securedrop workstation proxy

securedrop-proxy is part of the SecureDrop Workstation project.

The code in this repository implements a proxy across two APIs: the Qubes RPC protocol and the SecureDrop API. This proxy is used to forward requests from the SecureDrop Workstation client to the SecureDrop server.

The proxy is implemented in Rust. The tests are implemented in Python.

The proxy is packaged as the securedrop-proxy Debian package, which is installed in the sd-proxy VM after provisioning a SecureDrop Workstation.

Security Properties

Isolation

The SecureDrop Client/SDK can talk only to the proxy. The proxy talks only to the (onion) origin it's configured with.

Mitigates against: A compromised Client/VM tries to contact or exfiltrate data to an arbitrary origin.

Sanitization

The SDK talks JSON. The proxy translates JSON to HTTP and back again. (In v3, it will just construct a sanitized HTTP request and do the same for the response.)

Mitigates against: A compromised Client/VM constructs a malicious HTTP request. (The server returning a malicious HTTP response is already game over.)

How It Works

sequenceDiagram

participant c as securedrop-client
participant sdk as securedrop-sdk
participant p as securedrop-proxy
participant server as SecureDrop

c ->> sdk: job
activate sdk
sdk -->> p: JSON over qrexec
activate p
p -->> server: HTTP over Tor

server -->> p: HTTP over Tor

alt stream: false
p -->> sdk: JSON over qrexec
sdk ->> c: response
else stream: true
p -->> sdk: HTTP over qrexec
sdk ->> c: stream
else error
p ->> sdk: JSON over qrexec
sdk ->> c: error
end

deactivate p
deactivate sdk

The proxy works by reading a JSON object from the standard input, generating an HTTP request from that JSON, making that request against the remote server, and then either (a) writing to the standard output a JSON object which represents the remote server's response or (b) streaming the response directly to the standard output.
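The following is an added illustration of the pipeline described above and of the two security properties (isolation and sanitization) from the section before it; it is not code from securedrop-proxy, and the JSON job schema (`method`, `path_query`, `headers`, `body`, `stream`), the method and header allow-lists, and the function names `build_request`, `render_response` and `handle_job` are all constructed for this example rather than taken from the real proxy. The point it makes is the one the README makes: the client only ever supplies a path, query, allow-listed headers and a body; the host always comes from the configured origin, and every field is checked for characters that could break HTTP framing before anything is sent.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed job schema for this example (assumed; not the proxy's own wire format):
#   {"method": "GET", "path_query": "/api/v1/sources",
#    "headers": {"Accept": "application/json"}, "body": "", "stream": false}

ALLOWED_METHODS = frozenset({"GET", "POST", "DELETE"})
# Header names the client may set. Host, Content-Length and Connection are decided by
# the proxy, so the client cannot redirect the request or tamper with its framing.
ALLOWED_HEADERS = frozenset({"accept", "authorization", "content-type"})
PATH_QUERY = re.compile(r"^/[A-Za-z0-9._~%!$&'()*+,;=:@/?-]*$")  # no whitespace, no CR/LF
HEADER_VALUE = re.compile(r"^[\x20-\x7e]*$")                      # printable ASCII only


class ProxyError(ValueError):
    """A job failed validation; the proxy answers with a JSON error and sends nothing."""


def parse_origin(origin: str) -> str:
    """Return the netloc of SD_PROXY_ORIGIN; only a bare http://host[:port] is accepted."""
    parts = urlsplit(origin)
    if (parts.scheme != "http" or not parts.netloc or parts.path not in ("", "/")
            or parts.query or parts.fragment or not parts.netloc.isascii()):
        raise ProxyError("SD_PROXY_ORIGIN must be a bare http://host[:port]")
    return parts.netloc


def build_request(job: dict, origin: str) -> bytes:
    """Translate a JSON job into raw HTTP/1.1 request bytes addressed to the configured origin.

    Isolation: the host is always taken from `origin`; the job may only name a path and query.
    Sanitization: method and header names are allow-listed, and every client-supplied field is
    rejected if it contains anything that could inject a new line into the request.
    """
    host = parse_origin(origin)

    method = job.get("method")
    if method not in ALLOWED_METHODS:
        raise ProxyError(f"method not allowed: {method!r}")

    target = job.get("path_query", "/")
    if not isinstance(target, str) or not PATH_QUERY.match(target) or target.startswith("//"):
        raise ProxyError(f"bad path/query: {target!r}")

    headers = job.get("headers", {})
    if not isinstance(headers, dict):
        raise ProxyError("headers must be an object")
    out_headers = []
    for name, value in headers.items():
        if not isinstance(name, str) or name.lower() not in ALLOWED_HEADERS:
            raise ProxyError(f"header not allowed: {name!r}")
        if not isinstance(value, str) or not HEADER_VALUE.match(value):
            raise ProxyError(f"bad value for header {name!r}")
        out_headers.append((name.lower(), value))

    body = job.get("body", "")
    if not isinstance(body, str):
        raise ProxyError("body must be a string")
    body_bytes = body.encode("utf-8")
    if body_bytes and method == "GET":
        raise ProxyError("GET must not carry a body")

    lines = [f"{method} {target} HTTP/1.1", f"host: {host}", "connection: close"]
    lines += [f"{name}: {value}" for name, value in out_headers]
    lines.append(f"content-length: {len(body_bytes)}")  # computed by the proxy, never by the client
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii") + body_bytes


def render_response(status: int, headers: dict, body: bytes, stream: bool):
    """Branch (a)/(b) of the README: a JSON envelope for stream=false, raw bytes for stream=true."""
    if stream:
        return body
    return json.dumps({"status": status, "headers": headers,
                       "body": body.decode("utf-8", "replace")})


def handle_job(job_json: str, origin: str, send):
    """Full pipeline: parse the JSON job, build the request, hand it to `send`, shape the reply.

    `send(request_bytes) -> (status, headers, body)` stands in for the Tor transport; a test
    can inject a fake so nothing leaves the machine. Any validation failure is reported as
    a JSON error object without calling `send` at all (the "error" branch of the diagram).
    """
    try:
        job = json.loads(job_json)
        if not isinstance(job, dict):
            raise ProxyError("job must be a JSON object")
        request = build_request(job, origin)
    except ValueError as exc:  # json.JSONDecodeError and ProxyError both subclass ValueError
        return json.dumps({"error": str(exc)})
    status, headers, body = send(request)
    return render_response(status, headers, body, bool(job.get("stream", False)))
```

The rejection cases are the interesting part: an absolute URL or a `Host` header in the job is refused because the client must not be able to choose where the request goes, and a path or header value carrying a CR/LF is refused because it would let the client write its own HTTP lines into the request.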

Quick Start

  1. Install Rust from Debian stable packages or via rustup
  2. Install Poetry
  3. Run make test to build the proxy using Rust and verify the installation

Managing Dependencies

We use Poetry to manage Python test dependencies for this project, and Cargo to manage Rust dependencies. See our documentation for managing dependencies.

Making a Release

See our documentation for releasing SecureDrop Workstation Debian packages.

Configuration

In development, the proxy should be run with the SD_PROXY_ORIGIN environment variable set, like:

$ export SD_PROXY_ORIGIN=http://${JOURNALIST_INTERFACE}.onion

In a production build with the qubesdb feature, the same value is expected in the Qubes feature vm-config.SD_PROXY_ORIGIN, exposed in QubesDB at /vm-config/SD_PROXY_ORIGIN. You can simulate this, including on Qubes 4.1+, with:

[user@dom0 ~] qubesdb-write sd-proxy -c write /vm-config/SD_PROXY_ORIGIN "http://${JOURNALIST_INTERFACE}.onion"

Tests

Unit tests can be run with make test.