 additions & 22 deletions README.md
Expand Up @@ -26,39 +26,22 @@ which will create `test-key.jwk` in your current working directory.

2. Add their domain name and the requested URL to the `onboarded.txt` via PR into this repository. We match the domain based on the landing page of the organization, comparing the `netloc` in a URL with structure `scheme://netloc/path;parameters?query#fragment`.

3. Next, perform a ruleset release as described below.

### Updating the onion URL for an organization (e.g. if they transition to v3 or rotate URLs)

1. First update their onion URL in the official SecureDrop directory using the existing process.

2. Next, perform a ruleset release as described below.

### Release process

Generate rulesets via the securedrop.org directory using the `sddir.py` script:
3. Next, generate and sign the update ruleset using the following command (requires signing key, please ping `@emkll` for assistance):

```
source .venv/bin/activate
python sddir.py
./scripts/generate-and-sign
```

This populates the `rulesets` directory. Inspect them and check all looks sane.

To sign the rules, see HTTPS Everywhere docs [here](https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md#2-signing-rulesets-with-this-key) for the signing process. In the step where you remove all HTTPS Everywhere rules from `rules` in the git checkout of the `https-everywhere` git repo, you should copy all rules from `rulesets` generated from the above Python script. You do not need to create a trivial rule as described in the HTTPS Everywhere docs.

For the production rules this signing must be done via the official signing ceremony and the existing SD release key (JWK formatted version of the pubkey is in `release-pubkey.jwk`). There is some internal documentation with more detailed instructions on this, ping `@emkll` if you need to do this.

Once you have the signature, place the files to serve in the root of the git tree in this repository, and then update the directory listing in `index.html` using the `update_index.sh` shell script in this directory.
4. Commit all files generated by the script above and open a Pull Request to this repository. Once the PR is merged, the rulesets will automatically be deployed to production.

# Verifying
## Verifying changes

Inspect the diff. If it looks good, commit the resulting `index.html` and all files to be served. To test locally, run

make serve

And configure your browser to use `http://localhost:4080/https-everywhere/`.

# Deployment
## Deployment

Upon merge the container will be published to `quay.io/freedomofpress` and the new tag will be deployed automatically.
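Review bot: Step 3 says the command will "generate and sign" and requires a signing key, but nothing left in the section says which key that is or where the signature is produced. The script's own output says it only prepares an airgapped signature request, and the paragraph naming the official signing ceremony and `release-pubkey.jwk` appears to be among the 22 deletions. Suggest keeping one sentence that names the production key and states that signing happens offline, so a reader does not assume the script signs locally. The hunk also seems to drop the "Updating the onion URL for an organization" procedure without pointing that case at the new step 3.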
53 changes: 53 additions & 0 deletions scripts/generate-and-sign
@@ -0,0 +1,53 @@
#!/bin/bash
# Utility script to generate the SecureDrop HTTPS Everywhere rulesets,
# used for managing Onion Names for SecureDrop instances.
#
# Much of the business logic is taken verbatim from the EFF HTTPSE repo:
#
# https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md#signing
#
set -e
set -u
set -o pipefail


# We need the upstream repo by EFF for a few select scripts.
https_everywhere_repo="https-everywhere"
Contributor

This won't update/pull latest changes to the ruleset merge logic and the signing script, but I think it's fine given our test plan usually consists of the reviewer adding a new channel in the browser.

if [[ ! -d "$https_everywhere_repo" ]]; then
echo "Cloning upstream https-everywhere repo for scripts..."
echo "WARNING: Can take a long time! ~10m even on fast connections."
git clone https://github.com/EFForg/https-everywhere
else
echo "Found https-everywhere repo locally, reusing..."
fi

# Generate the SD rulesets
echo "Generating SecureDrop Onion Name rulesets..."
python3 sddir.py

# The EFF scripts require paths to be relative, so copy into subdirs.
echo "Copying SecureDrop Onion Name rulesets ..."
rm -f "${https_everywhere_repo}/rules/"*.xml
cp rulesets/*.xml "${https_everywhere_repo}/rules/"
cp public_release.pem "${https_everywhere_repo}/"

# Switch to upstream subdir, for access to tooling
pushd "$https_everywhere_repo"
sd_rules_dir="securedrop-rules"
rm -rf "$sd_rules_dir"
mkdir "$sd_rules_dir"
python3 utils/merge-rulesets.py
echo "Preparing rulesets for airgapped signature request..."
./utils/sign-rulesets/async-request.sh public_release.pem "$sd_rules_dir"

# Return to SD ruleset repo root
popd
echo "Copying rules to SecureDrop ruleset repo..."
cp -v "${https_everywhere_repo}/${sd_rules_dir}/"* .
Contributor

I think there's one last step (that is always forgotten): update_index.sh which will update index.html

Contributor Author

Aye, I've forgotten that one too. Opened #21 so CI nags us about it, but let's just add it to the script to avoid it in the future.

Contributor Author

Done.

Contributor

nit: git adding the files could potentially be useful here

Contributor Author

Should have been more explicit: I agree with you that adding would be helpful, but adding via glob right now may introduce problems given #20

Contributor Author

Added some helpful messaging to the script with instructions on next steps. Not automatically 'git add'ing due to #20, but still an improvement, thanks for recommending.


echo "Updating index for SecureDrop rules..."
./update_index.sh

echo "Finished. Please review local changes, and commit as appropriate."
# TODO: Not automatically running 'git add *' due to
# https://github.com/freedomofpress/securedrop-https-everywhere-ruleset/issues/20
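
Review bot: The `git clone https://github.com/EFForg/https-everywhere` line takes whatever the upstream default branch holds at that moment, and the `else` branch reuses any existing directory untouched, yet the script then runs `utils/merge-rulesets.py` and `utils/sign-rulesets/async-request.sh` from that checkout to build the signature request. Two maintainers can therefore prepare the request with different upstream code, and nothing records which revision was used. Suggest checking out a pinned upstream commit after the clone-or-reuse step and exiting if `git rev-parse HEAD` does not match it; fetching only that revision would also cut the ~10m download the warning mentions. Separately, `cp -v "${https_everywhere_repo}/${sd_rules_dir}/"* .` copies every file in the output directory into the repository root, so naming the expected files explicitly would keep stray output out of the tree that gets served.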