Merge pull request #1414 from freedomofpress/456-whonix-deprecation

Prepares path for `sd-whonix` whonix removal

Author: legoktm

securedrop_salt/sd-proxy.sls

@@ -11,7 +11,6 @@
 {% import_json "securedrop_salt/config.json" as d %}
 
 include:
-  - securedrop_salt.sd-whonix
   - securedrop_salt.sd-workstation-template
 
 sd-proxy-dvm:
@@ -26,7 +25,7 @@ sd-proxy-dvm:
       - template: sd-small-{{ sdvars.distribution }}-template
     - prefs:
       - template: sd-small-{{ sdvars.distribution }}-template
-      - netvm: sd-whonix
+      - netvm: sys-firewall
       - template_for_dispvms: True
       - default_dispvm: ""
     - features:
@@ -41,7 +40,6 @@ sd-proxy-dvm:
         - sd-workstation
         - sd-{{ sdvars.distribution }}
     - require:
-      - qvm: sd-whonix
       - qvm: sd-small-{{ sdvars.distribution }}-template
 
 sd-proxy-create-named-dispvm:
@@ -53,12 +51,13 @@ sd-proxy-create-named-dispvm:
       - class: DispVM
     - prefs:
       - template: sd-proxy-dvm
-      - netvm: sd-whonix
+      - netvm: sys-firewall
       - autostart: true
       - default_dispvm: ""
     - features:
       - enable:
         - service.securedrop-mime-handling
+        - service.securedrop-arti
       - set:
           - vm-config.SD_MIME_HANDLING: default
           - servicevm: 1
@@ -79,5 +78,6 @@ sd-proxy-config:
     - name: sd-proxy
     - set:
         - vm-config.SD_PROXY_ORIGIN: http://{{ d.hidserv.hostname }}
+        - vm-config.SD_PROXY_ORIGIN_KEY: {{ d.hidserv.key }}
     - require:
       - qvm: sd-proxy-create-named-dispvm

tests/test_proxy_vm.py

@@ -12,7 +12,7 @@
 def qube():
     return QubeWrapper(
         "sd-proxy",
-        expected_config_keys={"SD_PROXY_ORIGIN", "SD_MIME_HANDLING"},
+        expected_config_keys={"SD_PROXY_ORIGIN", "SD_PROXY_ORIGIN_KEY", "SD_MIME_HANDLING"},
         enforced_apparmor_profiles={"/usr/bin/securedrop-proxy"},
     )
 

tests/test_vms_exist.py

@@ -114,19 +114,22 @@ def test_sd_proxy_config(self):
         vm = self.app.domains["sd-proxy"]
         assert vm.template == "sd-proxy-dvm"
         assert vm.klass == "DispVM"
-        assert vm.netvm.name == "sd-whonix"
+        assert vm.netvm.name == "sys-firewall"
         assert vm.autostart
         assert not vm.provides_network
         assert vm.default_dispvm is None
         assert "sd-workstation" in vm.tags
         assert vm.features["service.securedrop-mime-handling"] == "1"
+        assert vm.features["service.securedrop-arti"] == "1"
         assert vm.features["vm-config.SD_MIME_HANDLING"] == "default"
         self._check_service_running(vm, "securedrop-mime-handling")
+        self._check_service_running(vm, "securedrop-proxy-onion-config")
+        self._check_service_running(vm, "securedrop-arti")
 
     def test_sd_proxy_dvm(self):
         vm = self.app.domains["sd-proxy-dvm"]
         assert vm.template_for_dispvms
-        assert vm.netvm.name == "sd-whonix"
+        assert vm.netvm.name == "sys-firewall"
         assert vm.template == SD_TEMPLATE_SMALL
         assert vm.default_dispvm is None
         assert "sd-workstation" in vm.tags
@@ -156,6 +159,9 @@ def test_sd_app_config(self):
         assert vm.features["vm-config.SD_MIME_HANDLING"] == "sd-app"
         self._check_service_running(vm, "securedrop-mime-handling")
 
+        # Arti should *not* be running
+        self._check_service_running(vm, "securedrop-arti", running=False)
+
     def test_sd_viewer_config(self):
         vm = self.app.domains["sd-viewer"]
         nvm = vm.netvm