From 0703a9459e674bd081f5345ee3100f445b957eb8 Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Fri, 24 May 2024 14:41:03 -0400
Subject: [PATCH 1/2] Support podman in `make dev-tor` Unfortunately `podman volume` and `docker volume` are not identical, podman will (sensibly) error if you try to create a volume that already exists unless you pass `--ignore`, which docker doesn't support and is only in podman 4.4+. So we check with `$DOCKER_BIN inspect` first and only create the volume if necessary. And apply the same changes to `make clean` as well. Co-authored-by: deeplow
---
 devops/clean | 12 ++++++++++--
 securedrop/bin/dev-shell | 2 +-
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/devops/clean b/devops/clean
index ce7be26db6..f49e2b9aba 100755
--- a/devops/clean
+++ b/devops/clean
@@ -5,6 +5,14 @@
 set -e
 set -u
+USE_PODMAN="${USE_PODMAN:-}"
+
+# Allow opting into using podman with USE_PODMAN=1
+if [[ -n "${USE_PODMAN}" ]]; then
+ DOCKER_BIN="podman"
+else
+ DOCKER_BIN="docker"
+fi
 function remove_unwanted_files() {
@@ -37,8 +45,8 @@ function remove_unwanted_files() {
 build/*.deb
 # Remove any Onion URL from make dev-tor
- if docker volume inspect sd-onion-services > /dev/null; then
- docker volume remove sd-onion-services
+ if $DOCKER_BIN volume inspect sd-onion-services > /dev/null; then
+ $DOCKER_BIN volume remove sd-onion-services
 fi
 # Remove extraneous copies of the git repos, pulled in
diff --git a/securedrop/bin/dev-shell b/securedrop/bin/dev-shell
index 35caccce99..8758dc7420 100755
--- a/securedrop/bin/dev-shell
+++ b/securedrop/bin/dev-shell
@@ -116,7 +116,7 @@ function docker_run() {
 if [ -n "${USE_TOR:-}" ]; then
 # Mount persistent onion services
- docker volume create sd-onion-services
+ $DOCKER_BIN volume inspect sd-onion-services -f " " || $DOCKER_BIN volume create sd-onion-services
 DOCKER_RUN_ARGUMENTS="${DOCKER_RUN_ARGUMENTS} --volume sd-onion-services:/var/lib/tor/services"
 fi
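Review bot: The new guard in dev-shell discards inspect's stdout with `-f " "` but leaves its stderr attached, so on a first `make dev-tor` the missing-volume error that docker/podman most likely print on stderr will still reach the terminal even though the fallback `volume create` then succeeds; the `volume inspect ... > /dev/null` check in the devops/clean hunk has the same gap. Redirecting both streams is clearer than the format-string trick and keeps the two scripts consistent: `if ! $DOCKER_BIN volume inspect sd-onion-services >/dev/null 2>&1; then $DOCKER_BIN volume create sd-onion-services; fi` (and `2>&1` appended to the existing redirect in clean). docker_run's body continues outside the hunk.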
From 2d6fa7b0a2ffb670110659324b7c9eb30a03586a Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Thu, 1 Aug 2024 00:32:45 -0400
Subject: [PATCH 2/2] DNM: Power `make dev-tor` with Arti The authenticated onion service stuff is still unmerged (), so we build Arti from the MR and it works! Generating a config.toml file seems much cleaner than adding to `torrc` and generating `.auth` files. The main upside for this is that using Arti is cool and gets it more real-world testing. But the downside is that it takes a non-trivial amount of time to build Arti locally and maybe it's not worth doing until we have pre-package/downloadable binaries. :thinking:
---
 securedrop/bin/dev-deps | 74 ++++++++++--------
 securedrop/bin/dev-shell | 2 +-
 .../dockerfiles/focal/python3/SlimDockerfile | 6 +-
 3 files changed, 45 insertions(+), 37 deletions(-)
diff --git a/securedrop/bin/dev-deps b/securedrop/bin/dev-deps
index f91a61bf58..e0a72dc787 100755
--- a/securedrop/bin/dev-deps
+++ b/securedrop/bin/dev-deps
@@ -53,42 +53,46 @@ function maybe_create_config_py() {
 function maybe_use_tor() {
 if [[ -n "${USE_TOR:-}" ]]; then
- echo "Setting up Tor..."
- if [ ! -d "/var/lib/tor/services" ]; then
- sudo chown -R debian-tor:debian-tor /var/lib/tor/services
- else
- sudo -u debian-tor mkdir -p /var/lib/tor/services
+ echo "Setting up Arti..."
+
+ mkdir -p /var/lib/arti
+ if [ ! -f "/var/lib/arti/config.toml" ]; then
+ # create config.toml for SI and JI
+ openssl genpkey -algorithm x25519 -out /var/lib/arti/ji_priv.key
+ ji_auth_public=$(openssl pkey -in /var/lib/arti/ji_priv.key -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g')
+ cat > /var/lib/arti/config.toml << TOML
+[proxy]
+socks_listen = 9152
+
+[storage]
+# store temporarily
+cache_dir = "/tmp/arti-cache"
+# store persistently
+state_dir = "/var/lib/arti/data"
+
+[onion_services."source"]
+proxy_ports = [
+ ["80", "127.0.0.1:8080"]
+]
+
+[onion_services."journalist"]
+proxy_ports = [
+ ["80", "127.0.0.1:8081"]
+]
+[onion_services."journalist".restricted_discovery]
+enabled = true
+[onion_services."journalist".restricted_discovery.static_keys]
+journalist = "descriptor:x25519:${ji_auth_public}"
+
+TOML
 fi
- # append torrc lines for SI and JI
- echo "HiddenServiceDir /var/lib/tor/services/source/" | sudo tee -a /etc/tor/torrc
- echo "HiddenServicePort 80 127.0.0.1:8080" | sudo tee -a /etc/tor/torrc
- echo "HiddenServiceDir /var/lib/tor/services/journalist/" | sudo tee -a /etc/tor/torrc
- echo "HiddenServicePort 80 127.0.0.1:8081" | sudo tee -a /etc/tor/torrc
- # start Tor to create service directories
- sudo service tor start
- if sudo test -f "/var/lib/tor/services/journalist_auth_token.prv.pem"; then
- # recover x25519 key
- sudo cat /var/lib/tor/services/journalist_auth_token.prv.pem | tee /tmp/k1.prv.pem
- else
- echo "Generating new client authorization..."
- # create x25519 keypair and journalist client auth file
- openssl genpkey -algorithm x25519 -out /tmp/k1.prv.pem
- # store private auth token for regeneration after restarts
- sudo cp /tmp/k1.prv.pem /var/lib/tor/services/journalist_auth_token.prv.pem
- fi
- grep -v " PRIVATE KEY" < /tmp/k1.prv.pem | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.prv.key
- openssl pkey -in /tmp/k1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > /tmp/k1.pub.key
- echo "descriptor:x25519:$(cat /tmp/k1.pub.key)" | sudo -u debian-tor tee /var/lib/tor/services/journalist/authorized_clients/client.auth
- # shellcheck disable=SC2024
- sudo -u debian-tor cat /var/lib/tor/services/source/hostname > /var/lib/securedrop/source_v3_url
- # kill and restart Tor to pick up authorized_clients change
- # (restart a little flaky hence the kill)
- sudo kill "$(cat /run/tor/tor.pid)"; sudo service tor restart
+ /opt/cargo/bin/arti -c /var/lib/arti/config.toml hss --nickname source onion-name -l none > /var/lib/securedrop/source_v3_url
+ /opt/cargo/bin/arti -c /var/lib/arti/config.toml proxy &
 # print out the addresses and the JI client auth key
- si_address="$(sudo -u debian-tor cat /var/lib/tor/services/source/hostname)"
- ji_address="$(sudo -u debian-tor cat /var/lib/tor/services/journalist/hostname)"
- ji_authkey="$(sudo -u debian-tor cat /tmp/k1.prv.key)"
+ si_address="$(/opt/cargo/bin/arti -c /var/lib/arti/config.toml hss --nickname source onion-name -l none)"
+ ji_address="$(/opt/cargo/bin/arti -c /var/lib/arti/config.toml hss --nickname journalist onion-name -l none)"
+ ji_auth_private=$(grep -v " PRIVATE KEY" /var/lib/arti/ji_priv.key | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g')
 sdkey_fpr="$(gpg --with-fingerprint --with-colons ./tests/files/test_journalist_key.pub | grep -e '^fpr' | tr -d 'fpr:')"
 cat > /tmp/qubes-config.json < # 1) Download rustup-init and verify it matches hardcoded checksum
@@ -20,6 +20,7 @@ ENV RUSTUP_VERSION 1.24.3
 ENV RUSTUP_INIT_SHA256 3dc5ef50861ee18657f9db2eeb7392f9c2a6c95c90ab41e45ab4ca71476b4338
 ENV RUSTUP_HOME /opt/rustup
 ENV CARGO_HOME /opt/cargo
+#ENV ARTI_VERSION 1.2.5
 RUN TMPDIR=`mktemp -d` && cd ${TMPDIR} \
 && curl --proto '=https' --tlsv1.2 -OO -sSf https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/x86_64-unknown-linux-gnu/rustup-init \
@@ -28,6 +29,9 @@ RUN TMPDIR=`mktemp -d` && cd ${TMPDIR} \
 && ./rustup-init --default-toolchain=${RUST_VERSION} --profile minimal -y \
 && cd && rm -rf ${TMPDIR}
+# --version ${ARTI_VERSION}
+RUN /opt/cargo/bin/cargo install --locked --git https://gitlab.torproject.org/gabi-250/arti arti --branch onion-svc-auth --features onion-service-service,restricted-discovery
+
 COPY requirements requirements
 RUN python3 -m venv /opt/venvs/securedrop-app-code && \
 /opt/venvs/securedrop-app-code/bin/pip3 install --no-deps --require-hashes -r requirements/python3/bootstrap-requirements.txt && \
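Review bot: The added `cargo install --git https://gitlab.torproject.org/gabi-250/arti arti --branch onion-svc-auth` builds the component that will hold the onion-service keys from the tip of a moving branch in a personal fork, so the image is not reproducible and any later push to that branch silently changes what is built; `--locked` pins only the dependency tree, not the arti source revision itself. This is inconsistent with the rustup-init download a few lines above in the same file, which is pinned through RUSTUP_INIT_SHA256. Until the upstream MR lands and the commented-out `ENV ARTI_VERSION` path from the first hunk can be used, pin the checkout to one commit, e.g. `--rev <ARTI_COMMIT_SHA>` (placeholder) in place of `--branch onion-svc-auth`, and say so in the comment above the RUN line. The description marks the patch DNM, so this may be deliberate for now, but it should be resolved before merge.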